PCI compliance covers the baseline controls for computer security, but it will not by itself ensure that your corporation is secure.
For that to happen you must have personnel who implement security policies correctly, and security must be ingrained in all employees, because the weakest link is our employees' actions day after day. It is difficult to make no mistakes day after day.
So we use technology to help us implement computer security.
We can use an IDS (Intrusion Detection System) or an IPS (Intrusion Prevention System) in the network architecture, plus anti-virus software on the desktops, to set up a layered defense of the networked computers.
Section 11.3 of the PCI DSS standard is the pentesting requirement for PCI compliance.
Why is pentesting a requirement? Because no matter what controls you think you have in place, it is always good to have someone try to break in; it adds a level of assurance. The idea is that any misconfigured systems or other mistakes will be caught by the pentesters, and those misconfigurations can then be fixed.
Best practices section:
Even with all of those items in place, a good training program to prevent social engineering of your employees is important to achieve.
Social engineering is the #1 way an attacker gains a beachhead in the initial attack. From that initial compromise the hacker will slowly try to leverage more access until finding a system with some worthwhile information.
As I mentioned in this Post:
The point we need to teach employees is that any mistake can start the slow creep and eventual avalanche of security problems.
Everyone who clicks on websites and email is a potential risk. So even with PCI compliance, the security of your company data and customer data is still at risk.
There are gaps in our standardized security-profile thinking:
1. Taking care of only the network and desktops will not completely secure the environment.
2. All employees need to be made aware of social engineering.
3. The IT knowledge of all employees needs to be increased.
4. Home VPN connections into the corporate environment can also cause security problems.
5. Any vendor with access to your network could be a security liability.
It goes without saying that any of these potential problems can bloom into a full-fledged disaster within a few days to weeks.