Creating a PCI 11.3 Penetration Testing Report in Metasploit

Last updated at Mon, 05 Feb 2024 21:38:39 GMT

PCI DSS Requirement 11.3 requires that you "perform penetration testing at least once a year, and after any significant infrastructure or application upgrade or modification". You can either conduct this PCI penetration test in-house or hire a third-party security assessment. Metasploit Pro offers a PCI reporting template, which helps you in both of those cases. If you are conducting the penetration test in-house, it helps you document compliance to your QSA. If you are hiring a third-party penetration tester, Metasploit Pro can help you assess the security of your environment in advance so you pass your audit.

Metasploit Pro tests for and reports on these PCI requirements:

• PCI Requirement 2.2.1: Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
• PCI Requirement 2.3: Encrypt all non-console administrative access such as browser/Web-based management tools.
• PCI Requirement 6.1: Ensure that all system components and software have the latest vendor-supplied security patches installed. Deploy critical patches within a month of release.
• PCI Requirement 8.2: Employ at least one of these to authenticate all users: password or passphrase; or two-factor authentication (e.g., token devices, smart cards, biometrics, public keys).
• PCI Requirement 8.4: Render all passwords unreadable for all system components both in storage and during transmission using strong cryptography based on approved standards.
• PCI Requirement 8.5: Ensure proper user authentication and password management for non-consumer users and administrators on all system components.
• PCI Requirement 8.5.8: Do not use group, shared, or generic accounts and passwords, or other authentication methods.
• PCI Requirement 8.5.10: Require a minimum password length of at least seven characters.
• PCI Requirement 8.5.11: Use passwords containing both numeric and alphabetic characters.

Attached, you'll find a sample Metasploit PCI DSS report. To test the software in your environment, download Metasploit now.