The Payment Card Industry Data Security Standard (PCI DSS) requires all organizations that store, process, or transmit credit card data to adhere to specific credit card security requirements approved and endorsed by the various card brands such as Visa, MasterCard, American Express, and Discover.

Section 11.3 of the PCI DSS requires organizations to perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

What is a Penetration Test?

A penetration test is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and even risky end-user behavior. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as end-users’ adherence to security policies.

PCI DSS compliant penetration testing must meet specific guidelines:

• Penetration testing methodology must be based on industry-accepted approaches such as NIST SP800-115.
• Testing must include the entire cardholder data environment (CDE).
• Testing must be performed from an external and internal perspective.
• Segmentation controls, or controls that reduce the scope of the CDE, must be tested for effectiveness.
• The assessment needs to include both application-layer and network-layer testing.
• Any exploitable vulnerabilities must be addressed and retested.

Conformance’s Cyber Attack Readiness Toolkit designed for Small-to-Midsize Merchants

We offer an economical alternative for smaller merchants that have a single e-commerce site.