Technical testing has a long-standing legacy in PCI DSS. Even from the days of the old CISP and SDP standards, technical testing has been a critical component of demonstrating compliance. Over the years, testing has evolved from simple external scans to full penetration testing that requires testers to prod all layers of the OSI model. In PCI DSS 3.0, the Standard requires that you use an industry-accepted penetration-testing methodology, which could lead to confusion. They do cite NIST SP 800-115 as an example methodology and the Penetration Testing Guidance (March 2015) by the Council, which at least gives you a place to start. Penetration testing is not something that you should take lightly, and not something ...