PCI DSS Penetration Testing
Requirement 11.3 of the Payment Card Industry Data Security Standard (PCI DSS) describes the need to regularly and frequently carry out penetration testing to identify unaddressed security issues and scan for rogue wireless networks. Regular penetration testing is fundamental to ensuring that an organisation is prepared for the full range of attacks that companies have to face.
Penetration testing services for PCI DSS version 3.2 compliance
PCI DSS compliance, especially for Reports on Compliance (ROCs) and some self-assessment questionnaires (SAQs), requires internal and external vulnerability scans, and frequent penetration tests.
Penetration testing should include network and application layer testing, as well as the controls and processes around those networks and applications. It should be conducted both from outside the network, attempting to get in (external testing), and from inside the network (internal testing).
The importance of testing your cardholder data environment regularly
Although Requirement 11 of the PCI DSS mandates regular testing of security systems and processes, Verizon’s 2017 PCI Compliance Report shows that security testing retains its traditional place at the bottom of the list with only 71.9% of organisations achieving full compliance.
Yet payment card data is a prized commodity for cyber criminals and is usually the main target in attacks against commercial environments. Indeed, the 2017 Trustwave Global Security Report identified that more than half of the incidents investigated targeted payment card data.
Penetration tests can make all the difference
A penetration test aims to determine whether and how an attacker can gain unauthorised access to assets that affect the fundamental security of your system. It provides real-world security testing of the controls you believe are in place and functioning effectively. It’s a way to identify vulnerabilities that can be exploited to circumvent or defeat the security features of system components.
The recommended scope for PCI DSS penetration testing
The scope of a penetration test, as defined in PCI DSS Requirement 11.3, must include the entire cardholder data environment (CDE) perimeter and any critical systems that may impact the security of the CDE, as well as the environment in scope for the PCI DSS. This includes both the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (Local Area Network (LAN) attack surfaces).
Penetration test scoping guidance
Test at least annually
The PCI DSS specifies that external and internal penetration testing should be performed at least annually, and after any significant infrastructure or application upgrade or modification within the target environment. Penetration testing is especially important in confirming whether your approach to segmenting your network is truly effective in isolating your CDE from other networks. Large breaches typically originate with a simple attack into an insecure area of the victim’s network with a subsequent lateral move directly into the CDE.
The PCI penetration testing requirements for different merchant and service providers
* Or after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications and product upgrades).
** Or after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment).
# Only required for testing network segmentation if any is present.
+ Only external penetration test required.
++ For service providers, any network segmentation must be tested every six months.
1 Or after any change to the application. Applicable if developing own applications or using a third-party non-PCI DSS-certified web application.
Our PCI DSS penetration testing service
Get in contact
We have a team of account managers and security consultants to discuss your PCI DSS challenges. For more information, please contact us.