Comments on: PCI DSS 11.3: Penetration Testing Requirements Clarified http://www.pcidssguru.com/penetration-testing/pci-dss-113-penetration-testing-requirements-clarified/ Practical Implementation Guidance on the Payment Card Industry Data Security Standard Tue, 31 Jan 2012 16:19:53 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Joseph Pierini http://www.pcidssguru.com/penetration-testing/pci-dss-113-penetration-testing-requirements-clarified/comment-page-1/#comment-9700 Joseph Pierini Fri, 18 Nov 2011 19:06:57 +0000 http://www.pcidssguru.com/?p=4#comment-9700 Your definition of the scope is incorrect. The scope of penetration testing is the Cardholder Data Environment (CDE) and all systems and networks connected to it. The PCI Security Standards Council defines the CDE as “The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.” As recommended by the PCI Security Standards Council’s Information Supplement: Requirement 11.3 Penetration Testing dated April 2008, testing should include locations of cardholder data, key applications that store, process, or transmit cardholder data, key network connections, key access points and other targets appropriate for the complexity and size of the organization. Testing should not be performed inside the CDE. Your definition of the scope is incorrect.

The scope of penetration testing is the Cardholder Data Environment (CDE) and all systems and networks connected to it. The PCI Security Standards Council defines the CDE as “The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.”

As recommended by the PCI Security Standards Council’s Information Supplement: Requirement 11.3 Penetration Testing dated April 2008, testing should include locations of cardholder data, key applications that store, process, or transmit cardholder data, key network connections, key access points and other targets appropriate for the complexity and size of the organization.

Testing should not be performed inside the CDE.

]]> By: Information Secuity http://www.pcidssguru.com/penetration-testing/pci-dss-113-penetration-testing-requirements-clarified/comment-page-1/#comment-8904 Information Secuity Fri, 04 Nov 2011 06:33:02 +0000 http://www.pcidssguru.com/?p=4#comment-8904 India has called for global coordination to ensure that internet continues to thrive without the fear of its misuse at the London Internatinal Cyber Conference that give the nature of the task and the fact that IT networks can be attacked from anywhere in the world. India has called for global coordination to ensure that internet continues to thrive without the fear of its misuse at the London Internatinal Cyber Conference that give the nature of the task and the fact that IT networks can be attacked from anywhere in the world.

]]> By: Mohamed Farid http://www.pcidssguru.com/penetration-testing/pci-dss-113-penetration-testing-requirements-clarified/comment-page-1/#comment-328 Mohamed Farid Mon, 18 May 2009 17:45:57 +0000 http://www.pcidssguru.com/?p=4#comment-328 Regarding the external pen test - the pen tester will evaluate the Scope from the Internet or through any Public Connection ... What about the Internal Pen Testing - Will it be evaluated from the DMZ towards the Scope ( Live Production ) ? or internally from the Scope Directly ? My Concern is Evaluating it from inside is ignoring the Firewalls and the Access-lists around the scope - and also it will give a lot of false positives which are already protected using the boundary security products. Regarding the external pen test – the pen tester will evaluate the Scope from the Internet or through any Public Connection …

What about the Internal Pen Testing – Will it be evaluated from the DMZ towards the Scope ( Live Production ) ? or internally from the Scope Directly ?

My Concern is Evaluating it from inside is ignoring the Firewalls and the Access-lists around the scope – and also it will give a lot of false positives which are already protected using the boundary security products.

]]> By: Penetration Testing http://www.pcidssguru.com/penetration-testing/pci-dss-113-penetration-testing-requirements-clarified/comment-page-1/#comment-13 Penetration Testing Wed, 06 Aug 2008 19:26:35 +0000 http://www.pcidssguru.com/?p=4#comment-13 What are your thoughts on situations where Operational Security and other areas of Information Security have separate reporting lines - i.e. they may have separate line management but report into the same CSO or head of security? Would it still be feasible to have non-ops infosec conducting penetration testing in your opinion? What are your thoughts on situations where Operational Security and other areas of Information Security have separate reporting lines – i.e. they may have separate line management but report into the same CSO or head of security? Would it still be feasible to have non-ops infosec conducting penetration testing in your opinion?

]]>