Penetration (pen) testing identifies network vulnerabilities to determine whether unauthorized access or other malicious activity is possible.
What does penetration testing mean?
The definition of penetration testing:
- Ethically attacking a computer system and/or a firewall to find security weaknesses
- Ethically exploiting any weaknesses found in an IT network environment
- Requires a certified ethical hacker (CEH), otherwise known as a white hat hacker, to perform the attacks
What is the PCI requirement related to penetration testing?
- Requirement 11.3 in the Data Security Standard (DSS) defines the internal (11.3.1) and external (11.3.2) pen testing methodology
- Three SAQs require pen testing, specifically SAQ A-EP, SAQ D, and SAQ C (only if the network is segmented, 11.3.4)
- Performed annually or after any significant IT network infrastructure or application upgrade or modification
What does a typical penetration (pen) tester or testing service do?
- Attacks from inside the network to see if data can get out
- Attacks from outside the network to see if the CEH can break into the network
- If the cardholder data environment (CDE) is segmented from the rest of the network, looks for security weaknesses between segments to confirm the segmentation actually holds
What happens after a typical penetration test?
A penetration (pen) tester or testing service should create and deliver a comprehensive report of key findings, recommendations and remediation actions.
- Complete the proposed remediation actions
- Repeat pen testing to verify the fixes, per Requirement 11.3.3
Are you looking to do a penetration (pen) test on your network?
We can help! NuArx has experienced CEHs/penetration testers on our team, as well as deep domain expertise as both a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). We’re a leading provider of PCI compliance and security services. Contact us to get started with a pen test or give our solution team a call at 877.556.8279.