The body that administers the Payment Card Industry Data Security Standard (PCI DSS) has published a guide on penetration testing.
According to the Verizon report, compliance between 2013 and 2014 increased by 18% on average for 11 of the 12 PCI DSS requirements.
But among organisations that met 95% of the controls, more than half failed requirement 11, which covers regular testing of security systems and processes.
The Penetration Testing Guidance – published by the Payment Card Industry Security Standards Council (PCI SSC) – is aimed at helping organisations establish a strong methodology for regularly testing security controls and processes in accordance with PCI DSS requirement 11.3.
Benefits of penetration testing
According to the PCI SSC, organisations can use penetration testing to identify vulnerabilities, to determine whether unauthorised access to their systems or other malicious activity is possible.
Penetration testing is a critical tool to verify that appropriate segmentation is in place to isolate the cardholder data environment from other networks, and to reduce PCI DSS scope, the council said.
The PCI SSC said networks considered out of scope are often compromised because of poor segmentation methods.
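The segmentation check the council refers to is, at its core, a comparison between what an organisation's segmentation design says should be reachable from out-of-scope networks and what is actually reachable. The following is an added illustration, not code from the PCI SSC guide or the article: it assumes a hypothetical allowlist of permitted (source zone, CDE host, port) tuples and a constructed set of probe results, and reports any path into the cardholder data environment that is open but not in the design, as well as any designed path that turned out to be blocked (which usually means the test did not exercise what it was meant to).

```python
"""Segmentation-validation evaluator (added example, not from the PCI SSC guide).

Compares observed reachability from out-of-scope network zones into the
cardholder data environment (CDE) against the organisation's documented
allowlist and reports deviations in both directions.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """One connectivity observation: could src_zone reach dst_host:dst_port?"""
    src_zone: str
    dst_host: str
    dst_port: int
    reachable: bool


# Hypothetical allowlist: the only paths from out-of-scope zones into the CDE
# that the segmentation design permits. Everything else must be blocked.
ALLOWLIST = {
    ("corp-lan", "10.10.1.20", 443),  # corporate LAN -> payment web tier (HTTPS)
    ("corp-lan", "10.10.1.21", 443),  # corporate LAN -> second web node (HTTPS)
}

# Constructed sample results, as an authorised segmentation test from the
# out-of-scope zones might have recorded them. Addresses are placeholders.
SAMPLE_PROBES = [
    Probe("corp-lan", "10.10.1.20", 443, True),    # permitted and open: fine
    Probe("corp-lan", "10.10.1.20", 22, True),     # SSH open from corp LAN: violation
    Probe("corp-lan", "10.10.1.21", 443, False),   # permitted but blocked: check coverage
    Probe("guest-wifi", "10.10.1.30", 3306, False),  # database blocked from guest: fine
    Probe("guest-wifi", "10.10.1.30", 1433, True),   # database open from guest: violation
]


def tcp_probe(src_zone: str, host: str, port: int, timeout: float = 1.0) -> Probe:
    """Collector for live use on one's own network: a single TCP connect attempt
    from the machine running this script, recorded as a Probe. Not used by the
    sample below, which works from the constructed results instead."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return Probe(src_zone, host, port, True)
    except OSError:
        return Probe(src_zone, host, port, False)


def evaluate(probes, allowlist):
    """Split probes into (violations, unexpected_closed).

    violations: reachable paths into the CDE that the design does not allow,
                i.e. segmentation failures that bring the source zone into scope.
    unexpected_closed: designed paths that were not reachable; not a security
                failure, but the test did not confirm the design as written.
    """
    violations, unexpected_closed = [], []
    for p in probes:
        allowed = (p.src_zone, p.dst_host, p.dst_port) in allowlist
        if p.reachable and not allowed:
            violations.append(p)
        elif not p.reachable and allowed:
            unexpected_closed.append(p)
    return violations, unexpected_closed


def segmentation_passes(probes, allowlist) -> bool:
    """True only when no unexpected path into the CDE was reachable."""
    violations, _ = evaluate(probes, allowlist)
    return not violations


def run_sample():
    """Evaluate the constructed sample against the hypothetical allowlist."""
    return evaluate(SAMPLE_PROBES, ALLOWLIST)


if __name__ == "__main__":
    violations, unexpected_closed = run_sample()
    for p in violations:
        print(f"VIOLATION: {p.src_zone} can reach {p.dst_host}:{p.dst_port}")
    for p in unexpected_closed:
        print(f"CHECK COVERAGE: designed path {p.src_zone} -> {p.dst_host}:{p.dst_port} was blocked")
    print("segmentation passes" if segmentation_passes(SAMPLE_PROBES, ALLOWLIST) else "segmentation FAILS")
```

The useful property of keeping the allowlist as data is that the same evaluator can be rerun after every firewall change, and the second list (designed paths that were unexpectedly blocked) catches the common case where a test "passes" only because it never actually reached the segment it was supposed to exercise.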
The guide, developed by a PCI Special Interest Group of industry experts, aims to help organisations of all sizes, budgets and sectors evaluate, implement and maintain a penetration testing methodology.
Testing methodology best practice
Best practice addresses:
- Understanding the different components that make up a penetration test;
- Determining the qualifications of a penetration tester;
- Understanding penetration methodologies;
- Developing a comprehensive penetration test report.
The guide updates guidance published in 2008 and includes three case studies and a quick-reference guide for navigating the penetration testing requirements.
“Penetration testing is a critical component of the PCI DSS,” said Troy Leach, PCI SSC chief technology officer.
“It shines a light on weak points in an organisation’s payment security environment which, if unchecked, could leave payment card data vulnerable.”