PCI Cardholder Environment Penetration Testing
Attackers seeking to compromise your data do not rely on commercial scanners that cost tens or hundreds of thousands of dollars. Our penetration testing methodology combines the strongest parts of commercial tools, open-source tools, and manual and scripted targeted attacks to identify weaknesses in perimeter and internal hosts, applications, and network security.
We test for commonly known vulnerabilities, the variants and patch levels of those vulnerabilities, and common misconfigurations. This approach also prepares your organization for the other technical controls required when complying with standards such as PCI-DSS, providing a framework for a measured response.
In practice, most cardholder environment compromises begin with a host outside that environment. Holistic security is therefore paramount, and taking the narrow view of protecting only the cardholder environment (CHE) is likely to cause more problems than it solves. Being prepared and testing thoroughly helps prevent incidents.
PCI Penetration Testing Requirements
The Payment Card Industry Data Security Standard mandates that organizations that handle cardholder data must perform external, internal, and web application penetration testing, specifically:
- 6.6 – For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by reviewing public-facing web applications via manual or automated application vulnerability security assessment tools.
- 11.3 – Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment).
© 2014 Critical Assets - All Rights Reserved