
PCI council publishes guidance on computer systems penetration testing

The document offers recommendations for testing methodology, case studies, and a quick-reference guide to assist in navigating testing requirements.

April 14, 2015

The PCI Security Standards Council has published penetration testing guidance to help organizations establish a strong methodology for regularly testing security controls and processes to protect cardholder data.

Organizations can use penetration testing to determine whether unauthorized system access or other malicious activity is possible. It is also a critical tool for verifying that segmentation is appropriately in place to isolate the cardholder data environment from other networks and to reduce PCI DSS scope. Networks are often treated as out of scope even though the segmentation methods relied on are inadequate.

The new guidance outlines best practices that include:

  • understanding of penetration testing components — the different components that make up a penetration test;
  • determining qualifications of a penetration tester — whether internal or external — through past experience and certifications;
  • developing penetration testing methodologies, including the three primary parts of a test — pre-engagement, engagement, and post-engagement; and
  • reporting guidelines for developing a comprehensive penetration test report.

The document also includes three case studies that illustrate concepts presented within the document, as well as a quick-reference guide to assist in navigating the penetration testing requirements.

A PDF of the penetration testing guidance document is available for download at the PCI SSC website.

©2025 Networld Media Group, LLC. All rights reserved.