Penetration vs Vulnerability Testing

Every time you turn around, it seems there is another high-profile data breach in the news that involves the compromise of cardholder data. The Target data breach alone may have compromised the data of more than half of all adult Americans. It has never been more important to focus on being compliant with the Payment Card Industry Data Security Standard (PCI DSS). If a retailer is not compliant, it may face fines and even the suspension of its ability to accept credit and debit cards. For many businesses, a suspension of accepting cards would cripple sales operations or shut sales down entirely.

There is often considerable confusion about the differences between the required Vulnerability testing and the required Penetration testing. This confusion is understandable because the goals of the two types of testing are similar. They both identify weaknesses in your network security and can be conducted by third parties that provide a variety of services.

However, Vulnerability testing simply identifies weaknesses that a hacker might be able to exploit. Penetration testing finds weaknesses by having a “white hat” hacker actually exploit them. While Vulnerability testing can be fully automated based on standard methodologies, Penetration testing requires considerable customization for the target and is therefore more expensive.

If you are considering web site scanning services that are fully automated, such as Hackerguardian PCI Compliance and Webinspector, these come under the category of Vulnerability scanning. If you are in need of Penetration testing, you need to contact specialists such as Comodo Dragon Labs.

The following is a side-by-side comparison of Vulnerability and Penetration testing.

| Item | Vulnerability Testing | Penetration Testing |
| --- | --- | --- |
| PCI DSS Requirements | 11.2 | 11.3 |
| Goal | Identify weaknesses on your network that could be exploited by attackers internal and external. | Determine if unauthorized external access to key systems and files can be achieved. |
| Required Resolution | Rescan as needed, until all “high-risk” vulnerabilities are fixed. | Retest as needed until no vulnerable access points are found. |
| Who performs? | For internal scans: Qualified internal resource or a qualified third party. For external scans: An Approved Scanning Vendor (approved by PCI SSC). | Qualified internal resource or a qualified third party. |
| Automation | Can be fully automated because they are based on standard methodologies. | Cannot be fully automated because they require customization for target environment and requirements. |
| Documentation Requirements | Documented Scope. Document Risk Ranking process. | Results should be retained. |
| Scope | Focus is on the segmentation controls outside of the Cardholder Data Environment (CDE), both from outside the entity’s network and from inside to confirm that they are not able to get through the segmentation controls to access the CDE. | Cardholder data environment and, unless sufficiently isolated, all systems and networks connected to it. |
| Frequency | Quarterly and after any significant change in the network. | Run internal and external tests annually and after significant infrastructure and application upgrades. |
| Components | Servers, routers, switches, workstations, databases, virtual machines or web applications. | Social engineering and the exploitation of exposed vulnerabilities, access controls on key systems and files, web-facing applications, custom applications, and wireless connections. |
| Methodology | Must conform to standard practices. | Must be customized for the target's systems and environment. |