Debate on the New Guidance from PCI Council – does it go far enough?
The PCI Security Standards Council has released brand new guidance to advise businesses how they should use penetration testing to identify network vulnerabilities that could be exploited for malicious activity.
However, a recent article has been published online by BankInfoSecurity.com (BIS) that appeared to flag up a difference of opinion as to the effectiveness of the new guidance.
Whilst one payments security expert said the guidance could help ensure ongoing compliance with the Payment Card Industry Data Security Standard and improve card security, another payments expert was quoted as saying that the guidance comes up short.
“Unfortunately, the PCI Council does not go far enough to require that penetration testing be a manual process, rather than allowing automated penetration-testing tools to be used,” says the payments expert, who asked not to be named.
With hundreds of thousands of potential vulnerabilities, the idea of a 100% manual penetration test is completely ludicrous. Perhaps that’s why the contributor to the BIS article kept anonymous. Instead, a blended approach is a must, combining automated tools and the manual common sense to drive them.
On the other hand, a 100% automated penetration test is a bad idea too – there’s no program out there that can review application, network and physical security altogether. Most automated tools need to be told by a human what to look for, and are pretty precise once they get going.
The risk with all penetration tests is that they can miss things out, and we’ve seen plenty of deficient reports in the 10 plus years that we have been reviewing them.
Customers come to us with very specific requirements, that are put into place by standards such as PCI DSS. If we turn around and tell them how to do a penetration test properly, they walk away and go elsewhere, as there’s always a cheaper, less experienced provider that will give them the “passing” result they need.
If anything, at least get your estate properly scoped out by a professional, before embarking down the costly route of the false negative pen test providers!
For more advice on the new PCI guidance, or to discuss your own PCI DSS project, please email Tim on firstname.lastname@example.org