Penetration Testing for PCI

pen-testing-for-pci

Penetration Testing for PCI

May 16 2017

What is PCI?

Payment Card Industry Data Security Standard (PCI-DSS), or just PCI for short, is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

The PCI DSS standard is administered by the PCI Security Standards Council (PCI-SSC) which is an independent body set up by the major credit card brands; (Visa, MasterCard, American Express, Discover and JCB.)

NOTE: It is these credit brands which are responsible for enforcing compliance, and not the PCI-SSC.

What is the penetration testing requirement for PCI?

PCI DSS Requirement 11.3 specifies that all organizations who store, process or transmit cardholder information must include penetration tests as part of their information security program.

PCI Penetration tests are required for both application and network components of the Cardholder Data Environment (CDE), the entire CDE perimeter, and any critical component which may impact the security of the CDE. This includes testing to ensure the proper segmentation of the CDE from out of scope systems.
The CDE is defined by PCI-DSS as;

“the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data”

The requirement also states that a penetration testing methodology must be implemented and based upon an industry accepted model such as NIST SP 800-115, OWASP Testing Guide, Open Source Security Testing Methodology Manual (“OSSTMM”), PTES or PTF.

PCI DSS Requirement 6.6, requires that public-facing web applications shall:
“address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.”

PCI Requirement 6.6 can be achieved by:

“Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.”

Who can perform penetration testing for PCI?

According to Penetration Testing Guidance from the PCI Security Standards Council, the penetration tester must be both qualified and organisationally independent.

Organisationally independent means that the pen tester must not be associated in any way with either the implementation of the PCI environment, or its day to day operations, management, or support.

For the purpose of a qualified penetration tester, PCI DSS does not set a requirement for this, but recommends guidelines such as certifications and past experience of the penetration tester.

PCI references the following penetration testing certifications as indicators of skill level required for PCI penetration testing:

  • Offensive Security Certified Professional (OSCP)
  • Certified Ethical Hacker (CEH)
  • CREST Penetration Testing Certifications
  • GIAC: GPEN, GWAPT, GXPN

How often do I need to do perform pen testing for PCI?

According to PCI requirement 11.3, penetration testing must be performed at least annually or whenever there is a significant change anywhere in the CDE.

PCI penetration testing guidance gives example of what is considered a significant change such as; infrastructure or application upgrade or modification, or new system component installations. But PCI-DSS does not prescribe exactly what defines a significant change as it is variable based upon the risk assessment of the said environment and its configuration.

    If the change could impact the security of the network or allow access to cardholder data, it may be considered significant.

What About Vulnerability Assessments for PCI?

PCI Requirement 11.2 reads;

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).”

There is a big difference between internal and external vulnerability scanning for PCI:

For Internal vulnerability scans you must verify that four quarterly internal scans took place in the past 12 months and that rescans occurred until all “high-risk” vulnerabilities as defined by requirement 6.1 were resolved.

External scans, like internal ones, must be done at least quarterly. The difference is that the external scan must be done via an an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).

Summary

Core Sentinel’s penetration tests comply with both PCI requirement 6.6 for web applications, and requirement 11.3 for internal/external infrastructure.

Our penetration testing consultants meet both the experience, and the certification recommendations as set out in the PCI SSC’s Penetration Testing Guidance. We are able to assist you with both PCI penetration testing, and PCI vulnerability scanning.

Call one of our OSCE / OSCP qualified consultants today to discuss how you can achieve the penetration testing requirements as set out by the PCI Security Standards Council.

References

PCI Penetration Testing Guidance

https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

PCI DSS Quick Reference Guide

https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf