According to the PCI Standards the goals of penetration testing are:
1.To determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamentalsecurity of the system, files, logs and/or cardholder data.
2.To confirm that the applicable controls required by PCI DSS—such as scope, vulnerability management,methodology, and segmentation—are in place. There are three types of penetration tests:
black-box, white-box, and grey-box.
- In a black-box assessment, the client provides no information prior to the start of testing.
- In a white-box assessment, the entity may provide the penetration tester with full and complete details of the network and applications.
- For grey-box assessments, the entity may provide partial details of the target systems.
In line with PCI DSS our penetration tests are typically performed as either white-box or grey-box assessments. These types of assessments yield more accurate results and provide a more comprehensive test of the security posture of the environment than a pure black-box assessment. Performing a black-box assessment, when the entity provides no details of the target systems prior to the start of the test, may require more time, money, and resources for the deliverables to meet the requirements of PCI DSS.
How does a penetration test differ from a vulnerability scan?
The differences between penetration testing and vulnerability scanning, as required by PCI DSS, can be summarized as follo ws: