Penetration Testing of PCI Compliance


    Penetration Testing of PCI Compliance

    One of the questions on the PCI compliance checklist involves penetration testing. Is this something I need to worry about, or does our hosting with MIVA preclude its necessity? Here's the blurb from Trustwave, which monitors our compliance:

    "If your business does not have the technical expertise to perform penetration tests (most do not), you should engage a third-party security company. Penetration testing involves having individuals attempt to break into your business data the same way a criminal might. This testing:
    - should cover security from both the outside (what a hacker would encounter) and the inside (what a corrupt employee would encounter)
    - should be performed yearly and after significant updates to your infrastructure (such as an upgrade to your firewall or payment application)
    - should include networks, operating systems, and payment applications, and
    - should include a process for fixing and retesting any vulnerabilities."

    Thanks!

    Korey
    Korey McWilliams
    Project Director
    _____________________________
    korey usbones dot com
    http://usbones.com

    #2
    Re: Penetration Testing of PCI Compliance

    We will ultimately be offering a PCI certified hosting environment for customers who elect to make use of it; customers in that environment would not need to go through any PCI scanning or be forced to use third parties like Trustwave to satisfy their merchant account providers. That of course probably sounds like an easy route to not dealing with PCI, and it will be; however, you might be surprised at some of the restrictions we're going to be forced to impose on customers in that environment, so it will be elective for those who want to make use of it, and we'll have a list of differences.

    In any case, for the time being, if you fall under a PCI SAQ level that requires quarterly scans, the safest option would currently be to have a third party perform the scans, ideally one who is an approved scanning vendor: https://www.pcisecuritystandards.org...ng_vendors.php
    David Hubbard
    CIO
    Miva
    http://www.miva.com



      #3
      Re: Penetration Testing of PCI Compliance

      Thanks David.
      Korey McWilliams
      Project Director
      _____________________________
      korey usbones dot com
      http://usbones.com
