
Vulnerability vs PEN testing. Which one is required for PCI compliance? My understanding is only PCI vulnerability scan is required. Comments?

Question added by Zia Meer, IT Director, Exceed Solutions
Publication date: 2017/05/25
by Malik Muhammad, Information Security Officer, Golden Chip Company

Both are required: VA quarterly, and PT yearly.

by ahmed reda, Information Security Engineer, Security Meter

Both are required: quarterly vulnerability scanning and yearly PEN testing.

You actually need both for PCI DSS compliance, but in a different way.

For PEN testing you need one internal and one external test during the year, and one after any major change affecting the environment (if any).

As for vulnerability scanning (both internal & external), you need to have a clean scan for each quarter of your annual PCI DSS assessment.

by Deleted user

According to PCI DSS 3.0 you need to perform penetration testing once a year as a minimum and on every major change in the environment. This also makes sense, as vulnerability scanning will not let you know about web app vulnerabilities that need manual testing. Also please bear in mind that scanners like Nessus do have modules to search for card numbers in your disk space, for example, but in most cases you would like to use scripts to prove that you don't store them.