Since its first release in 2004, the Payment Card Industry Data Security Standard (PCI DSS) has evolved into a globally proven and accepted security standard. It is a binding set of security requirements that applies to all merchants and payment service providers who transmit, process, or store payment card data. The standard sets out rules for the network infrastructure and server components, including how they are managed.
PCI DSS Requirement 11.3 addresses penetration testing, which is different from the external and internal vulnerability assessments required by PCI DSS Requirement 11.2.
A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible.
Penetration testing should include network and application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network.
Who performs penetration testing
The PCI DSS does not require that a QSA or ASV perform the penetration test – it may be performed by either a qualified internal resource or a qualified third party. If internal resources are being used to perform penetration tests, those resources must be experienced penetration testers. The individuals performing penetration testing should be organizationally separate from the management of the environment being tested. For example, the firewall administrator should not perform the firewall penetration testing.
Scope of penetration testing
The scope of penetration testing is the cardholder data environment and all systems and networks connected to it. If network segmentation is in place such that the cardholder data environment is isolated from other systems, and such segmentation has been verified as part of the PCI DSS assessment, the scope of the penetration test can be limited to the cardholder data environment.
Frequency of testing
Penetration testing should be performed at least annually and any time there is a significant infrastructure or application upgrade or modification (for example, new system component installations, addition of a sub-network, or addition of a web server). What is deemed “significant” is highly dependent on the configuration of a given environment, and as such cannot be defined by PCI SSC. If the upgrade or modification could impact or allow access to cardholder data, then it should be considered significant. Significance within a highly segmented network where cardholder data is clearly isolated from other data and functions is very different from significance in a flat network where every person and device can potentially access cardholder data. As a security best practice, all upgrades and modifications should be penetration-tested to ensure that controls assumed to be in place are still working effectively after the upgrade or modification.
Penetration Testing Methodology
There are several methodologies that can be used for penetration testing. The first decision that needs to be made is how much knowledge the tester has of the system being tested. Having no prior knowledge is known as “black box testing,” where the tester must first identify the location of the systems before attempting any exploits.
Having explicit knowledge is known as “white box testing.” If it is determined that it would be beneficial for the tester to have prior knowledge, there are several items required by other PCI DSS requirements that generate information that can be used. Those PCI DSS items include:
- A network diagram (1.1.2)
- Results from a QSA review or Self-Assessment Questionnaire (SAQ)
- Annual testing of controls to identify vulnerabilities and stop unauthorized access (11.1)
- Results from quarterly external and internal vulnerability scans (11.2)
- Results from the last penetration test (11.3)
- Annual identification of threats and vulnerabilities resulting in a risk assessment (12.1.2)
- Annual review of security policies (policies that need to be updated may identify new risks in an organization) (12.1.3)
Documentation from all of the above should be evaluated, and threats and vulnerabilities found as part of the normal assessment processes should be considered for inclusion.
Reporting and documentation
It is recommended that both the penetration test methodology and the results be documented. PCI SSC has no reporting requirements for penetration tests; however, the results should be retained in order to follow up on the identified issues and as evidence to be reviewed by those performing the PCI DSS assessment.
About the PCI Security Standards Council
The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security. The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement, and dissemination of the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements, and the Payment Application Data Security Standard (PA-DSS). Merchants, banks, processors, and point-of-sale vendors are encouraged to join as Participating Organizations.
- PCI penetration testing services – in a nutshell, the service that we offer
- The PCI DSS Standard – the catalogue of all requirements of the PCI DSS standard
- Summary of Changes from PCI DSS Version 2.0 to 3.0 – a list of changes between v2 and v3 of the PCI DSS standard
- PCI DSS Program Guide – more useful information and comments on the requirements and the procedures for a PCI DSS validation