
Vulnerability scanning vs. pen testing. Which one is required for PCI compliance? My understanding is that only a PCI vulnerability scan is required. Comments?

Question added by Zia Meer, IT Director, Exceed Solutions
Published: 2017/05/25
By Malik Muhammad, Information Security Officer, Golden Chip Company

Both are required: VA quarterly, and PT yearly.

By ahmed reda, Information Security Engineer, Security Meter

Both are required: quarterly vulnerability scanning and yearly pen testing.

By Mohamed Mamdouh

You actually need both for PCI DSS compliance, but in different ways.

For pen testing, you need one internal and one external test during the year, and one after any major change affecting the environment (if any).

As for vulnerability scanning (both internal and external), you need to have a clean scan for each quarter of your annual PCI DSS assessment.

By Deleted user

According to PCI DSS 3.0 you need to perform penetration testing once a year as a minimum and on every major change in the environment. This also makes sense, as vulnerability scanning will not tell you about web app vulnerabilities that need manual testing. Also please bear in mind that scanners like Nessus do have modules to search for card numbers in your disk space, for example, but in most cases you would want to use scripts to prove that you don't store them.