An Introduction to PCI-DSS Penetration Testing

All You Need to Know to Get Started and Avoid Non-Compliance

PCI-DSS (Payment Card Industry Data Security Standards) is a set of standards that you’ll need to comply with if you accept payments by card. You’ll need to demonstrate that you maintain a secure network and that you manage vulnerabilities to protect cardholder data. This includes monitoring and testing networks regularly. PCI penetration testing helps you do this.

What Are the PCI Standards?

The PCI standards are designed to protect your business from cyberattacks, and to protect the entire PCI industry ecosystem. A breach of security at a single organization can ripple throughout the industry, causing loss of trust and reputation.

If your organization uses payment devices and applications, you must:

  • Maintain a secure network
  • Protect cardholder data
  • Implement access control measures
  • Maintain a vulnerability management program
  • Monitor and test networks regularly
  • Maintain an information security policy

Penetration testing helps you achieve these standards.

You’ll also need to assess your segmentation policies and procedures every six months. You should be able to:

  • Identify how you receive cardholder data, and where it is held
  • Provide documentation that details where account information is stored and processed
  • Identify all your system’s components and processes
  • Identify all personnel that have access to the system
  • Show that you have robust procedures to monitor and maintain compliance with PCI DSS

Why Penetration Testing for PCI DSS?

A penetration test (or pen test) has two distinct goals:

  1. First, to determine whether a malicious actor can gain access to the system and threaten the security of that system, its files and logs, and the cardholder data it holds.
  2. Second, to confirm that all the controls needed to maintain compliance with PCI DSS are present.

Types of Pen Testing for PCI DSS

There are three types of pen test:

  • A black-box assessment, where the tester is given no information by the company commissioning the pen test
  • A white-box assessment, where the pen tester is given network and application details
  • A grey-box assessment, where the pen tester is given some, but not all, information about the system

Of these three tests, the white-box and grey-box assessments provide the deepest insight. Also, by providing some information upfront, you’ll find that the process is streamlined with lower costs.

Does Your Business Need a Pen Test?

Not all organizations will need to conduct a pen test to remain compliant — it depends on which PCI standards apply.

If you do need pen testing, you’ll need to pass a scan every 90 days, and conduct further testing if you change your cardholder data environment. If you don’t pass pen testing, you’ll need to make adjustments to correct shortfalls and then repeat the scans to ensure you have come back into compliance.

What if You Don’t Comply with PCI DSS?

Non-compliance with PCI DSS carries stiff penalties, including the possibility of being barred from processing credit card payments. Therefore, if a pen test does reveal any failings in your system, it is crucial to have them resolved as soon as possible.

Who Should You Get to Execute a Pen Test?

The pen tester must be independent of the management of the system being assessed, though they can be part of your organization. If you hire a third-party pen tester, they cannot have been involved in the installation, maintenance, or support of the system being assessed.

It is also recommended to use a pen tester with an industry-recognized certification (though this isn’t a requirement). Qualifications include:

  • Offensive Security Certified Professional (OSCP)
  • Certified Ethical Hacker (CEH)
  • Global Information Assurance Certification (GIAC)
  • GIAC Penetration Testing (GPEN)

You should also consider the experience of the pen tester, and if that experience is relevant to your organization.

Do you have PCI DSS compliance requirements and require a penetration test? If so, which type of pen test would be best for you?

To answer these questions and any others you may have, contact Tiro Security today.