PCI DSS Penetration Testing

Organizations involved in the processing of payments have to comply with the requirements of the PCI DSS (Payment Card Industry Data Security Standard) in a bid to secure cardholder data. Despite the numerous prescriptive aspects incorporated in PCI DSS, penetration testing regularly confuses organizations. Therefore, companies must identify penetration testing techniques for verifying that their controls protect their entire cardholder data environment (CDE). This move helps organizations to integrate PCI DSS compliance appropriately.

PCI DSS Penetration Testing

The Main Components of Conducting Penetration Testing

PCI DSS penetration testing exists in three types. For the black-box assessments, no information is availed before the start of the test. In the case of white-box assessments, organizations avail penetration testers with the application and network details. Lastly, grey-box assessments feature partial details regarding target systems.

When it comes to PCI DSS testing, grey-box or white-box assessments provide companies with quality insight. The details availed by organizations help in streamlining the testing, allowing it to use lesser resources, be less costly, and consume less time.

Penetration Test vs. Vulnerability Scan

Vulnerability scans focus on identifying, ranking and reporting system weaknesses that can affect a system. Traditionally, companies are required to take part in such tests quarterly or immediately after making considerable alterations to their data environment. Regularly, vulnerability scans take advantage of automated tools accompanied by manual authentication of issues.

On the other hand, penetration testing aims at exploiting weaknesses by checking for existing gaps in security features. To be more specific, it entails an active process of attempting to break a system whereas vulnerability involves passively reviewing a given landscape for possible issues. This proactive manual task consumes more time and offers a more detailed resource. Thus, it has to take place yearly instead of quarterly.

How do companies determine their CDE scope?

Formally, the PCI standard describes cardholder data environment or CDE as “the people, process, as well as technology that process, store, or transmit sensitive authentication data or cardholder.” Therefore, establishing the PCI compliance scope has to be a company’s first step towards penetration testing.

First and foremost, payment processors have to assess unprecedented access to all public networks, including unauthorized access to personal external IP addresses.

Secondly, companies check the vital internal systems that have access to this information. Therefore, testing has to include network and application assessments.

In case companies have separated their information, then they have to test the systems that are considered to be outside the cardholder data environment to make sure that there’s no cross-contamination taking place. In turn, such testing helps to ensure that the company’s segmentation controls are operational and keep the data segmented.

Lastly, considering a network or system to be “out of scope” calls for the need to ensure that its compromise will not affect cardholder data. Hence, penetration testing, primarily of “out of scope” environments, shows that segmentation controls not only function in policy but also in practice.

What does a “critical system” mean?

PCI DSS refers to all systems involved in protecting and processing cardholder data as “critical.” They can be public-facing devices, security systems or anything else that transmits, stores, or processes cardholder data.

Regarding penetration testing, e-commerce redirection servers, authentication servers, intrusion-prevention/ intrusion-detection systems, or firewalls may all fall under this description.

Application-layer vs. network-layer testing

Nowadays, malicious attackers concentrate on weaknesses existing in the application layer. Most organizations leverage web applications, mobile applications, open source components, third-party software, legacy applications, or develop software internally as a section of their payment processing plan. Application-layer testing entails the attempt to break software for vulnerabilities.

Network-layer testing targets devices found within an entity’s environment. For instance, it aims at identifying the vulnerabilities in switches, routers, firewalls, and servers. Weaknesses found in this particular layer include misconfigured devices, default passwords, and unpatched systems.

What are the network-layer and application-layer tests needed by PCI DSS

The penetration testing standards of PCI DSS call for companies to test authentication, web applications, PA-DSS compliance applications, and a different testing environment.

Concerning authentication, companies ought to assess their employee environment’s roles and access. Nevertheless, they have to ensure that customers can access their data only. What this means is that a penetration tester must assess cardholder customer controls and workforce user controls.

For organizations that use PA-DSS authorized application, penetration testing has to be done on the app’s implementation, even if the application doesn’t necessarily require testing.

On the other hand, web applications pose another different challenge. Companies utilize commercial interfaces like document sharing tools that are not customized to meet their needs. Hence, instead of an application-layer test, organizations ought to concentrate on the network-layer penetration test in a bid to ensure appropriate maintenance, configuration, and implementation.

Lastly, the nature of testing regularly interferes with everyday processes. Therefore, companies ought to develop a given environment that reflects reality.
What is the meaning of a “significant change”?

Since PCI DSS does not offer a description of the significant change, companies must determine whether modifications or updates can enable access to cardholder data or affect network security. If an implementation or upgrade can pose any threat to the CDE, then the company must make sure penetration testing takes place.

PCI DSS penetration testing does not have to be burdensome to your company/organization. You can leverage the available GRC solutions to make the process seamless. Some of these tools feature continuous monitoring capabilities that offer updated, real-time insights that allow companies to continually respond to changing vulnerabilities and threats in an ever-growing threat environment.

Author Bio

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.