The article’s view about regular penetration testing is interesting. Understandably, from the perspective of a business, regular penetration testing is an expensive waste. In the best case, it simply costs money to run the tests or hire an external evaluator to run the tests. In the worst case, it uncovers security holes which require even more money to fix. But truly, this is better in the long run for both businesses and users.
Obviously, users benefit from the knowledge that sites on which they have stored or used their credit card information are regularly tested for security vulnerabilities, providing some assurance that vulnerabilities are not present.
Companies benefit by avoiding costly and damaging loss of user data due to a security breach, and (we always hope) the fines and penalties that come from the government in investigations afterward.
It is the responsibility of businesses working with this (and other) sensitive information to meet reasonable standards of security, and I believe that includes regular penetration testing.
As a final aside, I will say that recently some friends discovered a major security flaw in a system we use which they reported, and which has since been fixed. The flaw compromised private records of all users, including potentially providing access to credit card information. It likely existed in the system for years, and would have likely been found by any qualified outside penetration testing. There are real problems with the current status quo on this issue.
I actually agree, and for most (definitely not all, but most) businesses that have more than 20k transactions, it will be feasible to do yearly pen testing.
My problem with the requirement is more in the phrasing of it. It’s yearly and
after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)
Unless you get a lawyer and actually go to court to define what this means, it’s completely open to interpretation. It could mean that any major version of your code needs a new test, or that any change to your infrastructure needs a new test; patching your operating system (especially on Windows) usually happens monthly, and if you’re in a growth phase then adding servers is common. For a startup where change is the norm, and especially if you’re in a growth phase, the worst-case scenario means you have to do weekly pentesting, which is obviously absurd. I don’t think the PCI council would require such an extreme, but it’s the language of not only this requirement but a wide array of other requirements that makes it practically impossible to comply fully.