PCI pentest requirement 11.3.x - client tells YOU the methodology?

    This was interesting to me - I was not aware that when it comes to PCI pentesting, the clients should really tell us (the assessors) the methodology for how to perform a pentest in their environment. I've never been offered that - have any of you?

    For some background, here are the 11.3.x requirements:

    [image: the PCI DSS 11.3.x requirements]

    And if you check out this video from Kirkpatrick Price it says that basically the requirement makes the client have a pentest, and that it should:
    • Identify "real world" weaknesses
    • Follow a documented methodology - and if you outsource it to a consultant, you (the client) should say "Ok 7MS, when you're doing our pentest, this is what we expect, and this is what we consider a successful test."
    • And then, only after getting that information, should we as consultants create the SOW.

    In my experience, the client says to the assessor, "Well hey, I just use Company X's methodology." Sounds like that's backwards thinking?
    Brian Johnson
    7 Minute Security
    Podcaster | Security Consultant

  • #2
    FYI I talk specifically about this issue in episode #410 of the podcast (https://7ms.us/7ms-410-pci-professio...n-pcip-part-2/). I got some more clarity on this issue from a friend of mine who's a PCIP, and I share his insight on the episode as well.
    Brian Johnson
    7 Minute Security
    Podcaster | Security Consultant

    • #3
      What do you use to test network segmentation between a PCI network and another connected network?

      • #4
        PEBCAK, nmap has served me just fine, and I've also really liked the egresscheck-framework (https://github.com/stufus/egresscheck-framework). I've got a short write-up of my command syntax here: https://bpatty.rocks/command_line/linux/network/.
        Brian Johnson
        7 Minute Security
        Podcaster | Security Consultant
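        An added example (not code from this thread, from nmap, or from egresscheck-framework) of turning an nmap scan into a pass/fail segmentation check: it parses nmap's `-oX` XML from a scan launched on an out-of-scope segment against CDE addresses and flags every port that answered at all, since a properly segmented host should show only filtered (no-response) ports. The XML sample, the 192.0.2.x addresses and the scan arguments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for a SYN scan launched from an
# out-of-scope segment against two CDE hosts. Addresses are RFC 5737 test
# values, not a real environment; the scan arguments are illustrative.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -Pn -p 22,443,1433 -oX seg.xml 192.0.2.0/30">
  <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="1433"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="1433"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>
"""


def segmentation_findings(nmap_xml):
    """Return (address, port, state) for every probed port that answered.

    Seen from an out-of-scope segment, a correctly segmented CDE host should
    show every probed port as 'filtered' (no response). 'open' means the
    service is reachable across the boundary; 'closed' means the host itself
    replied (RST), so the control is not blocking the traffic even though
    nothing listens there. Both are findings for a segmentation test.
    """
    root = ET.fromstring(nmap_xml)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state != "filtered":
                findings.append((addr, int(port.get("portid")), state))
    return findings


def segmentation_holds(nmap_xml):
    """True only when no CDE host answered any probe from the out-of-scope side."""
    return not segmentation_findings(nmap_xml)
```

Run the same check from every out-of-scope segment that is supposed to be isolated, with the port list matched to what the scan actually probed; a clean result only covers the ports and protocols you scanned.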
