A penetration test is a type of cyber security assessment designed to identify, exploit and help address vulnerabilities.
PCI DSS penetration testing covers network infrastructure and applications from both outside and inside the organisation’s network, and includes segmentation testing: verifying that the controls intended to isolate the cardholder data environment (CDE) from out-of-scope networks actually prevent access.
Under PCI DSS (Payment Card Industry Data Security Standard) v4.0, Requirement 11.4.1 requires a defined, documented penetration testing methodology, and Requirements 11.4.2 and 11.4.3 require internal and external penetration testing respectively, performed at least once every 12 months and after any significant change – for example, infrastructure or application upgrades or modifications, or the installation of new system components. Requirement 11.4.5 requires penetration testing of the segmentation controls whenever segmentation is used to reduce PCI DSS scope.
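The segmentation test required by 11.4.5 comes down to a simple question: from a host on an out-of-scope network, can any CDE service be reached at all? The script below is an added example written for this page, not tooling from the PCI SSC or from the original article. It attempts TCP connections from wherever it is run to a list of CDE addresses and ports and reports every successful handshake as a segmentation failure. The addresses and ports are constructed for illustration; the connector is injectable so the reporting logic can be exercised without a live network.

```python
"""Segmentation check: run from an out-of-scope host, attempt TCP connections
to CDE addresses/ports, and treat every completed handshake as a failure of
the segmentation controls (added example; addresses below are hypothetical)."""
import socket
from typing import Callable, Iterable, List, Tuple

# A connector takes (host, port, timeout) and returns True if reachable.
Connector = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a full TCP handshake completes, i.e. the port is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered/timeout, unroutable: all count as "not reachable".
        return False


def segmentation_check(cde_hosts: Iterable[str], ports: Iterable[int],
                       connect: Connector = tcp_connect,
                       timeout: float = 2.0) -> List[Tuple[str, int]]:
    """Probe every (host, port) pair; return the pairs that were reachable."""
    reachable = []
    for host in cde_hosts:
        for port in ports:
            if connect(host, port, timeout):
                reachable.append((host, port))
    return reachable


def report(reachable: List[Tuple[str, int]]) -> str:
    """Render a PASS/FAIL verdict: any reachable CDE service is a failure."""
    if not reachable:
        return "PASS: no CDE service reachable from this out-of-scope segment"
    lines = ["FAIL: CDE services reachable from this out-of-scope segment:"]
    lines += [f"  {host}:{port}" for host, port in sorted(reachable)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical CDE hosts and a short list of commonly exposed services
    # (constructed for the example; replace with the real in-scope inventory).
    cde = ["10.10.20.10", "10.10.20.11"]
    probe_ports = [22, 443, 1433, 3306, 3389]
    print(report(segmentation_check(cde, probe_ports)))
```

Two caveats a tester should keep in mind: the check has to be repeated from every network segment that is claimed to be out of scope, not just one, and a TCP connect probe only covers TCP on the ports you list. UDP services, ICMP, and application-layer paths (a jump host or shared management tool that bridges the segments) need their own probes before the segmentation can be called effective.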
Conducting penetration tests provides a crucial final check that a system is secure in its finished state before it goes live, and can also be used in the early stages of developing new payment processing systems to identify risks to cardholder data while they are still cheap to fix.
Although Requirement 11 of the PCI DSS mandates regular testing of security systems and processes, Verizon’s 2017 PCI Compliance Report shows that security testing retains its traditional place at the bottom of the priority list, with only 71.9% of organisations achieving full compliance.
Payment card data is a prized commodity for cyber criminals and is usually the main target in attacks against commercial environments.