This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide.
If your organization is required to be PCI compliant, don’t procrastinate beginning the penetration test process. Finding and engaging a good penetration testing partner can take more time than you realize.
In performing PCI assessments, it is common to see an organization’s penetration testing process, from start to finish, take as long as everything else involved in the assessment combined. If you wait until your QSA (Qualified Security Assessor) is onsite, or until your SAQ (Self-Assessment Questionnaire) is due, to discuss penetration test scope, methodology, and objectives, you may be unable to meet your PCI compliance deadlines. Start thinking about penetration testing months before your PCI deadlines.
Remember, the required annual penetration test can begin before your PCI assessment, but you can’t be validated as PCI compliant before the testing is finished.
Like other areas of the PCI DSS, the version 4.0 update includes additions and clarifications that impact an organization’s vulnerability discovery, testing, and treatment programs.
New internal vulnerability scanning requirements now call for “authenticated” internal scanning. This allows the scanner to simulate a user with access to systems, so it can better catch vulnerabilities in applications and other software that require users to log in first.
Organizations are now required to define and document their own penetration testing methodology. By doing this, you will be able to clearly communicate infrastructure details, unique attributes of systems and applications, and testing goals and requirements to the penetration testing partner you engage. This allows for more effective testing and more useful results, all in an effort to better secure your environment.