Penetration Testing for Credit Card 'Terminal' Computer

[Spapro]

Hi,

We are a small single office business to business trader and are just coming up to our annual PCI compliance and need to understand penetration testing as follows:

We have a single workstation PC on a segmented area of our network (not accessible from the rest of the network). On that PC we use Sagepay terminal to enter MOTO not present card transactions.

Do we need to engage someone to complete a penetration test to check the durability of our segmentation and confirm its secure enough ? as PCI compliance is asking me to confirm this has been done.

If so, what do others do on this and is there a quick, cheap service I can employ to run the penetration test ? What do others use ?

 

[EmC007]

My understanding is that the you can select a supplier who will carry this out. This is normally the best way so that you can demonstrate that the person that carried out the test is trained and certified. I do know a company that does that kind of thing if you wanted an introduction.

 

[Nico Albrecht]

Not sure why you make your life complicated. Run an outside port scan on that PC and record the results. Job done. Also your explanation for segmentation doesn't make sense either. If the PC is connected and has access to the Internet the internal segmentation is worthless.

 

[Spapro]

Spoken with Safer Payments who confirmed we don't need a scan.

 

[ukbf0001]

Glad you sorted it - from my recollection the PCI DSS 'people' provide the tools to do the scans (well they did for me anyway)

 

[stugster]

I'd also, just to be on the safe side, get it in writing from Safer Payments that you don't need a scan. Never a bad thing to have the paper trail!