
Penetration vs Vulnerability Testing

Every time you turn around, it seems there is another high-profile data breach in the news that involves the compromise of cardholder data. The Target data breach alone may have compromised the data of more than half of all adult Americans. It has never been more important to focus on being compliant with the Payment Card Industry Data Security Standard (PCI DSS). If a retailer is not compliant, they may face fines and even the suspension of their ability to accept credit and debit cards. For many businesses, a suspension of card acceptance would cripple sales operations or shut down sales entirely.

There is often considerable confusion about the differences between the required Vulnerability testing and the required Penetration testing. This confusion is understandable because the goals of the two types of testing are similar. Both identify weaknesses in your network security, and both can be conducted by third parties that provide a variety of services.

However, Vulnerability testing simply identifies weaknesses that a hacker might be able to exploit. Penetration testing finds weaknesses by having a “white hat” hacker actually exploit them. While Vulnerability testing can be fully automated based on standard methodologies, Penetration testing requires considerable customization for the target and is therefore more expensive.

If you are considering website scanning services that are fully automated, such as Hackerguardian PCI Compliance and Webinspector, these come under the category of Vulnerability scanning. If you need Penetration testing, you will need to contact specialists such as Comodo Dragon Labs.

Penetration vs Vulnerability Testing

The following is a side-by-side comparison of Vulnerability and Penetration testing. Each item lists the Vulnerability testing requirement first and the Penetration testing requirement second.

PCI DSS Requirement
    Vulnerability Testing: 11.2
    Penetration Testing: 11.3

Goal
    Vulnerability Testing: Identify weaknesses on your network that could be exploited by internal and external attackers.
    Penetration Testing: Determine if unauthorized external access to key systems and files can be achieved.

Required Resolution
    Vulnerability Testing: Rescan as needed, until all “high-risk” vulnerabilities are fixed.
    Penetration Testing: Retest as needed until no vulnerable access points are found.

Who performs?
    Vulnerability Testing: For internal scans, a qualified internal resource or a qualified third party. For external scans, an Approved Scanning Vendor (approved by the PCI SSC).
    Penetration Testing: A qualified internal resource or a qualified third party.

Automation
    Vulnerability Testing: Can be fully automated, because it is based on standard methodologies.
    Penetration Testing: Cannot be fully automated, because it requires customization for the target environment and requirements.

Documentation Requirements
    Vulnerability Testing: Documented scope. Documented risk-ranking process.
    Penetration Testing: Results should be retained.

Scope
    Vulnerability Testing: Focus is on the segmentation controls outside of the Cardholder Data Environment (CDE), both from outside the entity’s network and from inside, to confirm that they are not able to get through the segmentation controls to access the CDE.
    Penetration Testing: Cardholder data environment and, unless sufficiently isolated, all systems and networks connected to it.

Frequency
    Vulnerability Testing: Quarterly and after any significant change in the network.
    Penetration Testing: Run internal and external tests annually and after significant infrastructure and application upgrades.

Components
    Vulnerability Testing: Servers, routers, switches, workstations, databases, virtual machines or web applications.
    Penetration Testing: Social engineering and the exploitation of exposed vulnerabilities, access controls on key systems and files, web-facing applications, custom applications, and wireless connections.

Methodology
    Vulnerability Testing: Must conform to standard practices.
    Penetration Testing: Must be customized for the target systems and environment.