Australian Companies will Need to Conduct Pen Testing Regularly

The credit card data tests must also be conducted in an auditable way to verify compliance.

As the approaching deadline for PCI Data Security Standard (DSS) 3.0 compliance forces Australian companies to implement methods of regularly pen-testing the systems they use to handle credit card data, Australian providers of penetration-testing services are likely to see increased demand next year. The PCI Security Standards Council tightened requirements to “address requests for more details for penetration tests, and for more stringent scoping verification” in an auditable way.

“The updated standards will help organizations not by making the requirements more prescriptive, but by adding more flexibility and guidance for integrating card security into their business-as-usual activities,” the council said in a statement. “At the same time, the changes will provide increased stringency for validating that these controls have been implemented properly, with more rigorous and specific testing procedures that clarify the level of validation the assessor is expected to perform.”

The new standards require pen-testing work every time an internal software upgrade introduces significant changes in a company's data infrastructure. “I always ask clients whether any change could potentially impact on the security of the application or the data that’s behind the application,” said chief operating officer of consulting firm Pure Hacking, David Muscat. “If you’re going to upgrade software or make rule or policy changes, or anything of that nature, that would imply a potential security impact. We’re finding clients tend to err on the side of caution more than anything else, taking a good approach and doing it on a just-in-case sort of basis.”

Muscat expects more clarity around the extent and type of pen testing. “This means the people to whom PCI DSS applies can’t just get someone internal to do a pen test because they were semi-qualified. They need to have something a bit more elaborate in place, and have a methodology through which the pen testing is conducted,” he clarified. “I wouldn’t say that there’s a set formal standard for pen-testing, but as far as PCI DSS is concerned, the methodology should be addressing all the current threats – and be adaptable to new threats and techniques as they emerge as well.”

Ambersail is an experienced Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). Operating in many parts of the world, we work with banks, retailers, software vendors, manufacturers and government bodies.

Distributed by Iterate LLC

Media Contact
Contact Person: Benjamin Wrights
Phone: 4157669098
City: San Francisco
State: CA
Country: United States