PCI DSS: Fulfilling your scanning and testing requirements

Too often, organisations rely on vulnerability scans to identify weaknesses in their organisation. They are told that vulnerability scanning is as good as penetration testing and that it will be enough to meet the compliance requirements of the PCI DSS (Payment Card Industry Data Security Standard).

However, scanning and testing perform two different jobs, and the PCI DSS mandates that you conduct both on a regular basis. Anyone who says otherwise is wrong.

What is vulnerability scanning?

Organisational vulnerabilities are unavoidable – not only because of frequent changes to applications and systems but also because firewalls are designed to leave certain ports open for email and other Internet-based services. However, organisations should always know where these vulnerabilities are, because it allows them to address weaknesses that can be fixed and prepare for attacks against those that can’t. That’s where vulnerability scanning helps.

As the name suggests, vulnerability scans root out an organisation’s weaknesses. Organisations can use a variety of tools, each of which essentially runs a series of if–then checks designed to identify system settings, software versions or responses that match known vulnerabilities. A completed scan provides a logged summary of alerts for the organisation to act on.

The PCI DSS mandates that vulnerability scans be conducted quarterly or whenever significant changes are made to the organisation’s networks.

What is penetration testing?

Penetration tests are much more rigorous than vulnerability scans. They are designed to not only identify weaknesses in an organisation’s system architecture but also actually exploit them. This demonstrates to an organisation exactly how a cyber criminal would infiltrate its systems and what information they could access. Armed with this knowledge, organisations can pinpoint how effective their security controls are and which areas need to be improved.

The testing process can be invasive because, for all intents and purposes, your organisation is under attack. You’ll therefore need to conduct the test outside of working hours or let the relevant people know about the test in advance. You’ll also need to hire a qualified professional to oversee the process, as penetration testing involves a very nuanced set of skills and must be performed by someone who is bound to ethical standards. If someone in your organisation performed the test, they might influence the test to reflect their own bias. Worse yet, they might use the test as a dry-run for an insider attack.

There are four types of penetration test, each with its own focus:

Organisations don’t need to conduct penetration tests as often as vulnerability scans – once a year or whenever system architecture is significantly altered should suffice.
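The two cadences described above (quarterly scans and annual penetration tests, each also triggered by significant change) are easy to lose track of across a year. The following is an added example, not code from the original article, that checks a record of test dates and change dates against those rules; the 90-day and 365-day windows, the sample dates and the function names are this example's own assumptions.

```python
from datetime import date, timedelta

# Windows assumed for this example: "quarterly" taken as 90 days and
# "once a year" as 365 days. Adjust to your assessor's interpretation.
SCAN_INTERVAL = timedelta(days=90)
PENTEST_INTERVAL = timedelta(days=365)


def cadence_findings(tests, changes, interval, as_of):
    """Return a list of findings where the testing cadence was not met.

    tests    - dates on which a scan or penetration test was completed
    changes  - dates of significant changes that require a re-test
    interval - maximum allowed gap between consecutive tests
    as_of    - the date on which the check is being run
    """
    tests = sorted(tests)
    findings = []
    if not tests:
        return ["no test on record"]
    # Rule 1: consecutive tests, and the last test up to today, must not be
    # further apart than the interval.
    checkpoints = tests + [as_of]
    for prev, nxt in zip(checkpoints, checkpoints[1:]):
        if nxt - prev > interval:
            findings.append(f"gap of {(nxt - prev).days} days after test on {prev}")
    # Rule 2: every significant change must be followed by at least one test
    # (a single test after several changes covers all of them).
    for change in sorted(changes):
        if not any(t >= change for t in tests):
            findings.append(f"no test after significant change on {change}")
    return findings


def pci_testing_status(scans, pentests, changes, as_of):
    """Combine both cadence checks into one report keyed by test type."""
    return {
        "vulnerability_scans": cadence_findings(scans, changes, SCAN_INTERVAL, as_of),
        "penetration_tests": cadence_findings(pentests, changes, PENTEST_INTERVAL, as_of),
    }


# Constructed sample history for demonstration only.
SAMPLE_SCANS = [date(2023, 1, 10), date(2023, 4, 5), date(2023, 9, 1)]
SAMPLE_PENTESTS = [date(2022, 11, 1)]
SAMPLE_CHANGES = [date(2023, 6, 15), date(2023, 10, 20)]
SAMPLE_AS_OF = date(2023, 11, 30)

if __name__ == "__main__":
    for kind, items in pci_testing_status(SAMPLE_SCANS, SAMPLE_PENTESTS, SAMPLE_CHANGES, SAMPLE_AS_OF).items():
        print(kind, items or ["ok"])
```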

Security testing and the PCI DSS

For more advice on vulnerability scanning and penetration testing, take a look at our green paper: Security testing and the PCI DSS.

This free guide unpacks the complexities of the Standard, helping organisations understand how they can achieve and maintain compliance. It provides practical guidance on how to test the security of your systems and processes, and better protect the payment card information you store.
