One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8446939
Publication date 2024-02-05 11:00:00 (viewed: 2024-02-05 15:07:30)
Title PCI DSS and penetration testing
Text PCI DSS (Payment Card Industry Data Security Standard) is a set of security controls created to ensure that all companies that accept, process, store or transmit credit card data maintain an audit-ready environment. Version 4.0 was published in March 2022; organizations required to be compliant have until March 31, 2024, by which date compliance must be complete. The most noteworthy upgrades to Requirement 11 in PCI DSS version 4.0 that apply to all organizations are that vulnerability scans must be conducted via authenticated scanning, and that all applicable vulnerabilities must be managed. This prevents organizations from overlooking vulnerabilities or remediating selectively.

The PCI DSS requires penetration testing (pen testing) and vulnerability scanning as part of its requirements for compliance, to keep systems secure and to protect payment cardholder data. Pen testing must take place for any organization or entity that stores, processes, or transmits cardholder data in any capacity. Payment card service providers must conduct PCI pen tests twice annually and vulnerability scans four times annually, in addition to performing additional assessments whenever significant modifications to systems occur. Specifically, organizations that process cardholder information via web applications may need additional tests and scans whenever significant system modifications take place. PCI pen tests are security assessments that must be conducted at least twice annually and after any significant change, to address vulnerabilities across all aspects of the cardholder data environment (CDE): networks, infrastructure, and applications, both inside and outside an organization's environment.
By contrast, vulnerability scans are high-level tests that automatically search for vulnerabilities with severe scores; external IP addresses exposed within the CDE must also be scanned by an approved scanning vendor (ASV) at least every three months and after any significant change, with the results reported accordingly. PCI DSS sets forth specific guidelines and requirements for companies that are required to run regular PCI pen tests and vulnerability scans. System components, including custom software and processes, must be regularly evaluated to keep cardholder data protected over time, particularly after changes are introduced into the system. Service providers must conduct PCI pen tests every six months, or whenever significant modifications to their systems take place, or whenever any major upgrades or updates take place. Significant changes that would necessitate further pen tests include any addition or change to hardware, software, or networking equipment; upgrading or replacing current equipment; storage or flow changes that affect how cardholder data flows or is stored; chang
Sent Yes
Tags Vulnerability Threat
Stories
Notes ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.