One of the questions on the PCI compliance checklist involves penetration testing. Is this something I need to worry about, or does our hosting with MIVA preclude its necessity? Here's the blurb from Trustwave, which monitors our compliance:
"If your business does not have the technical expertise to perform penetration tests (most do not), you should engage a third-party security company. Penetration testing involves having individuals attempt to break in to your business data the same way a criminal might. This testing:
- should cover security from both the outside (what a hacker would encounter) and the inside (what a corrupt employee would encounter)
- should be performed yearly and after significant updates to your infrastructure (such as an upgrade to your firewall or payment application)
- should include networks, operating systems, and payment applications, and
- should include a process for fixing and retesting any vulnerabilities."
Thanks!
Korey