The Payment Card Industry (PCI) Security Standards Council (PCI SSC) has published another information supplement for the PCI Data Security Standard (PCI DSS), this time on penetration testing. It would appear there has been large variability in the penetration tests being undertaken for PCI DSS.
Information Supplement: Penetration Testing Guidance, v1 March 2015, replaces the PCI SSC's original penetration testing information supplement titled "Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 Penetration Testing" published in 2008.
The scope of a penetration test is defined in PCI DSS Requirement 11.3. It must include the entire cardholder data environment (CDE) perimeter and any critical systems that may impact the security of the CDE, as well as the environment in scope for PCI DSS. This includes both the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (LAN-LAN attack surfaces).
The information supplement comprises the following sections:
- Penetration testing components: Understanding the different components that make up a penetration test and how this differs from a vulnerability scan, including scope, application- and network-layer testing, segmentation checks, and social engineering.
- Qualifications of a penetration tester: Determining the qualifications of a penetration tester, whether internal or external, through their past experience and certifications.
- Methodology: Detailed information related to the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement.
- Reporting and documentation: Guidance for developing a comprehensive penetration test report that includes the necessary information to document the test, as well as a checklist that can be used by the organization or the assessor to verify whether the necessary content is included.
- Case studies / scoping examples.
Hopefully this will help organisations define more consistent objectives and requirements for penetration tests, improving the quality, and thus the benefits, of such testing.
Posted on: 07 April 2015 at 06:39 hrs