PCI penetration test guidelines updated

The PCI Security Standards Council has updated its penetration testing guidance in a new publication

It explains the different components comprising a penetration test and how they differ from a vulnerability scan. The report says that, “A vulnerability assessment uses automated tools to look for known vulnerabilities across defined IP address ranges. A penetration test will always be carried out by a person, not automated, and will scan systems to identify the IP addresses, device types, operating systems and software in use.”

The guidance is intended to help organisations develop their testing the security controls and processes to protect cardholder data. In addition it defines the qualifications of a pen tester and the "three primary parts of a penetration test": pre-engagement, engagement and post-engagement. Then it concludes with test reporting guidelines and an assessment checklist.

Michael Aminzade, VP of global compliance and risk services at Trustwave commented in an email to SC: “On too many occasions we come across organisations working to become compliant with PCI DSS that think they are either already in scope or that because they don't hold any card data, they aren't in scope, which in reality isn't the case. The new guidance will help to shine a light on the weak points in an organisations payment security environment, which could leave payment card data vulnerable.

"One area most likely to be uncovered under the new guidance is inadequate segmentation and the need for businesses to test their segmented networks thoroughly to help ensure their data is secure. The guidance highlights that penetration testing is a critical tool for verifying that segmentation is appropriately placed to isolate the cardholder data environment from other networks and reduce PCI DSS scope.

"The new guidance should help businesses segment off a smaller card holder environment, helping to strengthen the protection of their card holder data. A smaller target is easier to protect. (In addition) the new guidance makes it clear that penetration testers must identify and exploit vulnerabilities. Many organisations are already doing this level of testing but the new guidance will help those who aren't.”