PCI DSS stands for Payment Card Industry Data Security Standard. The standard (Requirement 11.3 in PCI DSS v3.x, 11.4 in v4.0) requires regular penetration testing, which it describes as an attempt to identify and exploit vulnerabilities in systems in order to determine whether unauthorized access or other malicious activity is possible. This is vital to safeguarding the cardholder data your business handles.
So, what do penetration tests involve? Testing is done against the infrastructure (network layer) and against applications, and it also covers the processes and controls that surround those networks and applications. PCI DSS expects both external and internal testing, at least annually and after any significant change to the environment, and it requires that any segmentation controls used to isolate the cardholder data environment be tested as well. It is important to have these tests performed correctly; otherwise you are leaving the financial data of your customers, and of everyone else involved with your business, exposed.
You will need a qualified individual or team to carry out these tests: either a qualified internal resource or a qualified external third party. Below are some things to consider when looking for a tester who will perform the tests correctly.
• How experienced are the tester and the organization they work for? Look for relevant, industry-specific experience, and in particular prior experience testing cardholder data environments.
• How familiar is the tester with the systems and technologies your company uses? For example, if your company uses NoSQL databases, does the tester know how those databases are typically misconfigured and attacked (unauthenticated access to the database service, NoSQL injection in the application that queries it), rather than only how to run a generic scanner against them?
• Ask for references. Find companies that have had work performed by this tester and ask them how the engagement went, how clear and actionable the report was, and whether the findings were accurate. Learn as much as you can before you commit.
• Check the tester's methodology. You should know how the tester intends to scope, perform and report the tests before you sign a contract. PCI DSS expects an industry-accepted approach (it cites NIST SP 800-115 as an example), and the methodology should be documented, so ask for it in writing and confirm it covers the network layer, the application layer and segmentation testing.
• Check the tester's certifications (for example OSCP, GPEN or CREST). Certifications are evidence of baseline knowledge and help you make a more confident decision, but they are not a substitute for demonstrated experience and a sound methodology.
• Meet the tester in person. Have them come in for an interview with your company's Qualified Security Assessor (QSA), who will be reviewing the test results against the standard. This should give you a solid idea of how the tester works and communicates.
• Review actual penetration test reports the tester has produced. Client reports are confidential, so expect a redacted or sanitized sample rather than a full report, but a tester who is unwilling to show any previous documentation at all is a warning sign. Check whether the scope and depth of the tester's previous work match what your company needs.
Consider A Third-Party Tester
It is possible that your company could do just fine with an internal resource performing the penetration tests. However, we recommend going to a third party for your testing.
Using an internal resource can lead to penetration tests that are not up to par with industry standards, because that person probably has other duties besides penetration testing. A third party that specializes solely in penetration testing is usually the better choice.
What if your company has a full-time penetration tester? In that case, using the internal resource is fine, provided they are organizationally independent of the systems being tested: PCI DSS requires that the tester not be the person who built or operates the target environment (they do not, however, need to be a QSA or an Approved Scanning Vendor). But if your internal tester only does this work part time, find a third-party organization that specializes in penetration testing.