PCI-DSS Penetration Testing
As most security systems are built and accessed by individuals, errors and weaknesses can soon present themselves through no fault of anyone’s own. This gives outsiders an ‘in’ to access your vulnerable cardholder data.
This is where PCI-DSS penetration testing comes in. This test is performed by a Qualified Security Assessor (QSA) who has been trained in identifying and addressing issues in a security system. Once you’ve received the PCI-DSS penetration testing guidance back from the security expert, you will be able to resolve these issues before attackers can access your system.
What is PCI-DSS penetration testing?
Penetration testing (or pen testing) is an assessment that aims to identify and address exploitable risks in your computer security system by simulating a cyber-attack.
More specifically, PCI-DSS penetration testing assesses a company’s complete cardholder data environment (CDE) and any systems that may have a direct impact on security.
PCI-DSS penetration testing will identify:
- Any unsafe system/network infrastructure
- Rogue access points
- Incorrect access controls
- Cryptographic failures
- Vulnerabilities within code
- Broken authentication and session management
What are the PCI-DSS penetration testing requirements?
PCI-DSS Requirement 11.3 specifies a list of controls needed during PCI-DSS penetration testing. By following the requirements, you’re making sure the test is conducted accurately so the process can run as smoothly as possible.
The PCI-DSS penetration testing requirements include:
- Finding a QSA – usually a qualified internal resource or third party – to perform the testing.
- Scoping needs to include critical systems and any networks or systems within the cardholder data environment (CDE).
- Penetration testing should be performed at least once a year or after any significant changes, with service providers needing segmentation testing performed every six months.
- Defining a methodology – based on industry standards and PCI guidance – for your testing that includes scoping, thorough documentation, and rules of engagement.
- All components must be covered – this includes scoping, segmentation testing, and network and application layer testing.
- PCI-DSS penetration testing methodology must be documented, and test reports must list the issues found with an assigned score and description for urgency.
- Any high urgency internal vulnerabilities will need to be remediated, as well as high and medium urgency external vulnerabilities. Any networks that should have been connected but were actually segmented will need to be brought into scoping unless these have already been remediated.
What are the different PCI-DSS penetration testing methods?
PCI-DSS penetration testing needs to be extremely rigorous to detect any potential vulnerabilities in your security system. This means employing a few different methods to cover all bases, including device design, hardware and software, and the organisational structure.
These methods are often used in the PCI-DSS penetration testing process:
PCI-DSS Network Penetration Test
PCI-DSS network penetration testing is designed to identify any server security issues. This test will assess your network service design, workstation, implementation, and maintenance.
Commonly reported security issues found during network penetration testing include unsafe or out-of-date software, firewalls, operating systems, and protocols. To fix these issues, troubleshooting involves installing updates and reconfiguring these systems or software. You may also need to implement more secure protocols and enable the appropriate encryption.
PCI-DSS Segmentation Control
A PCI-DSS segmentation test will determine if there is a misconfigured firewall within the system that allows access to a secure network.
This test looks for either unauthorised pinging or a TCP connection that shouldn’t have been allowed. If either of these issues is found, the troubleshooting involves restricting access properties by revising the firewall rules.
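The same check can be run against the ruleset itself before or after the rules are revised. The following is an added example, not part of the original article: it simulates ping and TCP probes from out-of-scope hosts to a CDE subnet against a firewall ruleset and reports which rule lets each one through. The addresses, rules, port list and the first-match, implicit-deny model are all constructed assumptions.

```python
import ipaddress

# Constructed sample ruleset: first match wins, implicit deny at the end.
RULES = [
    {"id": 1, "action": "allow", "proto": "tcp", "src": "10.20.0.0/24", "dst": "10.10.0.0/28", "port": 443},
    {"id": 2, "action": "deny", "proto": "icmp", "src": "10.50.0.0/16", "dst": "10.10.0.0/28", "port": None},
    {"id": 3, "action": "allow", "proto": "any", "src": "10.50.8.0/24", "dst": "10.10.0.0/28", "port": None},
    {"id": 4, "action": "allow", "proto": "icmp", "src": "10.60.0.0/24", "dst": "10.0.0.0/8", "port": None},
]
CDE = "10.10.0.0/28"                                   # constructed CDE subnet
OUT_OF_SCOPE_HOSTS = ["10.50.8.15", "10.50.9.15", "10.60.0.7"]
TCP_PORTS = [22, 443, 1433, 3389]                      # constructed probe list


def matches(rule, proto, src, dst, port):
    """True if the rule applies to this simulated packet."""
    if rule["proto"] not in ("any", proto):
        return False
    if src not in ipaddress.ip_network(rule["src"]):
        return False
    if dst not in ipaddress.ip_network(rule["dst"]):
        return False
    # A rule with a port only matches TCP traffic to that port.
    return rule["port"] is None or (proto == "tcp" and rule["port"] == port)


def decide(rules, proto, src, dst, port=None):
    """Return (action, rule id) of the first matching rule, else implicit deny."""
    for rule in rules:
        if matches(rule, proto, src, dst, port):
            return rule["action"], rule["id"]
    return "deny", None


def segmentation_findings(rules, cde, sources, tcp_ports):
    """List (source, proto, port, rule id) for every probe that reaches the CDE."""
    probes = [("icmp", None)] + [("tcp", p) for p in tcp_ports]
    findings = set()
    for src in map(ipaddress.ip_address, sources):
        for dst in ipaddress.ip_network(cde).hosts():
            for proto, port in probes:
                action, rule_id = decide(rules, proto, src, dst, port)
                if action == "allow":
                    findings.add((str(src), proto, port, rule_id))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or 0))


if __name__ == "__main__":
    for finding in segmentation_findings(RULES, CDE, OUT_OF_SCOPE_HOSTS, TCP_PORTS):
        print("segmentation failure:", finding)
```

Rule 3 is the kind of finding the test exists for: the ICMP deny in rule 2 stops the ping, but the broader allow beneath it still lets every TCP probe from 10.50.8.0/24 into the CDE.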
PCI-DSS Application Penetration Test
Your app developers are only human, so occasionally mistakes can slip through the cracks, creating vulnerabilities in your security system. Similarly, hackers with malicious intent are constantly becoming more advanced in their methods. This is why it’s important to perform application penetration testing to remove any issues and reduce the likelihood of threats.
These tests aim to detect security issues caused by unsafe or incomplete practices in software design, coding, and publishing. During this test, some of the issues found most frequently include incorrect error handling or broken authentication processes. Injection vulnerabilities are also common, often within cross-site scripting or remote code execution.
These faults can all be fixed straightforwardly, through redesign or software recoding. Error handling issues are usually resolved by disabling remote viewing.
PCI-DSS Wireless Network Penetration Test
The final stage of PCI-DSS penetration testing on the security system itself looks at how effective your wireless network is. This test looks for misconfigurations and unauthorised access points.
During this test, a few errors may crop up, including insecure encryption standards and weak passwords. It also may find unsupported wireless network technology and unauthorised access points.
If your wireless network doesn’t meet the standards of the assessment, there are several solutions. You may need to update the wireless network protocol to one that is more industry-accepted, such as WPA2. More secure and complex passwords may need to be implemented, and rogue access points should be set up and disabled.
Social Engineering Tests
A social engineering assessment is essentially a test of your employees and their knowledge of security protocols and procedures. This test can only take place if your employees have already received training in the past – usually a security awareness course on defence against hackers. If a malicious hacker can manipulate and take advantage of your staff’s lack of understanding, it could mean disaster for your business.
Clicking on malicious emails, connecting their own USB sticks to workplace computer systems, and letting unauthorised personnel into your company premises are all signs that the employee needs a security training refresher.
What is the ideal PCI-DSS penetration testing frequency?
Generally, you should carry out PCI-DSS penetration testing every six months. However, regular security assessments and segmentation tests will also need to be done if there have been any significant updates or alterations to your system’s infrastructure or applications. This is particularly necessary if your security system has received any upgrades, deployed additional web servers, or if there have been new sub-networks integrated.
By being proactive with your PCI-DSS penetration testing, you will ensure the strength of your organisation’s security surrounding CDEs, reducing your susceptibility to advanced risks in the future.
What do PCI-DSS penetration testing results mean?
Each issue found during the PCI-DSS penetration testing process will be given a risk rating to decide its severity. These ratings are usually based on industry standards.
If high-risk vulnerabilities are found during PCI-DSS penetration testing, they must be resolved immediately. This can be achieved by using either full mitigation or compensatory controls until the system becomes completely compliant.
However, your existing security protocols will also have an impact on reducing the risk level. Something that may be considered low risk in the PCI-DSS penetration testing guidance may still need to be corrected to ensure that your system is still compliant.
When it comes to your PCI-DSS audit, the most recent penetration testing report should be submitted to your Qualified Security Assessor (QSA) as evidence. Occasionally, any additional information submitted surrounding the report will be enough to correct the issue found – removing the need to modify any code or other elements of the infrastructure.
The QSA will have the final say on whether the organisation passes the testing process, and this is based on whether enough action is taken to mitigate risk once any system vulnerabilities are found.
What are the advantages of regular PCI-DSS penetration testing?
By conducting regular PCI-DSS penetration testing, you’re ensuring the strength of your security system in the long run. As web data breaches can often translate into real-world threats, it’s important to identify and remove vulnerabilities before they can be exploited by cybercriminals.
The benefits of regular PCI-DSS penetration testing include:
- PCI-DSS compliance. Alongside regular PCI-DSS penetration testing, you may also need to perform internal and external vulnerability scans. This includes RoCs (reports on compliance), and SAQs (self-assessment questionnaires).
- Being able to accurately determine how protected your company’s web application is, including any internal and external networks.
- The ability to protect the target system from outsiders with access to untrusted networks.
- Protection against potentially malicious insiders with access to trusted networks.
- Protection against weaknesses in web applications, such as cross-site scripting and SQL injection.
- The ability to see if your control and segmentation methods are working efficiently.
Keep track of your PCI-DSS penetration testing with Hicomply
The many elements of PCI-DSS penetration testing can make the process feel overwhelming and difficult. Keeping on top of all the documentation manually can lead to information getting lost and mistakes being made – something that could profoundly impact your ability to remain PCI-DSS compliant.
At Hicomply, our full-service ISMS platform allows you to access all the information you need in one place, making the process a much smoother and hassle-free experience. Contact us now for more information.