Scroll Top

PCI Updates Penetration Testing Guidance

PCI Updates Penetration Testing Guidance
0
By Jeffrey Jones IT Assessment it security audit Penetration Testing in MA April 21, 2015

The Payment Card Industry (PCI) Council has updated their guidance on penetration testing. The guidance provides specifics about misconceptions surrounding Penetration Testing. penetration-testing-new

Specifically the guidance provides

  • The Differences between a vulnerability assessment and penetration test
  • It defines the Card Holder Environment meaning both internal and external facing devices must be pen tested annually
  • It provides acceptable credentials for the penetration tester
  • The different types of testing that should occur
  • The restrictions that must be placed or not placed on the test
  • The methodology of what the Pen Test should consist of
  • When Penetration Testing should be performed

Here is an example excerpt 

“Each environment has unique aspects/technology that requires the tester select the most appropriate approach and the tools necessary to perform the penetration test. It is beyond the scope of this document to define or outline which approach, tools, or techniques are appropriate for each penetration test. Instead, the following sections provide high-level guidance on considerations for the approach, tools, or techniques. Penetration testing is essentially a manual endeavor.

In many cases, tools exist that can aid the tester in performing the test and alleviate some of the repetitive tasks. Judgment is required in selecting the appropriate tools and in identifying attack vectors that typically cannot be identified through automated means. Penetration testing should also be performed from a suitable location, with no restrictions on ports or services by the Internet provider.

For example, a penetration tester utilizing Internet connectivity provided to consumers and residences may have SMTP, SNMP, SMB, and other ports restricted by the Internet provider to minimize impact by viruses and malware. If testing is performed by a qualified internal resource, the test should also be performed from a neutral Internet connection unaffected by access controls that might be present from the corporate or support environments.”

Click Below to view PDF from the PCI Council

https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

 

0
Jeffrey Jones / About Author
Jeff Jones is a Cyber Security Architect and Ethical Hacker for Topgallant Partners. He has been in Data Communications for over 35 years. He responsible for all day-to-day operations, technical consulting, and security design for Topgallant.

His expertise is in Security Program Design, Security Risk Analysis and Assessment and Cyber Security Testing to include Penetration Testing, Vulnerability Testing, Social Engineering, Phishing, Wi-Fi Exploitations, Password Cracking, Man-in-the Middle Attacks and Web Application Hacking.

He has a M.A. in Computer Resources Management from Webster University and a B.A. in Journalism from Purdue University. He is also a terrible golfer.
More posts by Jeffrey Jones
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required