PCI compliance: vulnerability vs penetration testing


Hi All,


I have a customer that is trying to jump through Trustwave's
questionnaire on PCI compliance (credit cards).  This is
their explanation of one of the required tests:  they
want both vulnerability and penetration testing.  Now I don't
see the difference, but they do:

        Vulnerability scanning uses automated tools to attempt
        to discover vulnerabilities in the cardholder data
        environment.  Penetration testing goes further by
        having personnel *manually* attempt to exploit
        vulnerabilities and gaps in security the same way a
        criminal would.  Without penetration testing, you may
        know where vulnerabilities may be, but you won't know
        how deep an attacker can get or what he may be able to

"Manually"?  How in the world does one do that?  Try to log in
with telnet?  Call the local federal prison and ask to borrow
a hacker for the day?  What can I do manually that the
"automated tools" can't?

Now I can see trying to seal the hole and retesting, but
that is not what they are asking for.  They want me
to sit down and try breaking into the thing!
