
Penetration Testing
The purpose of penetration testing is to footprint, enumerate and potentially exploit vulnerabilities in web application(s) and network infrastructure using automated tools and manual mechanisms, above and beyond what simple automated scanning tools can achieve.
PCI Application and Network Layer Penetration Testing
Network and application penetration tests are different from vulnerability scans in that penetration tests are more focused. Rather than providing a laundry list of potential vulnerabilities, the PSC Penetration Tests simulate the attacks of a determined attacker.
The objectives of these tests are to obtain command and control of the target systems or to extract the sensitive data those systems are intended to protect. PSC evaluates the protection of Client information technology assets (i.e., data, systems, and processes), with a special emphasis on the effectiveness of logical access and system software controls as they relate to PCI DSS.
PSC tests to determine that:
- Unauthorized access to cardholder data cannot be achieved
- Unauthorized access to source code cannot be achieved
- Guests cannot obtain unauthorized access to the corporate network
- No cardholder data exists on any system outside of the cardholder environment
While performing all tests, it is PSC’s goal to go beyond PCI and provide value to the Client’s security initiatives by identifying opportunities to increase due diligence in areas such as brand integrity, physical security, intellectual property and fraud.
It is important to note that the only procedures required for compliance with PCI DSS Requirement 11.3 are the application layer and network layer assessments.
PCI Web Application Security Testing
The goal of Web Application Security Testing is to provide a thorough review of web-based software applications or web services for any security defects that may exist within the software and could lead to a breach or compromise.
Process
The test will examine communications between the client (browser) and the server to first understand how the application was designed. With this information, PSC will analyze the design for components of the application that will be targeted during the testing. Targets will be tested for their resilience to unexpected or malicious input, boundary cases, and the ability to recover when the application has reached an unexpected state.
In order to provide thorough coverage, PSC will utilize both automated and manual tests that will be customized for the specific application subject to testing. Internet-facing applications can be tested remotely from PSC’s Security Lab. Applications that are not available to the general public will be tested onsite by the assessor.
The testing is based on guidance from the Open Web Application Security Project (OWASP) and is supplemented by information from various industry sources such as whitepapers and conference presentations. Our assessors stay abreast of new developments in the web application security field in order to ensure that the tests meet the highest standards.
Follow-Up
Once the results of the testing have been presented to the Client, PSC will be available to offer assistance to your development and security teams in order to find appropriate solutions for any security defects that may have been discovered during the testing. PSC understands that solutions need to be practical and compatible with the Client’s business needs while still maintaining a high level of security.
PSC will also be available to test the solutions that have been implemented in order to ensure that they effectively remediate any security issues and do not expose the application to any additional risk.
PCI DSS
PCI DSS Requirement 6.6 is intended to address common threats to cardholder data and ensure that web applications are included within the security assessment.
Wireless (Wi-Fi) Vulnerabilities
The objective in this test is to achieve penetration of any wireless access points and technology in use. This includes a search for and evaluation of both rogue and authorized access points.
Carrier and PBX Vulnerabilities
The objective in this test is to scan agreed-upon phone number range(s) for potential incoming dial-in or PBX access (referred to as war dialing).
Social Engineering Vulnerabilities
Utilizing social engineering procedures, the objective is to test the human factor components of a specific security condition. These tests require identification of a specific target or target system that could be compromised if an authorized employee knowingly or unknowingly granted access to the intruder.
Please contact us for more information