
What is PCI Compliance Penetration Testing?

PCI compliance penetration testing is a security assessment that focuses on an organization’s cardholder data environment (CDE): all systems, networks, databases, and applications that store, process, or transmit cardholder data. Its purpose is to confirm that the organization maintains a robust security posture and meets the rigorous security standards set by the Payment Card Industry Data Security Standard (PCI DSS).

Beyond being mandatory in most instances, regular and comprehensive PCI compliance penetration testing is vital for any organization handling cardholder data. PCI compliance penetration testing differs from traditional penetration testing, and in this blog we break down what those differences are, who is affected by them, and how this all fits into PCI requirements and compliance.


What is PCI Penetration Testing?

All penetration tests primarily operate the same way: they simulate a hacking attempt within the context of a controlled security assessment. What makes PCI pen testing distinctive is its focus. It specifically uses a simulated attack to test and verify the effectiveness of the networks, applications, and databases that store, process, or transmit cardholder data.

The intention behind this is to make card payments safer and ensure that customer data is never unnecessarily exposed during a transaction. Doing so protects everyone involved and, as we’ll explore later on, is a critical part of overall risk management as well as PCI DSS compliance.

 

Who is Affected by PCI DSS 4.0?

Any organization that handles cardholder data, whether through its own systems or third-party services, is affected by PCI DSS 4.0. This latest version of the standard has more flexible compliance options, but the requirements for risk management have expanded, which is why penetration testing is becoming a bigger part of the compliance conversation.

Here is an overview of the key figures affected by these updates:

  • Merchants or businesses that accept card payments.
  • Service providers who process or store cardholder data on behalf of other businesses, such as payment gateways and cloud providers.
  • Financial institutions, including banks, payment processors, etc.
  • Third-party vendors who have access to cardholder data. IT support and software developers are the most common examples.

 

Is Penetration Testing Required for PCI DSS Compliance?

Yes, penetration testing is required for PCI DSS compliance. There is also a set scope and frequency that the test needs to follow in order to fit within PCI requirements.

 

The Main Objective of PCI Penetration Testing

Here’s why penetration testing is a requirement for PCI compliance and what its main objectives are:

  • Expose vulnerabilities that hackers might otherwise be able to use to gain access to sensitive payment data. Simulated attacks are particularly adept at showing not only weak spots but also how they might be exploited and the real-time efficacy of security controls.
  • Validate the security measures in place and whether or not they’re operating as needed. This includes protective measures as well as incident response plans. Penetration testing will help illustrate how quickly and effectively systems are able to react to a threat and mitigate it.
  • Maintain PCI compliance, which the above validation aspect is a key part of. It’s one thing to show that security measures are in place, but a penetration test helps prove that they’re working in line with PCI DSS requirements, hence its position in the standard.
  • Remediate any potential security issues or risk factors by going back and updating weaker areas so that the system comes out stronger than it began.
  • Use the process as a chance to be proactive about risk. Instead of waiting for attacks to hit, organizations are forced to get ahead of any threats and build both their security controls and response plans around potential issues. The simulated attack also ensures that these plans are accurate according to the kinds of dangers they may need to face. It takes some of the guesswork out of risk management so that businesses are more protected and more knowledgeable.
  • Continuously improve systems to ensure that they’re more prepared for attacks and for the changes that invariably hit cybersecurity. This is also a fundamental aspect of PCI DSS as a whole and something the pen test is specifically used to demonstrate.

PCI DSS penetration testing is as much a chance to illustrate compliance with the practicalities of the standard as it is an important part of showing commitment to the values that underscore it.

 

Key Components of PCI DSS Penetration Testing

Here’s a closer look at the key components of a PCI DSS penetration test and how it’s performed:

Scope Definition

A PCI pen test should include all critical cardholder data environment (CDE) systems. It’s up to the organization performing the test, though, to define what that looks like in their context and to ensure that it covers all the main components outlined by the standard, such as:

  • Critical systems, networks, or devices that handle cardholder data or impact how it’s handled in an organization.
  • Systems that are connected to your CDE.
  • The external CDE perimeter, which is to say the public-facing services, such as web applications, that are connected to public network infrastructure.

All organizations will have at least some of these components. Defining them early is crucial for guiding the PCI DSS pen test. In the overall PCI DSS report, not just related to the pen test, businesses will need to outline their system and network, show the organization's assets, and explain how cardholder data moves through them. 

External and Internal Penetration Testing (Networks and Applications)

Once the scope of the test has been laid out, the next step is performing the simulated attacks. The starting point is usually a combination of external and internal testing.

External testing usually focuses on internet-facing systems, such as:

  • Web applications and portals
  • VPNs
  • Email and DNS servers
  • APIs
  • Firewalls and routers

The above is intended to give an idea of how an outsider might be able to breach the CDE and exploit open ports, unpatched software, or poor access controls. This external testing is done right alongside an internal pen test, which simulates an attack from someone who already has access to the internal network and could target:

  • Internal servers and databases
  • Employee workstations
  • Internal applications
  • POS systems

Performing annual external and internal pen tests is an important requirement of PCI DSS. It assists with compliance and provides a well-rounded view of an organization’s cardholder security measures so that no vulnerability is missed.

Network Segmentation Testing

Another required penetration test for PCI DSS is network segmentation testing. Some organizations use segmentation controls such as firewalls or VLANs to separate the cardholder data environment from anything that’s out of scope.

In these instances, a pen test has to be performed to check whether a compromise of a non-CDE system could give an attacker access to the isolated CDE. It essentially verifies that the segmentation controls are operating effectively and that traffic cannot cross from out-of-scope networks into the CDE.
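As an added illustration (not code from the original post), the core of a segmentation check can be expressed as a small script: run from a host on an out-of-scope network segment, it attempts a TCP connection to every in-scope CDE service and treats any completed handshake as a segmentation failure to report and remediate. The CDE inventory below is a constructed, hypothetical sample; in practice it comes from the scope definition.

```python
"""Segmentation check: from an out-of-scope network position, attempt a TCP
connection to every in-scope CDE service.  Any successful connection means the
segmentation control is not isolating the CDE and must be reported."""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Constructed sample inventory of CDE services (hypothetical addresses and
# ports, not taken from the original post).
CDE_SERVICES: List[Tuple[str, int]] = [
    ("10.10.1.10", 443),   # hypothetical payment web application
    ("10.10.1.20", 5432),  # hypothetical cardholder database
    ("10.10.1.30", 22),    # hypothetical administrative jump host
]


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    reachable: bool


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake completes, i.e. the service is reachable
    from wherever this script is running."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(services: Iterable[Tuple[str, int]],
                       probe: Callable[[str, int], bool] = tcp_probe):
    """Probe each CDE service and return (passed, violations).

    passed is True only when no CDE service answered; every reachable service
    is a violation that belongs in the segmentation section of the report."""
    results = [ProbeResult(h, p, probe(h, p)) for h, p in services]
    violations = [r for r in results if r.reachable]
    return (len(violations) == 0, violations)


def format_report(passed: bool, violations: List[ProbeResult]) -> str:
    """Render a short, auditable summary for the pen test report."""
    lines = ["Segmentation test: " + ("PASS" if passed else "FAIL")]
    for v in violations:
        lines.append(f"  reachable from out-of-scope segment: {v.host}:{v.port}")
    return "\n".join(lines)


if __name__ == "__main__":
    passed, violations = check_segmentation(CDE_SERVICES)
    print(format_report(passed, violations))
```

A real segmentation test repeats this from every out-of-scope segment and covers protocols beyond TCP; this script shows only the pass/fail logic for the TCP case.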

Documentation and Reporting

Penetration testing on its own has little impact. It’s the documentation and reporting aspect that ensures that it assists with compliance and leads to security improvements. Every aspect of a PCI DSS penetration test has to be documented in an auditable format, and the findings shared in reporting that then shapes remediation efforts.

PCI pen test reports can look quite different depending on who compiles them, but they generally take on the following structure:

  • An executive summary with an overview of the pen test scope and the findings gathered.
  • A statement of scope with details on the systems and networks included as part of the cardholder environment.
  • A methodology breakdown to explain how testing was approached.
  • A statement of limitations. Every pen test has its limitations; usually tests can only be performed in designated time windows, and whatever the constraints are, they must be recorded here.
  • A detailed account of how the test progressed and any issues encountered. This is the core of any pen test report.
  • Segmentation test results, if segmentation testing was part of the pen test.
  • The findings, covering both the vulnerabilities discovered and their severity levels.
  • A list of the tools the testing team used during their work.
  • Remediation guidance. Remediation is a critical aspect of PCI pen testing, so any clean-up instructions or recommended fixes need to be included in the report.
  • Finally, evidence of remediation through the retesting process and its results. This validates the fixes made and the overall security of the CDE.

The above is what builds an audit trail and provides evidence of compliance for PCI DSS. Reporting also ensures that the process retains a sense of accountability and transparency. This helps keep tests within scope.

 

Understanding PCI Penetration Testing Requirements

PCI DSS Requirement 11 defines the necessity of regular security testing within the CDE and outlines how penetration testing should be managed. Let’s take a closer look at some of the key sub-items included and how they shape the process:

  • PCI DSS Requirement 11.3: This requirement states that regular and comprehensive security testing is required and serves as the main point of reference for PCI DSS pen testing guidelines. It calls for the use of recognized industry methodologies, such as NIST SP 800-115; others are also referenced in the PCI general guide to pen testing.
  • PCI DSS Requirement 11.3.1: The focus of this requirement is yearly external network penetration testing. It emphasizes the need to perform tests on internet-facing networks and servers.
  • PCI DSS Requirement 11.3.2: Now we move into annual internal penetration testing, which matters not just for seeing what an attacker could do after gaining access to internal systems, but also what a malicious insider could potentially accomplish.
  • PCI DSS Requirement 11.3.3: This sub-item looks at retesting and the need for timely remediation after an initial pen test. It’s important that organizations pay attention to this so as to avoid leaving themselves and their users open to security threats.
  • PCI DSS Requirement 11.3.4: Segmentation controls are the focus here, with the requirement outlining that those who use network segmentation to isolate their CDE from the other networks need to check that unauthorized access can’t occur. Those who don’t use segmentation can skip this.
  • PCI DSS Requirement 11.1: Wireless networks and rogue access points are a common point of vulnerability. This requirement looks at the importance of performing sweep checks of these aspects when they’re found within the CDE or are connected to it.
  • PCI DSS Requirement 11.2: The rules for running internal and external network scans explain when it’s mandatory to use a PCI Approved Scanning Vendor, and when it’s not.
  • PCI DSS Requirement 6.6: If there was any doubt about whether organizations seeking PCI DSS compliance need to perform external penetration tests, this sub-point helps clear things up. It very clearly mentions security evaluations of public-facing web applications and the requirement for these assessments to occur.

How Often Do PCI Penetration Tests Need to be Performed?

PCI DSS requires that organizations conduct penetration testing at least annually, or any time significant changes or updates are made to their infrastructure. Implementing a new system or modifying a network can accidentally expose the CDE to new threats, so it’s important that pen testing be included as part of those changes.

The Remediation and Retesting Process

Once a penetration test is completed, the next step is looking at the security issues exposed in the test, their severity, and the potential impact these risks have when it comes to cardholder data and safety. The PCI DSS calls for “exploitable vulnerabilities found during penetration testing [to be] corrected” and testing repeated to verify that the corrections have been “successful”.

The first step with the above is the remediation process, in which:

  • Vulnerabilities are prioritized according to their severity. Critical threats have to be dealt with immediately.
  • Remediation actions are assigned to relevant teams or individuals.
  • The vulnerabilities are fixed and tracked in a remediation log.
  • Access controls are enhanced.
  • All fixes and updates are documented for total traceability and later referencing.

Remediation is by no means the end of things. It has to be followed by a retest to ensure that vulnerabilities are completely resolved and that no new ones were accidentally introduced through the remediation process. A bad patch fix can quickly leave another area exposed, so it’s vital that teams go back to check the efficacy of their work. It’s also a firm requirement of all PCI DSS penetration testing.

In order for the retest to meet PCI DSS requirements, it must:

  • Recreate the initial pen test as much as possible by using the same (or similar) methodology and the same team if available.
  • Be documented and show evidence of the fix and that it’s working as needed.

Only once all of this is completed is the PCI DSS test considered done and the requirements fulfilled.

 

How is a Penetration Test Different from a Vulnerability Scan?

Though penetration testing and vulnerability scanning are both required security assessments in PCI DSS, they approach things very differently and have quite distinct purposes. Here’s a quick overview:

[Vulnerability Scan vs. Penetration Test table here]

 

What is the Difference Between a PCI Penetration Test and a Regular Penetration Test?

Penetration tests, as we’ve mentioned, are a fundamental part of any cybersecurity approach. Many cybersecurity standards encourage them, but PCI penetration testing is its own beast. It’s designed specifically to ensure PCI DSS compliance and address cardholder security issues.

Because of this, it has some distinctive characteristics when compared to regular penetration testing and can’t be run the same way. Here’s where these tests diverge:

Scope And Focus

  • PCI Penetration Test: A PCI penetration test has a fairly narrow scope. Though it can include the testing of various networks and systems, the focus is on the cardholder data environment and how well it’s being protected from threats. The simulated attack will be designed to target just this area. 
  • Regular Penetration Test: Some penetration tests go in with the mandate to simply test an organization's entire IT structure. They can have quite a broad scope and go into social engineering as much as they do traditional cyber issues. The objective is usually to test security weaknesses across an organization, rather than being limited to how cardholder data is handled.

Compliance Requirements

  • PCI Penetration Test: Those wanting to comply with PCI DSS or maintain their compliance have to perform regular penetration tests. It’s a mandatory task, and the results also affect the assessment. Outcomes from a PCI DSS test are used as evidence of compliance and are how businesses show that they’re aligning with the practicalities as much as the spirit of the standard.
  • Regular Penetration Test: It’s considered best practice to perform regular penetration testing for the sake of robust cybersecurity, and many standards encourage it. However, few list it as mandatory. In most cases it’s a choice whether to perform these tests, and while they boost compliance, they’re not always a deal-breaker in the way they are for PCI DSS.

Remediation And Reporting

  • PCI Penetration Test: Because of its narrow focus, the remediation and reporting phase of a PCI penetration test will have a similarly narrow approach. It’s aimed entirely at validating how effectively security measures are operating to protect the cardholder environment from threats. Anything outside of cardholder-related risks won’t be seen as relevant. It’s also important to note that retesting is a required part of an overall PCI penetration test.
  • Regular Penetration Test: Retesting isn’t always mandatory for compliance. Many penetration tests occur without one, and when retests are performed, they have to address a much wider array of vulnerabilities than PCI pen tests. As a result they’re more expensive to perform, though the benefits often outweigh the initial cost.

Penetration Test Frequency

  • PCI Penetration Test: PCI DSS requires those seeking compliance or wanting to maintain it to perform annual PCI penetration testing, or after any significant changes have been made to their applications or infrastructure. The value of this is that businesses are forced to take a proactive stance with risk and continuously improve their systems so that they’re less vulnerable to data breaches and other attacks.
  • Regular Penetration Test: Organizations that have complex systems or are dealing with sensitive information will prioritize pen testing at least annually. This is usually optional, though, as it’s rarely a mandatory part of general cybersecurity compliance.

PCI Compliance Penetration Testing and Prescient Security

PCI compliance and penetration testing can seem like an unusually intricate and demanding world, unless you have the right team assisting you. At Prescient Security, our experts have years of experience with the PCI DSS. We know not to treat PCI pen testing the same as regular testing, but we also know not to treat every organization’s compliance journey the same way either.

We target our approach to your specific goals and compliance needs so that you get as much from the testing process as possible. Organizations should leave penetration tests with better risk mitigation strategies in place and greater confidence in their security measures. That’s exactly what the Prescient team provides.

 

Click here to talk with one of our experts now and kickstart your PCI DSS penetration test. From initial consults to final retests and reporting, we’re here to help.