Introduction
1.1 Objective
This information supplement provides general guidance and guidelines for penetration testing. The guidance focuses on the following:
- Penetration Testing Components: Understanding of the different components that make up a penetration test and how this differs from a vulnerability scan, including scope, application- and network-layer testing, segmentation checks, and social engineering.
- Qualifications of a Penetration Tester: Determining the qualifications of a penetration tester, whether internal or external, through their past experience and certifications.
- Penetration Testing Methodologies: Detailed information related to the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement.
- Penetration Testing Reporting Guidelines: Guidance for developing a comprehensive penetration test report that includes the necessary information to document the test as well as a checklist that can be used by the organization or the assessor to verify whether the necessary content is included.
The information in this document is intended as supplemental guidance and does not supersede, replace, or extend PCI DSS requirements. The current version of PCI DSS at the time of publication is v3.2; however, the general principles and practices offered here may also be applicable to other versions of PCI DSS.