{"id":1492,"date":"2021-07-04T09:34:00","date_gmt":"2021-07-04T07:34:00","guid":{"rendered":"http:\/\/10.24.225.70\/?p=1492"},"modified":"2026-04-16T00:28:44","modified_gmt":"2026-04-15T22:28:44","slug":"penetration-testing-guidelines-and-best-practices","status":"publish","type":"post","link":"https:\/\/complior.se\/en\/penetration-testing-guidelines-and-best-practices\/","title":{"rendered":"Penetration Testing Guidelines and Best Practices – Part 1"},"content":{"rendered":"
\n
\n
<\/svg><\/span>Tillbaka till resurser<\/span><\/a><\/div>\n\n\n\nBlog<\/span>\n\n\n\n

Penetration Testing Guidelines and Best Practices \u2013 Part 1<\/h1>\n\n\n\n
\r\n\t\r\n\t\t<\/rect>\r\n\t\t<\/line>\r\n\t\t<\/line>\r\n\t\t<\/line>\r\n\t<\/svg>\r\n\t\r\n\t\tJul 04, 2021\t<\/span>\r\n<\/div>\n\n\n

<\/svg><\/span>4 min <\/span><\/h1><\/div>\n<\/div>\n\n\n\n
\"man<\/figure>\n<\/div><\/div>\n\n\n\n
\n
\n

What does PCI DSS say about penetration testing?<\/h2>\n\n\n\n

PDI DSS does provide some guidelines to penetration testing.\u00a0What the PCI standard explicitly mandates about penetration testing is illustrated in Requirement 11.3, requiring organizations to perform annual penetration tests that would mainly:<\/p>\n\n\n\n

    \n
  • Evaluate both the network and application layers<\/li>\n\n\n\n
  • Include both internal and external testing<\/li>\n<\/ul>\n\n\n\n

    While the composition of the network layer tests is left to the discretion of the tester, the standard specifies that as a minimum the following elements must be included in the application layer tests:<\/p>\n\n\n\n

      \n
    • Injection flaws, particularly SQL injection<\/li>\n\n\n\n
    • Buffer overflow vulnerabilities<\/li>\n\n\n\n
    • Insecure cryptographic storage<\/li>\n\n\n\n
    • Insecure communications<\/li>\n\n\n\n
    • Improper error handling<\/li>\n\n\n\n
    • Cross-site scripting (XSS)<\/li>\n\n\n\n
    • Improper access control<\/li>\n\n\n\n
    • Cross-site request forgery (XSRF, CSRF)<\/li>\n\n\n\n
    • Broken authentication and session management<\/li>\n\n\n\n
    • Other vulnerabilities identified as high risk during the risk assessment<\/li>\n<\/ul>\n\n\n\n

      The above list is composed of the most common accepted secure coding practices at the time that version 3.0 of the PCI DSS was published. As industry-accepted secure coding practices change (for example, the OWASP guide, SANS CWE Top 25, CERT Secure Coding, etc.), organizational coding practices are expected to be updated accordingly.

      However, the examples of secure coding resources provided (SANS, CERT, OWASP) are just suggested sources of reference, and have been included by the Council for guidance only. An organization would always be required to incorporate the relevant secure coding practices as applicable to the particular technology in their environment.

      No further guidelines or regulations are specifically provided other than what was discussed above. Wrapping up, any well-structured approach to penetration testing would be acceptable, as long as the above items are addressed and any other effort keeps revolving around cardholder data.
      In general, an advised approach would be to always assess all of the core areas of impact in application security, such as:<\/p>\n\n\n\n

        \n
      • Application Logic (client-side controls, logic flaws, etc.)<\/li>\n\n\n\n
      • Access Handling (authentication, session management, access control)<\/li>\n\n\n\n
      • Input Handling (parameter fuzzing)<\/li>\n\n\n\n
      • Application Hosting (shared hosting issues, web server security)<\/li>\n\n\n\n
      • Other miscellaneous checks (local privacy issues, generic info leakage, SSL\/TLS weaknesses, etc.)<\/li>\n<\/ul>\n\n\n\n

        When appropriately approached, testing against those areas would be enough to encompass all the required elements, possibly going beyond the intended goals of PCI DSS.<\/p>\n<\/div>\n\n\n\n

        \n

        Penetration testing of infrastructure segment<\/h2>\n\n\n\n

        With regard to the infrastructure segment of a PCI penetration test (e.g. the one that covers firewalls, routers, systems, web servers, databases, application servers, and whatever component or device which is relied upon to provide the overall service), there\u2019s no clear stance from the Council, as said above. At any rate, whatever the approach chosen here, the same basic principles should be kept in mind:<\/p>\n\n\n\n

          \n
        • Go in as much depth and breadth as possible<\/li>\n\n\n\n
        • Always be mindful of card data<\/li>\n<\/ul>\n\n\n\n

          In general, this area covers one of the most common types of tests and involves finding targets on the network, looking for openings in their under- lying operating systems and available network services, and then exploiting them remotely. It seems indeed reasonable to limit the range of the internal assessment to a network-level rather than a local perspective, meaning that focus should be specifically pointed at finding issues on remotely visible ports\/services. Indeed, in most cases, delving into a compromised host\u2019s file system or DB tables, to search for card data, wouldn\u2019t represent any added value to the whole PCI DSS audit, as that would be part of a QSA\u2019s responsibilities.

          A network-level penetration test should then concentrate all efforts in uncovering (and eventually exploiting) possible flaws affecting the targets\u2019 network services, from the perspective of a host located on the very same network segment\/subnet. Some of these network service tests happen remotely across the Internet, targeting the organization\u2019s perimeter networks. Others are launched locally, from the organization\u2019s own facilities, to evaluate the security of their internal network and\/or DMZ from within, seeing what kinds of vulnerabilities an internal user could discover.

          To such an aim, the tester\u2019s assessing host is usually required to be any-any allowed on any perimeter Firewalls. It is not however needed to whitelist the tester\u2019s host in case of possible host FWs active on target hosts.

          While a security penetration test can be quite extensive and complicated, the requirements for a QSA conducting a test in a PSI DSS environment are not very extensive. QSAs therefore need to be as thorough as possible for a penetration test to be effective.<\/p>\n<\/div>\n<\/div><\/div>","protected":false},"excerpt":{"rendered":"

          Blogg Penetration Testing Guidelines and Best Practices \u2013 Part 1 4 min What does PCI DSS say about penetration testing? PDI DSS does provide some guidelines to penetration testing.\u00a0What the PCI standard explicitly mandates about penetration testing is illustrated in Requirement 11.3, requiring organizations to perform annual penetration tests that would mainly: While the composition […]<\/p>\n","protected":false},"author":2,"featured_media":73501,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"blogg","format":"standard","meta":{"_editorskit_title_hidden":false,"_editorskit_reading_time":3,"_editorskit_is_block_options_detached":false,"_editorskit_block_options_position":"{}","_eb_attr":"","inline_featured_image":false,"_uag_custom_page_level_css":"","wpm_timeformat":"","_wpm_styles":"","footnotes":""},"categories":[118],"tags":[117,127,133],"class_list":["post-1492","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blogg","tag-blog","tag-pci","tag-penetration"],"yoast_head":"\nPenetration Testing Guidelines and Best Practices - Part 1 - Complior<\/title>\n<meta name=\"description\" content=\"What the PCI standard explicitly mandates about penetration testing is illustrated in Requirement 11.3, requiring organizations to perform annual penetration tests that would mainly\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/complior.se\/en\/penetration-testing-guidelines-and-best-practices\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Penetration Testing Guidelines and Best Practices - Part 1 - Complior\" \/>\n<meta property=\"og:description\" content=\"What the PCI standard explicitly mandates about penetration testing is illustrated in Requirement 11.3, requiring organizations to perform annual penetration tests that would mainly\" \/>\n<meta property=\"og:url\" content=\"https:\/\/complior.se\/en\/penetration-testing-guidelines-and-best-practices\/\" \/>\n<meta property=\"og:site_name\" content=\"Complior\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-04T07:34:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-15T22:28:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1694\" \/>\n\t<meta property=\"og:image:height\" content=\"1190\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kikki Bostrom\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kikki Bostrom\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/\"},\"author\":{\"name\":\"Kikki Bostrom\",\"@id\":\"https:\\\/\\\/complior.se\\\/#\\\/schema\\\/person\\\/841f8a57425589a6d7f13c201d345016\"},\"headline\":\"Penetration Testing Guidelines and Best Practices – Part 1\",\"datePublished\":\"2021-07-04T07:34:00+00:00\",\"dateModified\":\"2026-04-15T22:28:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/\"},\"wordCount\":748,\"publisher\":{\"@id\":\"https:\\\/\\\/complior.se\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/penetration-testing-guidelines-07.png\",\"keywords\":[\"Blog\",\"PCI\",\"Penetration\"],\"articleSection\":[\"Blogg\"],\"inLanguage\":\"en-GB\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/\",\"url\":\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/\",\"name\":\"Penetration Testing Guidelines and Best Practices - Part 1 - Complior\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/complior.se\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/penetration-testing-guidelines-07.png\",\"datePublished\":\"2021-07-04T07:34:00+00:00\",\"dateModified\":\"2026-04-15T22:28:44+00:00\",\"description\":\"What the PCI standard explicitly mandates about penetration testing is illustrated in Requirement 11.3, requiring organizations to perform annual penetration tests that would mainly\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/#primaryimage\",\"url\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/penetration-testing-guidelines-07.png\",\"contentUrl\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/penetration-testing-guidelines-07.png\",\"width\":1694,\"height\":1190,\"caption\":\"man inspecting requirements\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/complior.se\\\/penetration-testing-guidelines-and-best-practices\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/complior.se\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Penetration Testing Guidelines and Best Practices – Part 1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/complior.se\\\/#website\",\"url\":\"https:\\\/\\\/complior.se\\\/\",\"name\":\"Complior\",\"description\":\"Security beyond compliance\",\"publisher\":{\"@id\":\"https:\\\/\\\/complior.se\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/complior.se\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/complior.se\\\/#organization\",\"name\":\"Complior\",\"url\":\"https:\\\/\\\/complior.se\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/complior.se\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/Complior_logo_dark-scaled.png\",\"contentUrl\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/Complior_logo_dark-scaled.png\",\"width\":2560,\"height\":960,\"caption\":\"Complior\"},\"image\":{\"@id\":\"https:\\\/\\\/complior.se\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/complior.se\\\/#\\\/schema\\\/person\\\/841f8a57425589a6d7f13c201d345016\",\"name\":\"Kikki Bostrom\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g\",\"caption\":\"Kikki Bostrom\"},\"url\":\"https:\\\/\\\/complior.se\\\/en\\\/author\\\/kikki\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Penetration Testing Guidelines and Best Practices - Part 1 - Complior","description":"What the PCI standard explicitly mandates about penetration testing is illustrated in Requirement 11.3, requiring organizations to perform annual penetration tests that would mainly","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/complior.se\/en\/penetration-testing-guidelines-and-best-practices\/","og_locale":"en_GB","og_type":"article","og_title":"Penetration Testing Guidelines and Best Practices - Part 1 - Complior","og_description":"What the PCI standard explicitly mandates about penetration testing is illustrated in Requirement 11.3, requiring organizations to perform annual penetration tests that would mainly","og_url":"https:\/\/complior.se\/en\/penetration-testing-guidelines-and-best-practices\/","og_site_name":"Complior","article_published_time":"2021-07-04T07:34:00+00:00","article_modified_time":"2026-04-15T22:28:44+00:00","og_image":[{"width":1694,"height":1190,"url":"https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07.png","type":"image\/png"}],"author":"Kikki Bostrom","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kikki Bostrom","Estimated reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/#article","isPartOf":{"@id":"https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/"},"author":{"name":"Kikki Bostrom","@id":"https:\/\/complior.se\/#\/schema\/person\/841f8a57425589a6d7f13c201d345016"},"headline":"Penetration Testing Guidelines and Best Practices – Part 1","datePublished":"2021-07-04T07:34:00+00:00","dateModified":"2026-04-15T22:28:44+00:00","mainEntityOfPage":{"@id":"https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/"},"wordCount":748,"publisher":{"@id":"https:\/\/complior.se\/#organization"},"image":{"@id":"https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/#primaryimage"},"thumbnailUrl":"https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07.png","keywords":["Blog","PCI","Penetration"],"articleSection":["Blogg"],"inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/","url":"https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/","name":"Penetration Testing Guidelines and Best Practices - Part 1 - Complior","isPartOf":{"@id":"https:\/\/complior.se\/#website"},"primaryImageOfPage":{"@id":"https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/#primaryimage"},"image":{"@id":"https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/#primaryimage"},"thumbnailUrl":"https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07.png","datePublished":"2021-07-04T07:34:00+00:00","dateModified":"2026-04-15T22:28:44+00:00","description":"What the PCI standard explicitly mandates about penetration testing is illustrated in Requirement 11.3, requiring organizations to perform annual penetration tests that would mainly","breadcrumb":{"@id":"https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/#primaryimage","url":"https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07.png","contentUrl":"https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07.png","width":1694,"height":1190,"caption":"man inspecting requirements"},{"@type":"BreadcrumbList","@id":"https:\/\/complior.se\/penetration-testing-guidelines-and-best-practices\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/complior.se\/"},{"@type":"ListItem","position":2,"name":"Penetration Testing Guidelines and Best Practices – Part 1"}]},{"@type":"WebSite","@id":"https:\/\/complior.se\/#website","url":"https:\/\/complior.se\/","name":"Complior","description":"Security beyond compliance","publisher":{"@id":"https:\/\/complior.se\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/complior.se\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/complior.se\/#organization","name":"Complior","url":"https:\/\/complior.se\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/complior.se\/#\/schema\/logo\/image\/","url":"https:\/\/complior.se\/wp-content\/uploads\/2025\/06\/Complior_logo_dark-scaled.png","contentUrl":"https:\/\/complior.se\/wp-content\/uploads\/2025\/06\/Complior_logo_dark-scaled.png","width":2560,"height":960,"caption":"Complior"},"image":{"@id":"https:\/\/complior.se\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/complior.se\/#\/schema\/person\/841f8a57425589a6d7f13c201d345016","name":"Kikki Bostrom","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/secure.gravatar.com\/avatar\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g","caption":"Kikki Bostrom"},"url":"https:\/\/complior.se\/en\/author\/kikki\/"}]}},"uagb_featured_image_src":{"full":["https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07.png",1694,1190,false],"thumbnail":["https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07-150x150.png",150,150,true],"medium":["https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07-300x211.png",300,211,true],"medium_large":["https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07-768x540.png",768,540,true],"large":["https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07-1024x719.png",1024,719,true],"1536x1536":["https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07-1536x1079.png",1536,1079,true],"2048x2048":["https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07.png",1694,1190,false],"trp-custom-language-flag":["https:\/\/complior.se\/wp-content\/uploads\/2021\/08\/penetration-testing-guidelines-07-18x12.png",18,12,true]},"uagb_author_info":{"display_name":"Kikki Bostrom","author_link":"https:\/\/complior.se\/en\/author\/kikki\/"},"uagb_comment_info":0,"uagb_excerpt":"Blogg Penetration Testing Guidelines and Best Practices \u2013 Part 1 4 min What does PCI DSS say about penetration testing? PDI DSS does provide some guidelines to penetration testing.\u00a0What the PCI standard explicitly mandates about penetration testing is illustrated in Requirement 11.3, requiring organizations to perform annual penetration tests that would mainly: While the composition…","_links":{"self":[{"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/posts\/1492","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/comments?post=1492"}],"version-history":[{"count":2,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/posts\/1492\/revisions"}],"predecessor-version":[{"id":80500,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/posts\/1492\/revisions\/80500"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/media\/73501"}],"wp:attachment":[{"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/media?parent=1492"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/categories?post=1492"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/tags?post=1492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}