Licensees must conduct test of their IT infrastructures and core systems to verify the robustness of the security control measure that is in place to prevent security breaches. These tests, among others, must include penetration testing and vulnerability assessment of the IT infrastructure. The test must be undertaken by an external independent party that have security professionals, such as ethical hackers, and not by employees of the licensee or entities associated with the licensee.