PCI Council Publishes Guidance On Penetration Testing

Recommendations to help organizations address a top security challenge area.

According to a 2015 report on PCI compliance from Verizon, testing security systems is the only area within the PCI Data Security Standard (PCI DSS) where compliance fell over the past year. Today the PCI Security Standards Council published Penetration Testing Guidance to help organizations establish a sound methodology for regularly testing the security controls and processes that protect the cardholder data environment, in accordance with PCI DSS Requirement 11.3.

Organizations can use penetration testing to identify and exploit vulnerabilities in order to determine whether unauthorized access to their systems, or other malicious activity, is possible. It is also a critical tool for verifying that segmentation is in place and effective in isolating the cardholder data environment from other networks, which is what allows those other networks to be treated as out of PCI DSS scope. Networks considered out of scope are often compromised because of poor segmentation, so the segmentation itself must be tested rather than assumed.
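One concrete form the segmentation verification described above can take is a connectivity check run from a host on a network that is supposed to be out of scope: every CDE service that answers from that side is a segmentation failure. The script below is an added example, not code from the PCI SSC guidance or from Verizon; the CDE hosts and ports are assumed placeholder values, and the probe function is pluggable so the logic can be exercised offline against a stub.

```python
"""Segmentation check: run from a host on an out-of-scope segment and confirm
that no cardholder data environment (CDE) service is reachable from there.
Added example; not from the PCI SSC Penetration Testing Guidance."""
import socket
from typing import Callable, Iterable, List, Tuple

Target = Tuple[str, int]

# Hypothetical CDE services (assumed addresses for illustration only).
CDE_TARGETS: List[Target] = [
    ("10.10.1.10", 443),   # payment application front end
    ("10.10.1.20", 1433),  # cardholder database
    ("10.10.1.30", 22),    # administrative access to a CDE host
]


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a full TCP handshake completes, i.e. the service is
    reachable from the segment this script runs on. Connection refused,
    timeout and routing errors all mean 'not reachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def segmentation_violations(
    targets: Iterable[Target],
    probe: Callable[[str, int], bool] = tcp_probe,
) -> List[Target]:
    """Probe every CDE target and return those that answered. An empty list
    means the segmentation control held for every probed service; any entry
    is a path from the out-of-scope network into the CDE that must be closed
    (or the 'out-of-scope' network must be brought into scope)."""
    return [(host, port) for host, port in targets if probe(host, port)]


def format_report(violations: List[Target], probed: int) -> str:
    """Human-readable summary suitable for the post-engagement report."""
    if not violations:
        return f"PASS: {probed} CDE services probed, none reachable from this segment"
    lines = [f"FAIL: {len(violations)} of {probed} CDE services reachable from this segment"]
    lines += [f"  {host}:{port} accepted a TCP connection" for host, port in violations]
    return "\n".join(lines)


if __name__ == "__main__":
    # Real run: probes the placeholder targets with actual TCP connections.
    found = segmentation_violations(CDE_TARGETS)
    print(format_report(found, len(CDE_TARGETS)))
```

The check is deliberately minimal: it covers TCP reachability only, so a thorough segmentation test would repeat it for UDP and ICMP, from every out-of-scope segment, and against the full CDE address range rather than a handful of known hosts.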

Developed by a PCI Special Interest Group of industry experts, the new guidance aims to help organizations of all sizes, budgets and sectors evaluate, implement and maintain a penetration testing methodology. The best practices address:

·      Penetration Testing Components: Understanding of the different components that make up a penetration test.

·      Qualifications of a Penetration Tester: Determining the qualifications of a penetration tester, whether internal or external, based on past experience and certifications.

·      Penetration Testing Methodologies: Detailed information related to the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement.

·      Penetration Testing Reporting Guidelines: Guidance for developing a comprehensive penetration test report.

An update to PCI guidance published in 2008, the document also includes three case studies that illustrate the concepts presented, as well as a quick-reference guide to help navigate the penetration testing requirements. The Penetration Testing Guidance is available for download on the PCI SSC website.

Read more – http://www.darkreading.com/risk/pci-council-publishes-guidance-on-penetration-testing/d/d-id/1319646

English blog