PCI DSS Security Testing
The PCI DSS includes a number of requirements for scanning and penetration testing. In fact there are many, and this can be confusing. Now, with V3 of the standard, PCI DSS security testing requirements are clarified further. We’ve had a close look, and here are our key messages for you.
- Testing needs to be part of your “business as usual” activity. Most tests are required when something changes within your environment – this happens more frequently than many organisations realise.
- A penetration testing methodology is required. Not all penetration tests are the same – the standard now describes in detail what a penetration should achieve within your PCI DSS environment.
- Vulnerability scanning and ASV scans are not the same. There are distinct requirements addressing internal and external scans, as well as external ASV scans – it’s important to know the difference.
- Security issues need to be fixed. High risk or exploitable issues need to be fixed – it’s not enough simply to perform the test.
Find out more about PCI DSS Security Testing
Download our handy summary of PCI DSS v3 scanning and penetration testing requirements. It summarises all the different requirements that expect some kind of security related assessment – including wireless testing, penetration testing and vulnerability scanning.