But what about Pen Testing from inside the CDE? Is that required?
PCI 3.x has no requirement to Pen Test from within the CDE. This is a common misunderstanding, propagated by a long-standing lack of guidance. With the March 2015 Information Supplement: Penetration Testing Guidance, we were finally able to address this directly:
"It is not a requirement to test from within the CDE to the servers inside the CDE; and testing exclusively from within the CDE perimeter will not satisfy the requirement. However, when access to the CDE is obtained as a result of the testing, the penetration tester may elect to continue exploring inside the network and further the attack against other systems within the CDE, and may also include testing any data-exfiltration prevention (data-loss prevention) controls that are in place."
Testing from inside the CDE is not a requirement and should be done only with care. When we have compromised an organization's CDE, we will examine the data-exfiltration controls and egress rules whenever it is safe to do so.
Hopefully this information can clear up any misconceptions about scanning and scope and what’s required for the latest version of the Standard.