New PCI SSC penetration testing guidance

Although Requirement 11 of the PCI DSS mandates regular testing of security systems and processes, Verizon’s 2015 PCI Compliance Report shows that this requirement had the lowest rate of compliance, with the percentage of compliant companies dropping from 40% to 33% in 2014.

Vulnerability scanning or penetration testing?

The Verizon PCI Compliance Report notes that ‘[the] terms “vulnerability scanning” and “penetration testing” are often misunderstood by organizations. A vulnerability assessment uses automated tools to look for known vulnerabilities across defined IP address ranges… Penetration testing goes a step further. A penetration tester – such tests will always be carried out by a person, not automated – will scan systems to identify the IP addresses, device types, operating systems and software in use. This will enable the tester to identify likely vulnerabilities, which they will try to exploit to identify and evaluate weaknesses in networks and applications. A thorough penetration test may also include using physical and social engineering techniques.’

PCI SSC Information Supplement: Penetration Testing Guidance

Ahead of the introduction of PCI DSS version 3.1 in April, the PCI SSC (Security Standards Council) has published new guidance on penetration testing for organisations “of all sizes, budgets, and industries.”

The guidance focuses on “the different components that make up a penetration test and how this differs from a vulnerability scan including scope, application and network-layer testing, segmentation attacks, and social engineering”; “the qualifications of a penetration tester”; “the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement”; and “developing a comprehensive penetration test report that includes the necessary information to document the test as well as a checklist that can be used by the organization or the assessor to verify whether the necessary content is included”.

IT Governance PCI penetration testing services

IT Governance is a CREST-accredited penetration testing service and a PCI QSA (Qualified Security Assessor), and is qualified to conduct vulnerability scans and penetration tests to ensure your compliance with standards including the PCI DSS and ISO 27001. Our team of consultants have an extensive understanding of cardholder data flow, payment card systems and IT security.

For more information on IT Governance’s penetration testing packages, please click here.