PCI Testing

Penetration Testing for the Business

The first question we should ask is whether penetration testing is mandatory. A PCI penetration test is a crucial process if your business is to remain secure. A lot of unguided speculation circulates in the media because of misinformation, and merchants who rely on untested claims expose themselves to possible fines for non-compliance. Any business owner should begin by evaluating his or her PCI compliance status; working with experts in the PCI field will then improve the quality of the validation.

Frequently asked questions

In the course of providing guidance on PCI, we encounter many different questions, and we strive to give well-informed answers for the benefit of our clients.

Question: In version 3.0, the regulations state that I should carry out penetration testing. While doing the test under version 2.0, I did not find any restrictions based on future improvements. Besides, is it a MUST to have version 3.0 testing?

Answer: Penetration testing under version 3.0 is a requirement of the PCI DSS. Although the testing itself is not new compared to version 2.0, there have been some improvements. The council decided to restructure the guidance after recognising the importance of strengthening cardholder data security. It is, therefore, a must for any merchant to conduct the PCI penetration test under version 3.0.

Key Changes in Penetration PCI

The following list shows the critical changes in PCI penetration testing:

  • The methodology adopted for PCI penetration testing should be based on industry-accepted approaches.
  • Testing should cover both applications and networks in order to identify vulnerabilities.
  • The merchant should perform penetration testing of both internal and external networks at least annually. Furthermore, the business should conduct testing after a change to the network infrastructure or on request.
  • Any problem identified in the course of testing should be resolved and retested to confirm that it has been cleared.

Additionally, the following posts will help you understand the penetration testing process:

https://www.pcicomplianceguide.org/the-top-5-questions-to-ask-a-prospective-penetration-tester/

https://www.pcicomplianceguide.org/dont-be-fooled-theres-no-such-thing-as-an-automated-penetration-test/

The PCI Security Standards Council has also published a penetration testing guidance document. Use the link provided to access it:

https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
