During the planning phase of a penetration test for a retailer that processes payment cards, it is essential to ensure that the testing activities comply with PCI DSS requirements. Which of the following activities during the penetration test requires special consideration to maintain PCI DSS compliance?
Inserting a hardware keylogger into point-of-sale systems.
Social engineering employees to reveal sensitive information.
Performing wireless network sniffing in areas where cardholder data is transmitted.
Notifying Visa and Mastercard before starting the penetration test.
Performing wireless network sniffing in areas where cardholder data is transmitted requires special consideration. According to PCI DSS Requirement 4.1, strong cryptography must be used to protect cardholder data during transmission over open, public networks. A penetration tester must ensure that they have explicit permission, and that proper segmentation checks are in place, so that they do not inadvertently capture or decrypt cardholder data, which would itself violate PCI DSS. Social engineering employees to reveal sensitive information isn't directly restricted by PCI DSS during a pen test; it's an accepted testing technique if agreed upon in the scope. Inserting a hardware keylogger into point-of-sale systems is not against PCI DSS as long as it's permitted and controlled as part of the pen test, and there is no requirement to notify the card schemes in advance of a penetration test.