The process for scoping internal PCI pen tests

I wanted to lay out the typical process that I go through when meeting with a client who needs a penetration test for PCI compliance. I think this will be helpful for those of you involved in these types of engagements.

  1. You have a meeting with the client who needs a pen test for PCI
  2. You quickly realize that your client does not know that a clarification was issued that states that pen testing is defined as INTERNAL and EXTERNAL, not just external
  3. When you mention this clarification, they look at you like you've lost your mind
  4. Then they look incredulous
  5. Then they question your sanity
  6. Then they think you are trying to rip them off
  7. Then you produce the clarification document (this is the 11.3 supplement document – have this with you AT ALL TIMES)
  8. Then they look incredulous again
  9. Then they start thinking about how this is going to cost them more money
  10. Then their ears start smoking
  11. Then their eyes start bleeding
  12. Then they rant and rave at PCI and how it is not fair
  13. Then they come full circle and start breathing normally again because they think it can’t be too bad because they have credit card data on only two servers
  14. Then you ask them if they have segmented off their internal credit card environment
  15. They say no (almost always) and you resist the urge to shake your head and laugh
  16. Then you state that they will need to perform an assessment of their entire environment
  17. Then symptoms from numbers 10 and 11 return
  18. Then you finally get the information you need from them and scope the engagement
  19. They get the SOW and start crying
  20. Then they become incredulous… AGAIN
  21. Then they say there is no way they can pay for this
  22. You tell them they would not have to pay this much if they segment off their CC environment
  23. They talk to their QSA, who gives them a different scope
  24. Confusion and cursing ensue
  25. You scope again and you put down in writing that you don't accept responsibility if they don't pass an audit because the scope of the penetration test was not correct
  26. The client gets nervous and goes back to the QSA
  27. The client is informed that their auditor has left the company and they are assigned a new auditor
  28. Their new auditor redefines the scope

100.  Skipping to the end… the client commits suicide…

And the process begins again with the poor bastard who gets promoted.


Copyright © 2009 IDG Communications, Inc.