
Vulnerability vs PEN testing. Which one is required for PCI compliance? My understanding is only PCI vulnerability scan is required. Comments?

Question added by Zia Meer, IT Director, Exceed Solutions
Date Posted: 2017/05/25

by Malik Muhammad, Information Security Officer, Golden Chip Company

Both are required: VA quarterly and PT yearly.

by ahmed reda, Information Security Engineer, Security Meter

Both are required: quarterly vulnerability scanning and yearly pen testing.

You actually need both for PCI DSS compliance, but in different ways.

For pen testing you need one internal and one external test during the year, and one after any major change affecting the environment (if any).

As for vulnerability scanning (both internal and external), you need a clean scan for each quarter of your annual PCI DSS assessment.

by Deleted user

According to PCI DSS 3.0 you need to perform penetration testing once a year as a minimum and on every major change in the environment. This also makes sense, as vulnerability scanning will not let you know about web app vulnerabilities that need manual testing. Also please bear in mind that scanners like Nessus do have modules to search for card numbers in your disk space, for example, but in most cases you would like to use scripts to prove that you don't store them.
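The last answer mentions using scripts rather than a scanner module to prove that no card numbers are stored on disk. The following is an added example of what such a script looks like, written for this page and not taken from the thread or from any scanner product: it walks a directory tree, pulls out digit runs that look like a PAN (13 to 19 digits, optionally separated by spaces or dashes), discards the ones that fail the Luhn check, and reports the rest masked to first-six/last-four so the findings file does not itself become cardholder data. The sample files, the well-known test card numbers in them, and the 8 MB per-file read limit are constructed assumptions for the demo.

```python
"""PAN discovery over a directory tree: regex candidate match + Luhn check.
Added example for this thread, not code from the original page; the sample
files and test card numbers below are constructed for the demo."""
import re
import tempfile
from pathlib import Path

# Candidate PAN: 13-19 digits, each optionally followed by a space or dash,
# and not embedded in a longer digit run (lookbehind/lookahead).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every issued PAN passes it, so failing it lets us
    drop invoice numbers, timestamps and similar digit runs cheaply."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits only, so the report is not itself
    a store of full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in a block of text, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_tree(root: Path, max_bytes: int = 8 * 1024 * 1024) -> dict[str, list[str]]:
    """Map relative file path -> masked PANs for every file under root that
    contains at least one. Files are read as lossy UTF-8 so binaries and
    logs with odd encodings do not abort the scan (assumed read limit: 8 MB)."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()[:max_bytes]
        except OSError:
            continue  # unreadable file: skip rather than crash the whole run
        pans = find_pans(data.decode("utf-8", errors="ignore"))
        if pans:
            findings[path.relative_to(root).as_posix()] = [mask(p) for p in pans]
    return findings


# Constructed sample tree: two files with test PANs, one with look-alike
# digit runs that fail Luhn and must not be reported.
SAMPLE_FILES = {
    "logs/orders.log": "2017-05-25 order 9001 card=4111111111111111 auth=ok\n",
    "export/cards.csv": "name,pan\nalice,5555 5555 5555 4444\n",
    "notes.txt": "invoice 1234567890123456 shipped; ticket 4111111111111112\n",
}


def demo() -> dict[str, list[str]]:
    """Write the sample files to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    for filename, pans in demo().items():
        print(filename, pans)
```

For a real assessment, point `scan_tree` at the mount points in scope and keep the masked report as evidence; the Luhn filter removes most false positives, but a 16-digit window inside a longer separated digit run can still match, so anything reported should be checked by hand before being treated as a finding or dismissed.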