Best PCI DSS Guide to Engage a Proper Pen Testing

BY Paul Kubler

What is a PCI DSS Penetration Test?

PCI DSS requirements will change over time and companies must evaluate their threat landscape in order to ensure their cyber security program is current.

The four PCI DSS compliance levels, set by annual card transaction volume:

Level 1: Merchants processing over 6 million card transactions per year.

Level 2: Merchants processing 1 to 6 million transactions per year.

Level 3: Merchants handling 20,000 to 1 million transactions per year.

Level 4: Merchants handling fewer than 20,000 transactions per year.

PCI penetration testing is a manual process that goes deeper than an automated vulnerability scan. It is carried out by experienced penetration testers, who look for security issues that automated scanners cannot find and then attempt to exploit the vulnerabilities they discover.

Penetration testing under PCI DSS should be scoped around the cardholder data environment (CDE) and any system that could affect the security of that environment. Systems properly isolated from the cardholder data environment are considered out of scope for penetration testing.

The PCI Security Standards Council (SSC) develops and maintains the standards for PCI compliance.
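The scoping rule above, as an added example that is not part of the original post: starting from a constructed inventory of permitted network flows (hypothetical host names), it treats the CDE plus every host with a network path into or out of the CDE as in scope, and everything with no such path as segmented and out of scope.

```python
# Added example (not from the CYBRI post): derive PCI DSS pen-test scope
# from a network inventory. Hosts in the CDE, plus every host that can reach
# the CDE or be reached from it, are in scope; the rest are isolated.
from collections import deque

# Constructed sample inventory (hypothetical host names): host -> hosts it
# is permitted to connect to, as distilled from firewall rules or ACLs.
SAMPLE_FLOWS = {
    "pos-terminal-1": {"payment-gw"},
    "payment-gw": {"card-db"},
    "card-db": set(),
    "jump-host": {"payment-gw", "hr-server"},
    "hr-server": {"mail"},
    "mail": set(),
    "guest-wifi": {"mail"},
}
# Constructed CDE: the systems that store, process or transmit card data.
SAMPLE_CDE = {"payment-gw", "card-db"}


def _reachable(start, adjacency):
    """Breadth-first search: every node reachable from any node in start."""
    seen = set(start)
    queue = deque(start)
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def pentest_scope(cde, flows):
    """Return (in_scope, connected_to, out_of_scope) host sets.

    in_scope     = CDE plus every host with a path into or out of the CDE
    connected_to = in_scope minus the CDE (segmentation must be tested here)
    out_of_scope = hosts with no path in either direction (isolated)
    """
    reverse = {}
    for src, dsts in flows.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    in_scope = _reachable(cde, flows) | _reachable(cde, reverse)
    connected_to = in_scope - set(cde)
    out_of_scope = set(flows) - in_scope
    return in_scope, connected_to, out_of_scope
```

Calling `pentest_scope(SAMPLE_CDE, SAMPLE_FLOWS)` on the constructed inventory puts the POS terminal and the jump host in scope as connected-to systems, while the HR server, mail server and guest Wi-Fi fall outside the scope because no path links them to the CDE.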

Difference between penetration tests and vulnerability scans

Vulnerability scanning, whether internal or external, is not the same as penetration testing.

Here are four differences:

  • A vulnerability scan is automated. A penetration test is done by a live person or team of security professionals who actually research the complexities of your network along with the compliance standards required by your organization.
  • A vulnerability scan only identifies possible vulnerabilities. During a penetration test, the pen tester will confirm the exploitability of the vulnerability and look to identify the root cause of the vulnerability that allows access to secure systems or stored sensitive data.
  • Vulnerability scans and penetration tests work together to encourage optimal network security.
  • Vulnerability scans are done weekly, monthly, or quarterly, while penetration tests are continuous.

Why is pen testing critical to protecting clients’ information?

“The PCI SSC requires every organization that processes, stores, or transmits credit card information to conduct a vulnerability assessment and perform remediation after a breach occurs.”

– Organizations should also implement encryption technology and ensure that access to sensitive data is restricted to allowed personnel.

– Organizations should also train employees about how to detect suspicious activity in their networks.

Home Depot lost $80 million after a breach exposed 56 million customers’ credit card accounts. Target’s $200 million in replacement expenses and the credit card compromise itself were very damaging to its brand.

The penetration testing process typically goes through six phases:

  • Planning and reconnaissance
  • Scanning of the network environment
  • Gaining system access
  • Maintaining persistent access
  • Social engineering attacks
  • Final analysis and report

How do pen testing and vulnerability scanning align with the 12 PCI DSS requirements?

The 12 requirements of PCI DSS, with the testing activity that supports each:

  1. Install and maintain all firewall configurations (Pen and Scanning).
  2. Do not use vendor-supplied passwords (Pen and Scanning).
  3. Protect stored cardholder data within your system (Pen).
  4. Encrypt cardholder data transmitted across public networks (Pen).
  5. Update anti-virus software or programs (Scanning).
  6. Patch all systems and applications (Pen and Scanning).
  7. Restrict access to cardholder data by business need to know (Pen).
  8. Assign a unique ID to each person with computer access (Scanning).
  9. Restrict physical access to cardholder data (Pen).
  10. Monitor all access to network resources and cardholder data (Scanning).
  11. Regularly pen test PCI security systems, networks, and hosts.
  12. Maintain a policy that addresses information security for all personnel (Internal Audit Control).

Pen testing alignment to PCI DSS section 11.x

To meet PCI DSS Requirement 11, it is necessary to regularly test security systems and processes and to check both external and internal systems.

  • 11.1: Implement processes to test for the presence of wireless access points (802.11) and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
  • 11.2: The report provides evidence that quarterly external vulnerability scans and rescans are performed.
  • 11.3: Penetration testing must be performed after any ‘significant change’ to the CDE.
  • 11.4: Intrusion detection or intrusion prevention techniques must compare traffic entering your network against the behavior of known threats, such as hacker tools, and raise alerts.
  • 11.5: A file integrity monitoring system must monitor all of your critical files and all application files within your environment.
  • 11.6: Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.

The internal security and audit team needs to engage qualified third-party pen testers to ensure security is assessed objectively.

Framework for PCI DSS Network Penetration Test

A PCI DSS network penetration test focuses on identifying security issues in server, workstation, and network service design, implementation, and maintenance. Commonly reported findings include:

  • Misconfigured software, firewalls, and operating systems
  • Legacy software and operating systems still in use
  • Unsafe protocols not locked down by an ACL or firewall rules
  • Critical security risks discovered during testing, which are documented in the report

A PCI DSS penetration engagement comprises 5 steps:

  1. Scoping: The pen tester will address your PCI DSS compliance assessment requirements for your internal network to determine testing scope before testing.
  2. Discovery: The tester will identify your network assets within the specified scope of the CDE.
  3. Evaluation: Using the details found in the first step, the network and applications are tested for security vulnerabilities.
  4. Reporting: A pen tester will comprehensively evaluate the test results, prepare a complete report explaining the method and results, and provide a clear flow through the penetration testing stages to give evidence to the assigned QSA or other stakeholders.
  5. Retest: The processes are retested to ensure that all problems found were resolved successfully.

What is the proper engagement structure for a pen test?

Clients developing an ongoing pen testing strategy should define a clear reporting taxonomy as a framework for continuous engagement. PCI DSS requires consistent vulnerability scanning and quarterly or semi-annual pen testing, depending on credit card transaction volumes.

  1. Executive summary for strategic direction
  2. Walkthrough of technical risks and challenges encountered during the engagement
  3. Potential impact of each vulnerability on production and staging systems
  4. Multiple remediation options for each vulnerability, including patching, sunsetting the platform, or no remediation required
  5. Documentation of any risks to PCI DSS compliance requirements

Summary

Regular penetration tests are an excellent way to validate the security of your Cardholder Data Environment. The focus of a PCI pen test is always to protect credit card information, but the security of every business depends on far more than credit cards.

It is crucial to balance fulfillment of the PCI requirements with assurance that your customers’ privacy, your brand, and your business are secure. A pen test must be completed by a qualified resource on at least an annual basis, and should consider both internal and external threats to maximize the value of your investment. Please let us know here at CYBRI if you have questions regarding your PCI pen test, or if you’d like to learn more about how we can help.
