A Penetration test goes further and deeper than a Vulnerability Assessment. A human tester will safely exploit security weaknesses in order to gain further access to your critical systems, therefore mimicking the actions of a potential attacker.
Review the options that are available to you to remove people, processes and technologies that do not need to be there. This will reduce the scope of your compliance program and mitigate risks.
Ensure any remaining controls are addressed appropriately and are fit for assessment. This will be completed with your Qualified Security Assessor (QSA) who can advise on the most practical way to achieve the controls needed.
Validate that applicable PCI DSS controls are in-place through review of documentation, interviews with key stakeholders and observations of processes, actions, states, system settings and configurations. Complete the reports for the bank and other business partners.
Small changes to payment platforms can have large impacts on PCI DSS compliance. Make a call and run your plans by a Qualified Security Assessor to make sure you aren’t going to have an unpleasant surprise waiting at your next PCI DSS assessment.
Vulnerabilities exist in operating systems, services and applications. They are created through application flaws, improper configurations and end-user behaviours. A penetration test can help to validate adherence to internal policies and the effectiveness of controls across any business infrastructure.
Risk to cardholder data is minimised through a programme of scope reduction by outsourcing responsibility for cardholder data functions to PCI DSS validated third party service providers. Remaining systems which impact the security of cardholder data can then be isolated and controlled which massively reduces the business risk to cardholder data and the ongoing cost of maintaining a PCI DSS compliance programme.
