Penetration Testing Guidance - PCI Security Standards


Standard: PCI Data Security Standard (PCI DSS)
Version: 1.0
Date: March 2015
Author: Penetration Test Guidance Special Interest Group, PCI Security Standards Council
Information Supplement: Penetration Testing Guidance

Information Supplement: Penetration Testing Guidance, March 2015

Table of Contents

1 Introduction ... 1
1.1 Objective ... 1
1.2 Intended Audience ... 1
1.3 Terminology ... 2
1.4 Navigating this Document ... 2
2 Penetration Testing Components ... 3
2.1 How does a penetration test differ from a vulnerability scan? ... 3
2.2 Scope ... 4
2.2.1 Critical Systems ... 5
2.3 Application-Layer and Network-Layer Testing ... 6
2.3.1 Authentication ... 6
2.3.2 PA-DSS Compliant Applications ... 6
2.3.3 Web Applications ... 6
2.3.4 Separate Testing Environment ... 7
2.4 Segmentation Checks ... 7
2.5 Social Engineering ... 7
2.6 What is considered a "significant change"? ... 8
3 Qualifications of a Penetration Tester ... 9
3.1 Certifications ... 9
3.2 Past Experience ... 9
4 Methodology ... 11
4.1 Pre-Engagement ... 11
4.1.1 Scoping ... 11
4.1.2 Documentation ... 11
4.1.3 Rules of Engagement ... 12
4.1.4 Third-Party-Hosted / Cloud Environments ... 12
4.1.5 Success Criteria ... 13
4.1.6 Review of Past Threats and Vulnerabilities ... 13
4.1.7 Avoid scan interference on security appliances ... 14
4.2 Engagement: Penetration Testing ... 14
4.2.1 Application Layer ... 15
4.2.2 Network Layer ... 15
4.2.3 Segmentation ... 15
4.2.4 What to do when cardholder data is encountered ... 16
4.2.5 Post-Exploitation ... 16
4.3 Post-Engagement ... 16
4.3.1 Remediation Best Practices ... 16
4.3.2 Retesting Identified Vulnerabilities ... 16
4.3.3 Cleaning up the Environment ... 17
4.4 Additional Resources ... 17
5 Reporting and Documentation ... 18
5.1 Identified Vulnerability Reporting ... 18
5.1.1 Assigning a Severity Score ... 18
5.1.2 Industry Standard References ... 19
5.2 Reporting Guidelines ... 19
5.2.1 Penetration Test Report Outline ... 19
5.2.2 Retesting Considerations and Report Outline ... 20
5.3 Evidence retention ... 21
5.3.1 What is considered evidence? ... 21
5.3.2 Retention ... 21
5.4 Penetration Test Report Evaluation Tool ... 22
6 Case Studies / Scoping Examples ... 24
6.1 E-commerce Penetration Test Case Study ... 24
6.2 Hosting Provider Penetration Test Case Study ... 27
6.3 Retail Merchant Penetration Test Case Study ... 32
Appendix A: Quick-Reference Table to Guidance on PCI DSS Penetration Testing Requirements ... 37
Acknowledgements ... 38
About the PCI Security Standards Council ... 40

The intent of this document is to provide supplemental information. Information provided here does not replace or supersede requirements in any PCI SSC Standard.

1 Introduction

1.1 Objective

The objective of this information supplement is to update and replace PCI SSC's original penetration testing information supplement titled "Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 Penetration Testing", published in 2008. This information supplement provides guidance in addition to what is in PCI DSS and is written as general penetration testing guidelines that are intended to extend into future versions of PCI DSS.

The guidance focuses on the following:

- Penetration Testing Components: Understanding of the different components that make up a penetration test and how this differs from a vulnerability scan, including scope, application- and network-layer testing, segmentation checks, and social engineering.
- Qualifications of a Penetration Tester: Determining the qualifications of a penetration tester, whether internal or external, through their past experience and certifications.
- Penetration Testing Methodologies: Detailed information related to the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement.
- Penetration Testing Reporting Guidelines: Guidance for developing a comprehensive penetration test report that includes the necessary information to document the test, as well as a checklist that can be used by the organization or the assessor to verify whether the necessary content is included.

The information in this document is intended as supplemental guidance and does not supersede, replace, or extend PCI DSS requirements. While all references made in this document are to PCI DSS version 3.0, the general principles and practices offered here may be applied to any version of PCI DSS.

1.2 Intended Audience

This guidance is intended for entities that are required to conduct a penetration test, whether they use an internal or external resource. In addition, this document is intended for companies that specialize in offering penetration test services, and for assessors who help scope penetration tests and review final test reports. The guidance is applicable to organizations of all sizes, budgets, and industries.

1.3 Terminology

The following terms are used throughout this document:

- Penetration tester, tester, or team: The individual(s) conducting the penetration test for the entity. They may be a resource internal or external to the entity.
- Application-layer testing: Testing that typically includes websites, web applications, thick clients, or other applications.
- Network-layer testing: Testing that typically includes external/internal testing of networks (LANs/VLANs), between interconnected systems, wireless networks, and social engineering.
- White-box testing: Testing performed with knowledge of the internal structure/design/implementation of the object being tested.
- Grey-box testing: Testing performed with partial knowledge of the internal structure/design/implementation of the object being tested.
- Black-box testing: Testing performed without prior knowledge of the internal structure/design/implementation of the object being tested.
- National Vulnerability Database (NVD): The U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).
- Common Vulnerability Scoring System (CVSS): Provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.

1.4 Navigating this Document

This document is organized to help the reader understand penetration testing in a holistic sense. It begins by providing background and definitions for topics common to all penetration test efforts (including scoping the test, critical systems to test, application- and network-layer test inclusions, etc.). The document then moves on to practical guidance on selecting a penetration tester, methodologies that are used before, during, and after a test, and guidelines for reporting and evaluating test results. The document concludes with case studies that attempt to illustrate the concepts presented in this supplement.

Appendix A provides a quick-reference table to specific sec

