PCI Updates Penetration Testing Guidance

The Payment Card Industry (PCI) Council has updated their guidance on penetration testing. The guidance provides specifics about misconceptions surrounding Penetration Testing. penetration-testing-new

Specifically the guidance provides

  • The Differences between a vulnerability assessment and penetration test
  • It defines the Card Holder Environment meaning both internal and external facing devices must be pen tested annually
  • It provides acceptable credentials for the penetration tester
  • The different types of testing that should occur
  • The restrictions that must be placed or not placed on the test
  • The methodology of what the Pen Test should consist of
  • When Penetration Testing should be performed

Here is an example excerpt 

“Each environment has unique aspects/technology that requires the tester select the most appropriate approach and the tools necessary to perform the penetration test. It is beyond the scope of this document to define or outline which approach, tools, or techniques are appropriate for each penetration test. Instead, the following sections provide high-level guidance on considerations for the approach, tools, or techniques. Penetration testing is essentially a manual endeavor.

In many cases, tools exist that can aid the tester in performing the test and alleviate some of the repetitive tasks. Judgment is required in selecting the appropriate tools and in identifying attack vectors that typically cannot be identified through automated means. Penetration testing should also be performed from a suitable location, with no restrictions on ports or services by the Internet provider.

For example, a penetration tester utilizing Internet connectivity provided to consumers and residences may have SMTP, SNMP, SMB, and other ports restricted by the Internet provider to minimize impact by viruses and malware. If testing is performed by a qualified internal resource, the test should also be performed from a neutral Internet connection unaffected by access controls that might be present from the corporate or support environments.”

Click Below to view PDF from the PCI Council

https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

 

0

Leave a comment