11.4.7—Additional requirement for third-party hosted/cloud service providers only: Third-party hosted/cloud service providers support to their customers for external penetration testing per Requirement 11.
Requirement Description

Additional requirement for third-party hosted/cloud service providers only: Third-party hosted/cloud service providers support to their customers for external penetration testing per Requirement 11.4.3 and 11.4.4.

Applicability Notes

This requirement applies only when the entity being assessed is a multi-tenant service provider.

To meet this requirement, multi-tenant service providers may either:
(a) Provide evidence to its customers to show that penetration testing has been performed according to Requirements 11.4.3 and 11.4.4 on the customers' subscribed infrastructure, OR
(b) Provide prompt access to each of its customers, so customers can perform their own penetration testing.

Evidence provided to customers can include redacted penetration testing results but needs to include sufficient information to prove that all elements of Requirements 11.4.3 and 11.4.4 have been met on the customer's behalf.

Refer also to Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers.

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Cross-Framework Mappings