Friday, 8 February 2008

PCI requires more than an external scan...

Section 11.3 of the PCI-DSS states:

Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests

Meeting this requirement means testing the DMZ and the internal segments, and testing both ingress and egress paths. The typical external scan from an Internet vendor is not adequate and will not make you compliant!

