Author: Jordan MacAvoy
If your enterprise accepts credit card payments or processes payment card data, you are mandated to uphold the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS was established to protect cardholder data. To be compliant, businesses have to meet several requirements, the most confusing of which is penetration testing. Penetration testing validates the measures taken to protect cardholder data.
Understanding PCI Penetration Testing
Fundamentally, penetration testing involves attempting to break into an enterprise's systems. It is an ethical way of finding vulnerabilities that could otherwise be exploited by malicious hackers. The technique, also referred to as a pen test, is performed by security experts who mimic real cyber-attacks.
Pen testing is ethical because it is done with your permission, in order to identify and close gaps in your security controls. Apart from authorizing the testing, a client may furnish the tester with some information. How much information is given determines which type of test is carried out. Below are the three types of pen testing:
- Black-box assessment – no information is given to the tester by the client company;
- White-box assessment – the tester is given network and application information by the client company;
- Grey-box assessment – the tester has partial information about the systems to be tested; the client company withholds some information.
White-box or grey-box assessments are recommended because they give better insight into the cardholder data environment. Giving the tester some information before the test simplifies the process, and a simpler process is cheaper and requires less time and fewer resources.
What Does It Take to Pass a PCI Compliance Scan?
Although the PCI DSS emphasizes frequent compliance scans to find and fix potential vulnerabilities, a penetration test is not the only path to PCI DSS compliance. Whether your enterprise needs a pen test depends on its merchant level. Because the Payment Card Industry Security Standards Council (PCI SSC) was created by the payment card providers to set industry standards, it has options for enterprises of all sizes.
What is mandatory is filling in the self-assessment questionnaire (SAQ). Not all categories of the SAQ require a pen test; there are other scans you can take for compliance. To know whether your business requires a pen test, review the PCI security standards.
If your business falls into the category that needs penetration testing, it is required to pass a scan every 90 days. It must also undergo additional testing whenever there are changes to the cardholder data environment (CDE). Fulfilling these requirements demonstrates that you have strong controls and that your security system meets the standards governing your enterprise. Failing a pen test means you must take corrective measures and run further scans to become compliant.
The consequences of non-compliance with the PCI DSS are severe: your enterprise may lose its credit card processing privileges. This underscores the importance of resolving every issue identified by the pen test. Ideally, the tester should be unable to exploit any weakness in your security controls.
What Is the Difference Between a Penetration Test and Vulnerability Scan?
A vulnerability scan uses automated tools to identify and report security vulnerabilities in a system. The identified issues are then verified manually. Typically it is run quarterly, and it can also be run after significant changes have been made to the data environment.
A pen test, on the other hand, is a manual process. It actively seeks out vulnerabilities in the system and exploits them as an attacker would. Because it is a thorough process, it provides more comprehensive results. It is carried out less often than a vulnerability scan, usually once a year.
Because penetration testing is a rigorous process, businesses limit how much time is spent on it. Vulnerability scans, on the other hand, give only a limited view of the system: their findings reflect only the state of the system at the time the scan was run.
How to Identify a Good Penetration Tester
The PCI DSS lists several penetration testing requirements and qualifications that a tester should have. Pen testers may also hold certifications, including:
- Certified Ethical Hacker (CEH);
- Offensive Security Certified Professional (OSCP).
You may opt for a qualified internal assessor who is part of your staff, or for an outside contractor. Whichever tester you choose, ask for samples of the work they have done for other clients. Choose someone who has worked with clients in your industry; it is even better if they have experience with the software you use.
Throughout the process, you want a tester who keeps in touch regularly. Agree on the scope and limits of the pen test and on what action will be taken when vulnerabilities are identified. Have a plan that ensures the testing does not interfere with your business's daily operations, so that your systems are protected from damage and your customers from inconvenience while the testing is under way.
Guest Author Bio:
Jordan MacAvoy is the Vice President of Marketing at Reciprocity and manages the company's go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and at Intuit, via its acquisition of the SaaS marketing and communications solution Demandforce.