Enterprise Podcast Network

What You Should Know About PCI DSS Penetration Testing - Entrepreneur Podcast Network – EPN

The Payment Card Industry Data Security Standard (PCI DSS) is a globally accepted set of requirements intended to improve the security of customer credit, debit and cash card information wherever it is handled.
Penetration testing is part of the PCI DSS process. It involves testing the security of the systems involved in storing, processing and transmitting cardholder data. Penetration testing is a crucial area of compliance with the PCI DSS requirements.
Difference between Vulnerability Scan and Penetration Test
Although both a vulnerability scan and a penetration test are required for PCI DSS compliance, the two differ. A vulnerability scan is an entirely automated process that scans networks for known vulnerabilities.
A penetration test, on the other hand, goes beyond a vulnerability scan: the tester aims to demonstrate the risk that the exposed vulnerabilities pose to the business. Penetration testing involves far more work and costs more than a vulnerability scan, which requires only the automated scan.
Types of a PCI DSS Penetration Testing
There are three types of penetration testing:
•    Black-box: the tester is given no information before beginning the assessment.
•    White-box: the tester is given full details of the networks and applications.
•    Grey-box: the tester is provided with part of the information about the systems.
Scope of a Penetration Test 
PCI DSS penetration testing is carried out on all systems within the scope of the Cardholder Data Environment (CDE). The CDE is the people, processes and applications that store, process or transmit cardholder data. Determining the scope of PCI DSS penetration testing involves the following steps:
•    As noted in the guidance, an organization must evaluate every access path from public networks as well as access restricted to individual IP addresses.
•    Penetration testing has to be carried out on the internal and critical systems that access cardholder data. Critical systems are those that process and protect the cardholder's data.
•    A particular system may be left out of penetration testing. However, if such a non-CDE environment is compromised, that must not affect the CDE in any way.
Penetration testing is carried out on a half-yearly or annual basis, by a service provider that does not manage the CDE. It is crucial that critical systems such as firewalls, systems that detect malicious users, authentication servers and systems that redirect e-commerce traffic are all tested, since they control access to the CDE.
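The third scoping step above, that a compromised non-CDE segment must not be able to reach the CDE, is what a segmentation check verifies. The following added example (not code from the podcast or from PCI SSC) evaluates constructed sample flows from out-of-scope segments against a first-match firewall policy and reports any flow the policy would permit into the CDE; the rules, networks and flows are all made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

def first_match(rules, src_ip, dst_ip, dport):
    """Index of the first rule matching the flow; None means implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return i
    return None

def in_any(ip, nets):
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(n) for n in nets)

def segmentation_violations(rules, cde_nets, non_cde_nets, flows):
    """Flows (src, dst, port) that start outside the CDE, end inside it and
    would be permitted. Any hit means the non-CDE segment is not isolated,
    so it (and everything it touches) belongs in the assessment scope."""
    hits = []
    for src, dst, port in flows:
        if not (in_any(src, non_cde_nets) and in_any(dst, cde_nets)):
            continue
        i = first_match(rules, src, dst, port)
        if i is not None and rules[i].action == "allow":
            hits.append((src, dst, port, i))
    return hits

# Constructed policy and sample flows (hypothetical, not a real environment)
CDE = ["10.20.0.0/24"]
NON_CDE = ["10.10.0.0/16"]
RULES = [
    Rule("10.10.5.0/24", "10.20.0.0/24", None, "deny"),   # guest VLAN blocked
    Rule("10.10.0.0/16", "10.20.0.10/32", 443, "allow"),  # office -> CDE hole
    Rule("10.30.0.0/24", "10.20.0.0/24", None, "allow"),  # in-scope admin segment
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),         # default deny
]
FLOWS = [("10.10.5.7", "10.20.0.10", 443), ("10.10.7.7", "10.20.0.10", 443),
         ("10.10.7.7", "10.20.0.10", 22), ("10.30.0.5", "10.20.0.20", 1433)]

if __name__ == "__main__":
    for src, dst, port, i in segmentation_violations(RULES, CDE, NON_CDE, FLOWS):
        print(f"VIOLATION {src} -> {dst}:{port} permitted by rule {i}: {RULES[i]}")
```

Only the office-to-CDE web flow is reported; the flow from the admin segment is allowed but its source is already in scope, so it is not a segmentation failure.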
Importance of Penetration Testing for PCI DSS
The goal of penetration testing is to determine whether an attacker can access the system and compromise the security of cardholder files and data. It also checks that the scope, vulnerability management, testing methodology and segmentation are all in place.
Application Layer and Network Layer Testing
Application layer testing checks for vulnerabilities in web applications, web services and software integrations. Areas that may require this testing include shopping carts, online questionnaires and booking forms. Application testing examines the operating system of an application and attempts to identify where information can be compromised. It does not, however, cover off-the-shelf applications.
Network layer testing focuses on detecting security defects in the infrastructure that supports the CDE. This includes web servers, firewa…
Enterprise Podcast Network, by EPN