PCI PENETRATION TESTING SUMMARY

Clear Skies' Penetration Testing (Pen Test) methodology is fully compliant with the PCI standards and will help our customers meet their assessment objectives as described in Requirement 11.3 of the PCI Data Security Standard (DSS).

PCI Penetration Test Requirements

  • PCI DSS 11.3 requires a pen test regardless of company size/level
  • Annual pen testing is in addition to the quarterly ASV scans
  • Pen tests must be conducted annually or after any significant change to the network or applications
  • Pen tests must include both internal and external testing, and must utilize manual testing techniques
  • Testing methodology should follow industry standards

Clear Skies Service Summary

  • Based on industry-accepted standards, including NIST and OSSTMM
  • Scope includes both internal and external testing as required by PCI
  • Testing incorporates full manual testing techniques and does not rely on automated tools
  • Includes full exploitation testing
  • Incorporates network segmentation testing to validate scope reduction controls (new effective June 2015)
  • Authenticated web application testing that meets or exceeds the PCI DSS 6.5 requirements, including injection testing and cross-site scripting tests
  • Documentation provides a full risk analysis, remediation recommendations, and estimated timeframes
  • Retesting is included at no additional charge