Penetration testing, also known as pen testing, identify IT network vulnerabilities to determine whether unauthorized access or other malicious activity is possible.
What does penetration testing mean?
The definition of penetration testing:
- Ethically attacking a computer system and/or a firewall to find security weaknesses
- Ethically exploiting any weaknesses found in an IT network environment
- Requires a certified ethical hacker (CEH), otherwise know as a white hat hacker, performing the attacks
What is the PCI requirement related to penetration testing?
- Requirement 11.3 in the Data Security Standard (DSS) defines the internal (11.3.1) and external (11.3.2) pen testing methodology
- Three SAQs require pen testings, specifically SAQ A-EP, SAQ D, and SAQ C (only if network is segmented, 11.3.4)
- Performed annually or after any significant IT network infrastructure, application upgrade, or modification
What does a typical penetration (pen) tester or testing service do?
- Attacks from inside the network to see if data can get out
- Attacks from outside the network to see if the CEH can break into the network
- If the cardholder data environment (CDE) is segmented from the rest of the network, look for security weaknesses between segments
What happens after a typical penetration test?
A penetration (pen) tester or testing service should create and deliver a comprehensive report of key findings, recommendations and remediation actions.
- Complete proposed remediation actions
- Repeat pen testing per Requirement 11.3.3
Are you looking to complete do a penetration (pen) test on your network?
We can help! NuArx has experienced CEHs/penetration testers on our team, as well as deep domain expertise as a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). We’re a leading provider of PCI compliance and security services. Contact us ⇨ to get started with a pen test or give our solution team a call at 877.556.8279.