Society of Payment Security Professionals Forum  
#11 | 11-25-2009, 11:33 PM | Justy

Thanks guys, the replies have been very helpful.

jbhall56, I agree with what you have said, but it's hard convincing the customer. Nonetheless, I will explain it to them.
#12 | 11-26-2009, 01:19 AM | ThomasJackson

Jeff,

Re testing quarterly: correct me if I am wrong, but I read the standard to say external and internal vulnerability assessment quarterly (11.2);

External and internal penetration testing once per annum (11.3);

Was it a mistake in your post that all testing is required quarterly?

thanks
tj

Quote: Originally Posted by jbhall56
Correct. You need to implement the application per the vendor's implementation guide.

Caveat: some vendors' implementation guides are not necessarily clear as to those steps that are required to maintain PABP/PA-DSS compliance. For that matter, they may not even have steps identified for maintaining compliance, or even provide such instructions. I'm not sure how they got away with this since it has always been a requirement, but some have. So, just because you have implemented the application per the vendor's instructions, it may not necessarily be compliant.

Once an application is implemented, it needs to be vulnerability and penetration tested, PABP/PA-DSS compliant or not. And that testing needs to be conducted at least quarterly, regardless of whether the application is external facing or only internal facing.

Vulnerability and penetration testing when the application is not browser-based may seem a waste of time, but it is still required. The reason is that the server the application executes on may have vulnerabilities that could be leveraged to gain access to the application or the application's data stream.

If the application is storing cardholder data, the encryption keys need to be changed annually, or if you believe the keys have been compromised.
Jeff,
#13 | 11-26-2009, 05:59 AM | jbhall56 (Senior Member, Minneapolis, MN)

Sorry for the confusion. The sentence ran together, implying quarterly for everything.

At a minimum, you need to conduct external and internal vulnerability tests quarterly. If you make any changes, you then need to conduct the vulnerability testing again.

Penetration testing is the same except for the timing. Annual external and internal penetration tests need to be conducted. If you make any changes, the penetration testing needs to be performed again.

Hope that clears things up.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
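The cadence described in the two posts above (quarterly vulnerability scans, annual penetration tests, and a retest after any change) lends itself to a simple schedule check. The following is an added example written for this page, not code from the forum, from Jeff Hall, or from any PCI SSC tool. Its interpretation of the wording is an assumption: "quarterly" is modelled as no more than 91 days between tests, "annual" as no more than 365 days, and any in-scope change dated after the last test is treated as requiring a retest. All dates are constructed sample data.

```python
"""Schedule checker for quarterly scans, annual pen tests and change-driven retests.

Added example for this thread; the 91-day and 365-day limits are assumptions
about how "quarterly" and "annual" are interpreted, and the dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

QUARTERLY = timedelta(days=91)   # assumption: maximum gap for a quarterly control
ANNUAL = timedelta(days=365)     # assumption: maximum gap for an annual control


@dataclass
class Control:
    name: str
    max_gap: timedelta
    performed: list              # dates the test was completed, in any order
    retest_on_change: bool = True


def issues_for(control: Control, changes: list, today: date) -> list:
    """Return findings for one control; an empty list means it is on schedule."""
    dates = sorted(control.performed)
    if not dates:
        return [f"{control.name}: never performed"]
    found = []
    # A cycle skipped earlier in the history is still a finding (e.g. a missed quarter).
    for earlier, later in zip(dates, dates[1:]):
        if later - earlier > control.max_gap:
            found.append(f"{control.name}: gap of {(later - earlier).days} days "
                         f"between {earlier} and {later} exceeds {control.max_gap.days}")
    last = dates[-1]
    # Is the most recent test older than the allowed interval?
    if today - last > control.max_gap:
        found.append(f"{control.name}: overdue, last performed {last} "
                     f"({(today - last).days} days ago)")
    # Any in-scope change after the last test means the test must be repeated.
    if control.retest_on_change:
        pending = [c for c in changes if c > last]
        if pending:
            found.append(f"{control.name}: {len(pending)} change(s) since {last}, "
                         f"retest required")
    return found


def evaluate(controls: list, changes: list, today: date) -> dict:
    """Map each control name to its list of findings."""
    return {c.name: issues_for(c, changes, today) for c in controls}


# Constructed sample history for one environment.
TODAY = date(2009, 11, 26)
CHANGES = [date(2009, 11, 10)]   # e.g. a patch or configuration change to an in-scope server
CONTROLS = [
    Control("external vulnerability scan", QUARTERLY,
            [date(2009, 2, 10), date(2009, 5, 5), date(2009, 8, 1), date(2009, 10, 28)]),
    Control("internal vulnerability scan", QUARTERLY,
            [date(2009, 3, 1), date(2009, 9, 15)]),          # one quarter was skipped
    Control("external penetration test", ANNUAL,
            [date(2008, 10, 15)]),                            # more than a year ago
]

if __name__ == "__main__":
    for name, problems in evaluate(CONTROLS, CHANGES, TODAY).items():
        print(f"[{'OK' if not problems else 'ACTION'}] {name}")
        for p in problems:
            print("   -", p)
```

With the sample data, the external scan is current but needs a retest because of the November change, the internal scan shows both a skipped quarter and a pending retest, and the penetration test is overdue as well as needing a retest. The same structure can carry other annual controls from the thread, such as key rotation, by adding a `Control` with `ANNUAL` and `retest_on_change=False`.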
Copyright (c) The Aegenis Group, Inc.