If your organization frequently processes payment, then you’re obliged to comply with the Payment Card Industry Data Security (PCS DSS). This regulation protects the sensitive cardholder information. The PCI DSS has several prescriptive elements, and you must perform penetration testing and choose the methods that will undoubtedly show that you have sufficient controls to protect your cardholders’ data.
PCI DSS Penetration Testing
Key components of penetration testing
There exist different types of penetration testing that you can apply for PCI DSS regulation including:
• White-box assessment. Your organization is expected to provide the penetration testers with all the application details as well as the network.
• Grey-box assessment. This method will involve the use of partial information about your organization’s target systems.
• Black-box assessment. This method does not offer any information before the start of penetration testing.
To get better insights into your organization security environment, it’s recommended that you either use the white-box or grey-box assessment methods. The information you’ll provide is used in streamlining the testing process and thus will save you time and resources.
What is the difference between penetration test and vulnerability scan?
The primary intention of a vulnerability scan is to recognize, rank, and report all the risks that can compromise your data environment. It has been a norm for all organizations to perform the tests at least quarterly. Any vulnerability identified should be rectified before it progresses to affect the integrity of your cardholders’ data. Always, the vulnerability tests utilize automated tests although manual verification may be required.
On the other hand, penetration testing seeks to find the gaps in your organization’s security systems. Unlike the vulnerability testing which only reviews an existing landscape to identify problems, this method seeks loopholes in your system that can be used by malicious individuals to compromise the cardholder data environment.
Determining the Scope of Cardholders’ Data Environment (CDE)
According to PCI security standards, CDE refers to all the individuals, processes, and technology involved in the collection, storage, processing, and transmission of cardholders’ sensitive information. As such, the initial stage of penetration testing should always include determining the scope of PCI compliance.
You should ensure that all the payment processors evaluate all the access permissions to public networks. This should include restricting access to any individual outside a given IP address. After that, the organizations should check all the internal systems with the ability to access CDE.
You should, therefore, ensure that your penetration testing includes network and application assessment. Also, it’s necessary that you test all the information that you assume to be outside the CDE to ensure that no cross-contamination will occur at any given point. Before you decide that any information is out of scope, you must confirm that it will not affect the cardholders’ data.
Definition of a Critical System
All systems that interact with the cardholders’ private data is referred to as “critical.” The systems may include public-facing devices, storage devices, processors, security systems, and other systems involved in the transmission of data. Also, all the authentication servers, firewalls, intrusion detection software, and e-commerce redirection fall under the critical systems.
In summary, the critical systems are all those assets that play a role in the collection, storing, handling, and transmission of CDE.
Differences between Application-layer and Network-layer Testing
Most of the attackers focus on the weaknesses of the application layer. As such, many companies have invested in third-party software, mobile applications, legacy applications, internal software, and open source components to ease their payment processes. Testing the application-layer incorporates breaking the software for weaknesses.
On the other hand, network-layer testing involves testing all the devices in your organization. The process seeks to identify weaknesses in routers, servers, switches, and firewalls. Some of the common network weaknesses include misconfigured devices, unpatched systems, as well as default passwords.
The application-layer and network-layer tests (necessary for PCI DSS approval)
According to PCI DSS, your organization must perform tests on web applications, authentication, PA-DSS compliance application, and a separate testing environment.
To ascertain authentication integrity, you must define the roles of each employee in accessing the cardholders’ data. If your organization is using PA-DSS validated application, you’re obliged to test the operating system to eliminate any chance of data compromise.
Also, companies should ensure that they test their network-layer system to ensure that all the data sharing tools and other software are appropriately configured and maintained.
You should realize that penetration testing can disrupt your daily operations. As such, you should create a testing environment that’s like the actual operating systems.
Definition of significant change
This refers to any change in your system that will require it being subjected to the PCI DSS penetration testing procedure. For example, an upgrade that could compromise the integrity of CDE, in this instance you would follow the testing procedure to ensure it is still compliant.
Benefits of automation in PCI DSS Penetration Testing
Automated tools provide easy-to-use data that gives insights into penetration testing and PCI DSS compliance. The tools monitor every update that can expose CDE to harm and simply audits and reporting.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.