A penetration test is simply an authorized cyber attack performed by a “white hat” entity whose purpose is to uncover any and all weaknesses in a company’s network. The procedure is fairly wide-ranging in scope, covering both application-layer and network-layer testing. The entity responsible must carry out both external probes (simulating an attacker working from outside the company’s network) and internal probes (simulating personnel who already hold legitimate access privileges). Tests must be conducted at least once per year and whenever significant modifications have been made to the payment processing environment.
Pen tests need not be performed by a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV). Testing may be done by a company’s internal personnel, but to avoid conflicts of interest, the individuals assigned this task must be independent from the managerial team responsible for the environment. Furthermore, it is recommended at the conclusion of the process that the participants assemble a formal report detailing the findings of the test; this step is not strictly required, but it is a useful tool that, among other benefits, helps organizations keep track of their pen test schedule.