Requirement 11 of the PCI DSS describes the need to regularly and frequently carry out tests to identify unaddressed security issues and scan for rogue wireless networks.
Regular testing is fundamental to ensuring that an organisation is prepared for the full range of attacks that companies have to face.
To purchase one of our penetration testing services, click the links below or call our team today on 00 800 48 484 484.
PCI compliance, especially for Reports on Compliance (ROCs) and some self-assessment questionnaires (SAQs), requires internal and external vulnerability scans, and frequent penetration tests.
PCI DSS Requirement 11.3 addresses penetration testing, which is different from the external and internal vulnerability assessments required by PCI DSS Requirement 11.2. A vulnerability assessment simply identifies and reports on vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorised access or other malicious activity is possible. Penetration testing should include network and application layer testing, as well as the controls and processes around the networks and applications, and should be conducted both from outside the network trying to come in (external testing) and from inside the network (internal testing).
The goals of penetration testing are:
Meet the penetration testing requirements of the PCI DSS with our comprehensive web application, infrastructure or wireless network penetration tests.
* Or after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
** Or after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment).
# Only required for testing network segmentation if any is present.
+ Only external penetration test required.
++ For service providers, any network segmentation must be tested every six months.
1 Or after any change to the application. Applicable if developing your own applications or using a third-party, non-PCI-certified web application.
Please note that IT Governance routinely provides this service remotely for organisations located outside the United Kingdom. We can also offer an on-site presence, but consultant expenses related to travelling, etc. will need to be absorbed as an additional cost.