Clarity for penetration testing: new guidelines strengthen PCI standards
WHITE PAPER |
Penetration testing has been a challenge in the past for organizations seeking and requiring Payment Card Industry (PCI) compliance. The process is necessary to achieve compliance, but previous guidelines were inconsistent, leading to widespread confusion and organizations not receiving true penetration testing from vendors. However, the PCI Security Standards Council brought clarity and enhanced security to penetration testing with the recently released “Information Supplement: Penetration Testing Guidance."
A penetration test is complex, requiring technical personnel to perform the same actions as a skilled attacker. Unfortunately, the term was never properly defined, and organizations interpreted testing requirements in several ways. In the end, many organizations chose the easiest route to satisfy the letter, and not the spirit, of the requirement. Due to the vague guidelines, Qualified Security Assessors were required to accept insufficient testing, but those processes often left organizations open to vulnerabilities.
After companies began experiencing attacks through exposures that should have been caught through a true penetration test, the PCI decided to act and develop clearer, more comprehensive guidelines. The information supplement is clearly a step in the right direction, providing clarity and consistency and the intended level of protection from penetration testing. However, organizations must understand the new guidelines to ensure vendors adhere to updated requirements, protecting cardholder data and avoiding investments in inadequate testing.