PCI Penetration Testing and Requirement 11
Requirement 11 of the PCI DSS mandates internal and external penetration testing at least once a year and after any significant infrastructure, application or operating system change. The PCI DSS also requires internal and external vulnerability scanning every quarter, and scans must additionally be run whenever network or system components change. External vulnerability scanning must be performed by an Approved Scanning Vendor (ASV). There is, however, a great deal of confusion about what the PCI DSS actually means by each term and what the essential differences are between PCI vulnerability scanning and PCI penetration testing. The potential issues found by each type of PCI compliance test also differ considerably, and there is a general lack of understanding of what ASV vulnerability scanning and penetration testing results actually mean.
This page provides answers to the questions above and pragmatic advice on both ASV scanning and PCI penetration testing.
Limitations of ASV Scanning
ASV scanning is an excellent and critical tool for auditing security flaws. It gives broad and important coverage and is cost-effective, allowing multiple tests to be executed and re-tested within any given period. It is, however, limited in that certain flaws in infrastructure, and particularly in application security, can only be located through manual PCI penetration testing carried out by experienced penetration testing teams.
What is PCI Penetration Testing
PCI penetration testing is very different from PCI ASV scanning in that a full manual PCI penetration test (rather than an automated scan) is undertaken. This should be overseen by penetration testing teams that are conversant with the PCI standard, although in practice this is not always the case.
Engaging a PCI penetration testing firm
With the above in mind, the Group 4 Networks penetration testing team works closely with your team to ensure that you receive not only in-depth PCI penetration testing services, but also that the testing is set in the context of what the PCI DSS actually requires for your particular site.