The goal of pentest by PCI DSS?

[Taras <taras () securityaudit ru>]

Hello, all!

There is requirement 11.3 in PCI DSS [0]: "...
Perform external and internal penetration testing at least once a year
and after any significant infrastructure or application upgrade or
modification (such as an operating system upgrade, a sub-
network added to the environment, or a web server added to the
environment).
...
"

From "Information Supplement: Payment Card Industry Data Security
Standard (PCI DSS) Requirement 11.3 Penetration Testing" [1]:

"
...
The scope of penetration testing is the cardholder data environment and
all systems and networks connected to it. 
...
The penetration tests should attempt to exploit vulnerabilities and
weaknesses throughout the cardholder data environment, attempting to
penetrate both at the network level and key applications. The
goal of penetration testing is to determine if unauthorized access to
key systems and files can be achieved. 
..
"
Does this mean that the main aim of pentester by PCI DSS is cardholder
data?  Or simply aim is to gain access (exploit vulnerabilities) to as
much systems in CDE as possible? I asked about this because we can gain
access to for example Oracle DB and do not try to search PANs in it. 
Or we can gain access to some users workstation and do not try to search
cardholder data in file system.

One more question. Do you use social engineering in pentests by PCI DSS?

Thanks for answers!

[0]
https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
[1]
https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf

-- 
Taras
----
"Software is like sex: it's better when it's free." - Linus Torvalds

Attachment: signature.asc
Description: This is a digitally signed message part