Bayt.com

Communiquez avec les autres et partagez vos connaissances professionnelles

Inscrivez-vous ou connectez-vous pour rejoindre votre communauté professionnelle.

Suivre

Vulnerability vs PEN testing. Which one is required for PCI compliance? My understanding is only PCI vulnerability scan is required. Comments?

Vulnerability Scanning Penetration Testing Security Compliance Testing PCI DSS
user-image
Question ajoutée par Zia Meer , IT Director , Exceed Solutions
Date de publication: 2017/05/25
Apprécier (0) Vues (12) Suiveurs (4) Réponses (4) Report Question
Ajoutez Une Réponse
Inscrivez-vous ou connectez-vous pour répondre.
Malik Muhammad
par Malik Muhammad , Information Security Officer , Golden Chip Company

Both Are required, VA quarterly, and PT yearly....

ahmed reda
par ahmed reda , Information Security Engineer , Security Meter

The Both are required. quarterly vulnerability scanning and yearly PEN testing

Mohamed Mamdouh

you actually need both for PCI DSS compliance but in a different way...

for PEN testing you need one internal and one external test during the year and one after any major change affecting the environment (if any)

as for vulnerability scanning (both internal & external) you need to have a clean scan for each quarter of your annual PCI DSS assessment

Utilisateur supprimé
par Utilisateur supprimé

According to PCI DSS 3.0 you need to perform penetration testing once a year as minimum and on every major change in the enviroment. This also makes sense as vulnerability scanning will not let you know about web apps vulnerabilities that needs manual testing. Also please bear in mind that scanners like Nessus do have modules to search for card numbers in your disk space for example, but in most cases you would like to use scripts to prove that you don't store them.

Ecrivez Votre Réponse
More Questions Like This

Avez-vous besoin d'aide pour créer un CV ayant les mots-clés recherchés par les employeurs?

Obtenir de l'aide