An Explanation Of What PCI Penetration Testing Is
This is a variant of the Penetration Test that we offer in addition to our normal format of this kind of vulnerability assessment. It is designed to discover any potential gaps or weaknesses in the network security of your company’s computer systems while comparing the results against the standards expected by the PCI-DSS. Every firewall, web site, web program, and computer application that is part of your network will be vigorously tested during this process. The goal is to determine whether an outside entity could gain access to your computer network, or whether there is a risk to the sensitive cardholder information that is handled in the processing of credit cards.
Penetration Testing of this sort is bound to follow the standards set forth by PCI-DSS Requirement 11.3, which states the following:
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
- 11.3.1 Network-layer penetration tests
- 11.3.2 Application-layer penetration tests
In short, during this type of test, we will be attempting to break into the credit card environment of your computer system in the following three ways:
- Externally – From the Internet
- Internally – From the local network
- Internally – Attempt to break something within the credit card environment
The Many Benefits Of PCI Penetration Testing
The multifaceted and extremely thorough nature of this assessment is one of its greatest values. Not only will you be made aware of any ways in which your established expectations of information security safeguards are not being met, but we will also be able to advise you of any new methods or procedures that might be added to your existing set-up to raise the standard your company sets for information security and consumer confidence to the highest level.
This vulnerability assessment is not required of every company that deals with or accepts credit cards as a form of payment, but if you are Level 1, then yes, you need it. Other than that, there are certain circumstances that require a PCI Penetration Test. Consult with one of our Certified Information Privacy Professionals to learn more and find out whether your company needs Penetration Testing.