
PCI Penetration Testing. ASV, QSA, Internal, Third-party?
As a Qualified Security Assessor Company (QSAC) we are often asked by clients whether they can fulfil their ongoing PCI penetration testing requirements in-house. The short answer is: it depends.
PCI DSS requirement 11.3 covers an organisation's obligation to conduct an annual internal and external penetration test, including application-layer tests. This differs from PCI DSS requirement 11.2, which addresses the obligation to run quarterly internal and external network vulnerability scans. The quarterly external scans must be performed by an Approved Scanning Vendor (ASV); the internal scans may be run by qualified internal staff or a third party. Both requirements must be met at the mandated intervals and again whenever significant changes take place in the network, infrastructure or applications (including upgrades).
There are key technical differences between the two requirements as well. A vulnerability scan identifies and reports potential issues, whereas a penetration test attempts to exploit those vulnerabilities to determine how far an attacker could get and the full business impact. Penetration testing is largely manual and more comprehensive than vulnerability scanning, and it must include application-layer testing.
Applying the PCI SSC guidance, the annual penetration test does not strictly need to be conducted by a party external to your organisation. However, it must be performed by suitably qualified testers who are organisationally independent from the management of the systems being tested. The test should be appropriate to the size and complexity of the organisation and cover all in-scope locations. Both the methodology (black box or white box, and the types of tests performed) and the results must be documented, and the scope must include all systems and networks in the cardholder data environment. Smaller organisations with limited resources may find these conditions, particularly independence and demonstrable qualification, difficult to evidence.
Other organisations prefer to outsource these requirements to a firm that is wholly focused on delivering these specialist services and can provide comprehensive, independent results. Penetration testing should not be done merely to satisfy a compliance obligation; it should lead to an improved security posture, and many believe this is best achieved by engaging a specialist firm.
About the Author
Sense of Security is Australia's premier provider of a range of IT security and risk management solutions. Its services include IT security reviews, penetration testing, audit and PCI compliance. Sense of Security provides PCI compliance services through its team of QSAs to many of the country's leading organisations.