PCI Compliance: Implementing Effective PCI Data Security Standards

Chapter 8: Vulnerability Management

Introduction

Before we dive deep into the Payment Card Industry (PCI) requirements related to vulnerability management, and find out what technical and non-technical safeguards are prescribed there, we need to address one underlying and confusing issue: defining some of the terms that the PCI Data Security Standard (DSS) documentation relies upon. These are:

  • Vulnerability assessment

  • Penetration testing

  • Testing of controls, limitations, and restrictions

  • Preventing vulnerabilities via secure coding practices

Defining vulnerability assessment is a little tricky, since the term has evolved over the years. For instance, Wikipedia (http://en.wikipedia.org/wiki/Vulnerability_assessment) defines it as the process of identifying and quantifying vulnerabilities in a system, which is a very broad definition. In the realm of information security, vulnerability assessment is usually understood to be a vulnerability scan of the network with a scanner, implemented as software, dedicated hardware, or a scanning service; the scanner probes hosts, identifies the services and versions it finds, and matches them against a catalogue of known weaknesses. This is the sense in which PCI DSS uses the term when it requires regular internal and external scans of the cardholder data environment. Sometimes using the term network vulnerability assessment adds more clarity to this. The terms network vulnerability scanning and network vulnerability testing are usually understood to mean the same thing.

Penetration testing is usually understood to mean an attempt to break into the network by a dedicated team. That team can use the scanning tools mentioned above, but it goes a step further than a scan: it tries to exploit the weaknesses it finds in order to demonstrate what an attacker could actually reach, rather than merely listing them. It may also use non-technical means such as dumpster diving (i.e., looking for confidential information in the trash) and social engineering (i.e., attempting to subvert authorized Information Technology (IT) users into giving out their access credentials and other confidential information). Sometimes penetration testers rely on other techniques and methods as well, such as custom-written attack tools.
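The two paragraphs above draw the line between a scan (enumerate services, match them against known weaknesses, score the result) and a penetration test (exploit what was found). The following Python script is an added example, not code from the book or from any PCI SSC program, that shows the scanning half in its simplest form. The host banners, the signature catalogue with its version patterns and CVSS scores, and the host addresses are all constructed for illustration; the only external fact used is the pass/fail rule of the PCI SSC ASV Program Guide (any finding with a CVSS base score of 4.0 or higher makes an external scan non-compliant), which this page does not itself state.

```python
import re
from dataclasses import dataclass

# Constructed sample of what a scanner learns by probing hosts in scope
# (service banners per host and port). A real scanner gathers this over the
# network; it is embedded here so the example runs offline.
SCAN_RESULTS = [
    ("10.10.1.5", 22, "SSH-2.0-OpenSSH_7.4"),
    ("10.10.1.5", 443, "Apache/2.4.49 (Unix)"),
    ("10.10.1.7", 21, "220 ProFTPD 1.3.5 Server"),
    ("10.10.1.7", 80, "nginx/1.24.0"),
    ("10.10.1.9", 3306, "5.5.5-10.6.12-MariaDB"),
]


@dataclass(frozen=True)
class Signature:
    """One entry of a scanner's vulnerability catalogue (constructed)."""
    name: str
    product_re: str     # regex over the banner; group 1 captures the version
    vulnerable_re: str  # regex the captured version must match to be a hit
    cvss: float         # CVSS base score the scanner assigns to the finding


# Constructed catalogue: products, version patterns and scores are illustrative.
CATALOGUE = [
    Signature("Apache httpd vulnerable version", r"Apache/([\d.]+)", r"^2\.4\.49$", 7.5),
    Signature("ProFTPD vulnerable version", r"ProFTPD ([\d.]+)", r"^1\.3\.5$", 10.0),
    Signature("OpenSSH outdated version", r"OpenSSH_([\d.]+)", r"^7\.[0-5]$", 5.3),
]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    banner: str
    name: str
    cvss: float


def scan(results, catalogue):
    """Match each observed banner against the catalogue; one Finding per hit."""
    findings = []
    for host, port, banner in results:
        for sig in catalogue:
            m = re.search(sig.product_re, banner)
            if m and re.match(sig.vulnerable_re, m.group(1)):
                findings.append(Finding(host, port, banner, sig.name, sig.cvss))
    return findings


def worst_by_host(findings):
    """Highest CVSS score seen on each host (hosts without findings are absent)."""
    worst = {}
    for f in findings:
        worst[f.host] = max(worst.get(f.host, 0.0), f.cvss)
    return worst


# Assumption taken from the PCI SSC ASV Program Guide, not from this page:
# an external scan is non-compliant if any finding scores CVSS 4.0 or higher.
PCI_FAIL_THRESHOLD = 4.0


def pci_scan_passes(findings, threshold=PCI_FAIL_THRESHOLD):
    """True only if no finding reaches the failing threshold."""
    return all(f.cvss < threshold for f in findings)


if __name__ == "__main__":
    found = scan(SCAN_RESULTS, CATALOGUE)
    for f in found:
        print(f"{f.host}:{f.port}  CVSS {f.cvss:>4}  {f.name}  ({f.banner})")
    print("worst per host:", worst_by_host(found))
    print("PCI scan passes:", pci_scan_passes(found))
```

Note what the scan cannot tell you: a banner such as "Apache/2.4.49" is reported as vulnerable whether or not the distribution has backported a fix, and a service that hides or lies about its version is missed entirely. Scan output is therefore a list of unverified suspicions ranked by score, which is exactly the gap a penetration test closes by attempting the exploit.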

Testing...
