Skip to content

What you should know about PCI DSS penetration testing

Join our mailing list

Signifyd regularly publishes free reports packed with business insights, commerce trends and data from our massive Commerce Network. We’ll only email when we have something meaningful to share, no more than once per week. And of course you can unsubscribe any time.

It seems not a day goes by that you don’t read about another massive data breach.

The sad fact is that breaches happen all the time. Cybercriminals are increasingly sophisticated and increasingly motivated by the lucrative trade in personal information — names, birth dates, social security numbers, credit card accounts.

Those bits of information are gold to fraudsters and sophisticated fraud rings that use the data to steal financial credentials, take over consumer accounts with merchants and to create false identities out of whole cloth that then go on criminal shopping sprees.

Consumers are demanding that the companies they trust with their data do better. If you’re a retailer — or a financial institution, or any business, frankly, that deals with personally identifiable information, you are no doubt working hard to protect that data.

Among the tools available to you are penetration tests, something of a stress test for your own security systems.

Companies that process payments need to comply with the Payment Card Industry Data Security Standard (PCI DSS) in order to provide an acceptable level of security for cardholder data.  In fact, the standard globally applies to all the entities around the world that are involved in processing, storing and transmitting cardholder data.

The reason you need to use PCI DSS testing

Properly implementing and maintaining PCI DSS is a good idea for two reasons: It allows you to boost your company’s entire security status while preventing expensive data breaches and fines. Being on top of  your PCI DSS game will ensure that your organization is adequately prepared to detect and prevent a wide range of malicious attacks from those attempting to access your information assets at the physical and network level.

How you know if you’ve done it right

Testing. Specifically, penetration testing. While PCI DSS has been around for more than a decade, penetration testing has only been used recently. Not all penetration testing is created equally. Your organization needs to identify penetration testing techniques that verify that its controls can protect its cardholder data environment. Doing the identification step properly allows you to integrate PCI DSS compliance properly.

Types of penetration testing

So, where to start? PCI DSS is evaluated with three types of penetration tests. Black-box assessments don’t offer you any information before the beginning of the tests. For white-box assessments, companies normally provide penetration testers coupled with network and application details. Lastly, grey-box assessments encompass the provision of partial information relating to target systems.

Throughout PCI DSS testing, both white-box and grey-box assessments give organizations a comprehensive insight regarding their activities. What’s more, the information a company or organization provides during testing helps considerably in streamlining the entire process, which not only makes it less costly but also saves time.

Distinguishing between penetration tests and vulnerability scans

Here it might be helpful to explore the difference between penetration tests and vulnerability scans. Vulnerability scans are designed to assist you in identifying, categorizing and reporting any weaknesses that can interfere with your system.

Although it is generally advisable to carry out such scans quarterly, you have to conduct them each time you make any significant changes to the data environment. Additionally, vulnerability scans mostly use automated tools and come with manual verification, which is intended to eradicate existing issues.

On the other hand, penetration testing is intended to deliberately take advantage of vulnerabilities through identifying the gaps within your security system. In essence, it involves the active process of trying to penetrate a system with the intention of exploiting the existing weaknesses. This case makes penetration testing different from vulnerability scans, which passively go through your system to identify potential issues.

Penetration testing comprises proactive manual processes that are time-consuming, which explains why you can only conduct it once per year. Nevertheless, it offers a more comprehensive insight into your security apparatus.

Establish the scope of your cardholder data environment

According to PCI security standard’s definition of cardholder data environment (CDE), it entails the people, process and technologies that process, store and transmit sensitive cardholder data. Hence, the initial step for you ought to be determining the scope of the whole process, particularly for PCI compliance tests. You need to consider several guidelines when determining the scope of your test.

Payment processors must evaluate aspects pertaining the access to open networks, which include the controlled access to external IP addresses. Furthermore, you have to channel your focus to your critical internal systems, mainly those revolving around access to information. For cases in which your company has split its information, we recommended that you monitor all the systems, more so those that are outside the cardholder data environment, in a bid to keep cross–contamination cases at bay.

Apart from making sure that your information stays separated, testing systems that are not in your CDE environment helps to ensure that your company’s separation controls work appropriately. Terming your system or network as out of scope translates to making sure that its weaknesses do not have any impact on cardholder data.  Hence, carrying out penetration testing in such environments not only proves that segmentation controls work in policy but also in practice.

The meaning of critical systems

According to PCI DSS testing, systems that take part in the processing and safeguarding of cardholder information are critical. These systems may include security systems, public-facing devices, as well as all devices that process, store and relay cardholder data. What’s more, ecommerce redirection servers, intrusion detection servers, authentication servers and penetration testing are all considered to be critical as far as your operations are concerned. By and large, bear in mind that critical systems comprise all of the technology assets that those who are privileged within your company use to oversee and support CDE.

The distinction between network-layer and application-layer testing

Recently, malicious attackers appear to be increasingly targeting the weaknesses inside the application layer. As such, most companies nowadays are utilizing various tools as fundamental elements of their payment processing plans. They include internally-developed software, web applications, legacy applications, third-party software and open source components. Therefore, application-layer testing means trying to penetrate software to identify the exact vulnerabilities.

Alternatively, network-layer testing mainly concentrates on devices inside your organization’s surroundings. For example, this process can allow you to pinpoint potential weaknesses in your systems including routers, switches, servers and firewalls. Some of the weaknesses that you can spot within your network layer consist of unpatched systems, misconfigured devices and default passwords.

The types of application-layer and network-layer tests that PCI DSS need

Normally, the provisions of PCI DSS penetration call for your company to test PA-DSS compliance applications, different testing environments, authentication and web applications.  With regards to authentication, you must ensure that you assess functions and access to your employee environment. However, you also need to ensure that only your clients can gain access to their data.

A penetration tester has to assess both workforce user controls and cardholder customer controls. Also, keep in mind that if your organization utilizes a PA-DSS approved application, then PCI DSS penetration testing has to be done during the execution of the application even though it does not need testing.  For this reason, testing should concentrate on the operating system and exposed devices as opposed to the functionality of your payment application.

Automating compliance alleviates the burden of penetration testing considerably. Thanks to this automated method, it becomes easier for your company to roll out a governance system that delivers comprehensive insights. In addition, you can include a reporting dashboard in a bid to conveniently assess health control quickly while noting the critical problems that your company faces. By doing so, you can easily achieve enhanced cross-enterprise results.

Photo by iStock

Ken Lynch is CEO of Reciprocity. He wrote this piece for the Signifyd blog.

Ken Lynch

Ken Lynch

Ken Lynch is a founder of Reciprocity. He believes employees make better corporate citizens when they are engaged in the compliance, risk and governance goals fo their companies.