Penetration Tests and Vulnerability Scans: Know the important differences.

Penetration testing (also called “pen testing”) and vulnerability scanning are both required by the Payment Card Industry Data Security Standard (PCI DSS), but there is often confusion about the differences between the two services. This document offers clarification on how to differentiate between penetration tests and vulnerability scans.

Vulnerability scans look for known vulnerabilities in your systems (typically by matching software versions, configurations and service banners against a database of published weaknesses) and report potential exposures; they do not confirm that a reported weakness can actually be exploited, so results can include false positives and will miss flaws a scanner has no signature for. Penetration tests are intended to exploit weaknesses in your systems, applications and network architecture, chaining them where possible, to determine the degree to which a malicious attacker could gain unauthorized access to your assets. A vulnerability scan is typically automated, while a penetration test is a manual test performed by a security professional (who may use automated tools, but decides what to attack, verifies each finding and works within an agreed scope).

Here’s a good analogy: A vulnerability scan is like walking up to a door, checking to see if it is unlocked, and stopping there. A penetration test goes further; it not only checks to see if the door is unlocked, but also opens the door, walks right in, and reports how far inside it was able to get.