What is PCI Penetration Testing – What Should You Know? A Detailed Guide

Organizations dealing with card payment data must comply with the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholder data.

Per this Standard, PCI Penetration Testing must be performed to verify whether or not the organization’s security controls protect the cardholder data environment.

The PCI DSS was introduced to provide a minimum security benchmark when handling sensitive customer card information. On this note, the PCI Council has incorporated Penetration Testing in the Compliance process.

A PCI Penetration test is designed to validate the security of credit cards and improve security measures in the organization.

Elaborating more on this, we have answered and explained some of the most asked questions about the PCI Pen Test, which include: what is the PCI Penetration Test, who needs to perform it, when should it be performed, and other relevant details.

What Is PCI Penetration Testing?

A Penetration Test is an exercise or testing process that involves a security professional, also known as an ethical hacker attempting (with prior authorization for the test) to exploit vulnerabilities and gain unauthorized access to critical systems and data.

They use the commonly used techniques hackers adopt to perform a real phishing scam or cyber-attack. However, the only difference is that they act with your permission to discover weak areas in the network to highlight the information security gaps that must be addressed.

That said, the PCI Penetration Testing guideline specifies two types of testing that must be performed in the compliance process. This includes a Network-layer Penetration Test and Application-layer Penetration Testing.

These two types of testing techniques are very similar to conventional Penetration Testing. Network-layer Penetration Testing is essentially an Infrastructure Pen Test, and Application-layer Penetration Testing is Application Security Testing.

The assessment of Application-layer Penetration Testing helps identify security defects that result from either insecure application design or configuration or from employing insecure coding practices or security defects. This may result from insecure software implementation, configuration, usage, or maintenance.

Remediating vulnerabilities identified during an Application-layer Assessment may involve redesigning or rewriting the insecure code.  Again, the remediation of vulnerabilities identified in a Network-layer Assessment typically involves reconfiguring settings or updating software/firmware. In some instances, remediation may require the deployment of a secure alternative to insecure software.

Who needs to perform a PCI Penetration Test?

Penetration Testing is a security evaluation exercise specified in PCI DSS to evaluate the likelihood of a compromise. The requirements mandate testing in circumstances where the PCI Council considers there is a potential risk.

That said, the PCI Penetration Test is mandatory for Level 1 merchants, specific e-commerce-only merchants covered under SAQ A-EP, and service providers falling under SAQ D.

However, it is essential to note that Penetration Testing is not mandatory for all SAQ. But organizations should evaluate the security of their environment regardless of the PCI requirements.

This is especially true when PCI focuses on securing card data in general. The PCI Council specifies in their PCI Penetration Testing Guidance that a Penetration Test needs to be conducted by a qualified internal Pen Tester professional or third-party independent of the organization.

 The PCI guidance specifies the Penetration Testing certifications that may help organizations validate the qualified personnel. While the council even states that certifications alone are not enough and should consider assessing the consultant’s experience.

• Offensive Security Certified Professional (OSCP)
• GIAC Certified Penetration Tester (GPEN)
• GIAC Web Application Penetration Tester (GWAPT)
• GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
• CREST Penetration Testing Certifications
• CESG IT Health Check Service (CHECK) certification

When do you need to perform a PCI Penetration Test? 

PCI DSS Requirements 11.3.1 and 11.3.2 state that the organization must conduct testing at least annually or after any significant changes have been introduced in the environment.

However, we as professionals often recommend testing at least three months before the annual PCI Compliance Audit. The PCI Penetration Tests can be completed within a month and may further require remediation to ensure no exceptions. However, initial testing may require significantly more time.

Requirement 11.3.1: Perform external Penetration Testing annually and after any significant infrastructure, application upgrade, or modification. This may include an operating system upgrade, a sub-network added to the environment, or a web server added to the environment. 

Requirement 11.3.2: Perform internal Penetration Testing at least annually and after any significant infrastructure or application upgrade or modification. This may include an operating system upgrade, a sub-network added to the environment, or a web server added to the environment. 

What is defined as a significant Change?

 PCI Penetration Testing Guidance document describes a “significant change” as a change that may impact the network’s security or allow unauthorized access to cardholder data.

This can be seen as a new remote access system, the introduction of a new server, or significant changes in the application. Organizations must consult with their Penetration Tester about the same to schedule the changes and test accordingly with some alternate flexible options.

Scope of PCI Penetration Test

The Penetration Test must be conducted on the system’s network and environment holding the sensitive Cardholder data. So, the test should be performed on the Cardholder Data Environment and any systems which, if compromised, could impact the security of the CDE.

For systems, networks, and applications to be out-of-scope for a Penetration Test, they must be segregated from the CDE.

So, even if a system is compromised in an event, the integrity of the Cardholder Data Environment would be intact or unaffected.

Reducing the scope of the Pen Test is possible by segregating the network. While this is not compulsory, but it helps reduces the cost of the test and also ensures that the network is secure even in case of compromise.

It is important to note that regular checks must be performed as stated in requirement 11.3.4 to verify whether the segmentation controls are adequate.

This could be done annually or half-yearly if you are a service provider. This must further be examined by personnel independent of the implementation team or management of the CDE.

How Does a Penetration Test differ from a Vulnerability Scan?       

Vulnerability scans are meant to identify risks, rank them based on their severity level, and report the security vulnerabilities that may compromise a system.

Organizations often perform a vulnerability scan every quarter or after making significant changes to the Card Data Environment.

However, Penetration Testing is specifically conducted to exploit vulnerabilities in security controls by identifying gaps in security controls.

It is an evaluation process or technique that involves ethical hackers trying to break into systems and gain unauthorized access.

While Penetration tests can be defined as an active testing process, Vulnerability Testing can be defined as a passive testing process that scans the environment to identify potential risks.

Another significant difference between the two tests is that the Penetration Testing conducted is in-depth and costs much more than the Vulnerability Test, which provides limited company insights to the point in time during the scan.

While both tests differ in many ways, both techniques are essentially required by the organization to evaluate the security controls and verify whether or not they are effective. 

Conclusion

Penetration Testing, although a worthwhile addition to the PCI requirement, is a good evaluation technique to verify and validate the effectiveness of security controls deployed within the Cardholder Data Environment (CDE).

The intent of performing a PCI Penetration Test is always to protect payment card data and the security of the organization’s infrastructure in general. Achieving a balance between infrastructure and Data Security is crucial for achieving the PCI requirements.

So, businesses must perform a Penetration Test annually by qualified personnel,to thoroughly evaluate internal and external threats to maximize the testing process and investment of resources.