PCI Penetration Testing Vs PCI Scanning

Is penetration testing the same thing as a PCI scan?

The short answer is “no”. But imagine this scenario. Your big new prospect says that they want to see the results of your latest penetration test. You think, “No problem! I’ve got this covered,” and you send over your latest quarterly PCI scan results figuring that you’re all set. After all, one of your colleagues even called your latest PCI scan a “penetration scan”. Unfortunately, the prospect tells you, “No way… This isn’t going to cut it.”

To be clear, unless you are dealing with a very uninformed prospect or an extremely lax customer, quarterly external PCI scans will be unacceptable as evidence of penetration testing. Each type of test is a separate PCI requirement and involves different methodologies and deliverables.

So, what do they have in common?

Penetration testing (or pen-testing) and PCI scanning both involve looking for vulnerabilities. In fact, many PCI penetration tests start with a PCI scan to look for “low hanging fruit” and gather information about the target of the full pen-test. However, that’s where the broad similarities end.

At this time, a comprehensive penetration test cannot be entirely performed by automated scanners. Scanners are useful, but a real human needs to be involved. In a penetration test, a human will endeavor to take any discovered vulnerabilities and demonstrate exploitation. A human can look at a target and think, “what would a hacker do here?” That approach may involve gathering data from the Internet, like employee names to use in login attacks. The pen-tester will likely scour his resources for techniques to demonstrate proof-of-concept attacks for the final report. An advanced human approach could even involve crafting custom exploits instead of relying on published hacks.

In the end, a penetration test will take considerably more time than a PCI scan, perhaps even weeks, and will involve significantly more human effort. With this in mind, don’t be surprised that pen-tests are costlier than PCI scans. However, penetration testing is a highly useful technique to see what a real-world bad guy could accomplish against your environment. As a PCI requirement for many merchants, it makes sense to see ask our experts how we can perform your PCI penetration test at a lower cost than the other major vendors.