PCI DSS Penetration testing is a type of ethical hacking that simulates a network and its targeted systems. Penetration testing goes beyond running an automated vulnerability scanner; security professionals conduct tests and go deep into the system.
Performing PCI DSS penetration testing on your security networks, public devices, applications, databases, and other structures that store, process, or distribute cardholder data means you’re trying to detect vulnerabilities before cybercriminals.
If your company uses web applications to store, process, or transfer confidential information, you may be vulnerable to hackers. Many hackers can compromise the security of businesses with web applications that form their business foundation. Finding and fixing vulnerabilities your web applications may have is critical to your business.
What is a PCI DSS Penetration Test?
In order to beat a hacker, you have to think like a hacker. PCI DSS Penetration test is a type of ethical attack that simulates attacks on an organization’s network and systems. It is made to help organizations predict abusive errors in their systems that can lead to data breaches.
Penetration testing is a manual process that goes deeper than an automatic vulnerability scan and is done by experts in their business. Penetration testers specifically look for security issues that automated scanners cannot identify and exploit these vulnerabilities when they find them.
To meet PCI DSS Requirement 11, it is necessary to regularly test protection systems and processes and check external and internal systems.
Penetration testing under PCI DSS should be based on the CDE environment and any structure that might affect the CDE protection. Systems isolated from the cardholder’s data environment are considered out of scope for penetration testing.
See Also: What You Need to Know About Internal Penetration Tests
See Also: What You Should Know About External Penetration Testing
Organizations can isolate their networks, for example, by applying strict firewall rules to limit the impact of testing. Taking this precaution will eliminate false positives in the first stage of testing and reduce penetration testing costs as there is little to test.
Why Should I Have a Penetration Test?
Most systems are planned, built, and maintained by employees with little or no professional security experience. The penetration test is performed by a security expert who has been trained in the detection and identification of problems in a system. The resulting report can allow you to fix issues before a real attacker uses them.
See Also: External Penetration Testing Checklist
PCI DSS also requires businesses to conduct regular security assessments and segmentation tests every six months. Besides, additional reviews of these controls should be performed after significant changes have been made.
How are PCI DSS Penetration Tests Performed?
A PCI DSS penetration test consists of 5 steps:
- Scoping: The pentester will address your PCI DSS compliance assessment requirements for your internal network to determine testing scope before testing.
- Discovery: The tester will identify your network assets within the specified scope of the CDE.
- Evaluation: Using the details found in the first step, the network and applications are tested for possible security vulnerabilities.
- Reporting: A pentester will comprehensively evaluate the test results, prepare a complete report explaining the methodology and results, and providing a clear flow through the penetration testing stages to give evidence to the assigned QSA or other stakeholders.
- Retest: The processes are retested to ensure that all problems found were resolved successfully.
Unlike a real attacker, the pentester will take hours to test a particular environment. Therefore, you as a customer must decide where you want to spend most of the penetration tester time. Until testing, the quality and amount of information given to the analyst would have a huge effect on the time needed for testing.
The penetration test methodology is divided into three test types: a black box, white box, and gray box assessment. Black box tests mean that the expert performing the test does not have any information about your environment before the test.
In white-box tests, the expert gets detailed information about your environment before the tests. In gray box penetration tests, the expert has limited information about your environment before the tests.
You need to determine the type of penetration test according to which areas you will focus on. There are also many different types of tests that include penetration tests. Here are a few you might want to know:
Types of PCI DSS Penetration Tests
PCI DSS Penetration testing is a controlled, ethical hacking method that involves detecting potential vulnerabilities in the systems you choose. Such vulnerabilities may result from inadequate or incorrect device design, known or unknown hardware or software defects, as well as organizational deficiencies in process or technological countermeasure.
See Also: What is a PCI Approved Scan Vendor (ASV)?
PCI DSS Network Penetration Test
A PCI DSS network penetration test aims to identify security issues associated with a server, workstation, network service design, implementation, and maintenance. Commonly reported security issues to include:
- Incorrectly configured software, firewalls, and operating systems
- Old software and operating systems
- Unsafe protocols
Troubleshooting frequently identified security issues include:
- Reconfigure software, firewalls, and operating systems.
- Install updates.
- Enable encryption or implement a more secure protocol.
PCI DSS Segmentation control
See Also: PCI DSS Network Segmentation Test
A PCI DSS segmentation test aims to determine whether a misconfigured firewall allows access to a secure network. Commonly reported security issues to include:
- A TCP connection is allowed where it should not be.
- Pinging is allowed where it should not be.
Troubleshooting frequently identified security issues include:
- Reconfigure firewall rules to restrict access properly.
PCI DSS Application Penetration Test
Your developers are not perfect, so there are potential security vulnerabilities in the applications you use. The role of a developer is to design an application consistent with the feature. Bad coding practices or lack of authentication can also create security vulnerabilities in the software.
Even if you have up-to-date information on fixing and protecting apps, cybercriminals are continually improving their methods. Application penetration testing will ensure that threats are not left vulnerable to your web applications and help you avoid the danger.
A PCI DSS application penetration test attempts to detect security issues caused by unsafe development practices in software design, coding, and publishing. Commonly identified security issues include:
- Injection vulnerabilities (SQL injection, Cross-site scripting, remote code execution, etc.)
- Broken authentication (Authentication can be skipped.)
- Broken authorization (Low-level accounts can access high-level functionality.)
- Incorrect error handling
Troubleshooting commonly identified security issues include:
- Redesign authentication and authorization.
- Recode the software.
- Disable remote viewing of software errors.
PCI DSS Wireless Network Penetration Test
A PCI DSS wireless network penetration test aims to detect the authorized wireless network misconfigurations and the presence of unauthorized access points. Commonly identified security issues include:
- Insecure wireless network encryption standards
- Weak encryption password
- Unsupported wireless network technology
- Unauthorized access points
Troubleshooting commonly identified security issues include:
- Update the wireless network protocol to an industry-accepted protocol (such as WPA2).
- Replace the insecure password with a longer, more complex, and secure password.
- Set and disable rogue access points.
Social Engineering Tests
A social engineering assessment aims to recognize employees who do not correctly validate individuals, do not follow procedures, or validate potentially unsafe technologies. Any of these methods could allow an intruder to take advantage of the staff to manipulate them to do something they shouldn’t do. Commonly identified problems include:
- Clicking on malicious emails
- Allowing unauthorized persons to enter the facility
- Connecting a random USB to a workstation
The troubleshooting of commonly identified security issues is always the same: training.
Since the purpose of the social engineering assessment is to take advantage of employee confidence, such an evaluation can only be undertaken after employees complete a security awareness training course on defense against social engineering attacks.
What is the Difference Between the Application Penetration Test and Network Penetration Test?
Unlike what you might expect, the difference between these two forms of penetration testing is significant. Network penetration testing focuses on network architecture, deployment, and maintenance.
This also concerns the programs it hosts. A web application penetration test focuses more on applications and their core security, such as coding vulnerabilities and vulnerable software usage.
What is the Difference Between PCI DSS Vulnerability Scanning and PCI DSS Penetration Testing?
A vulnerability scan is usually wholly automated and provides limited verification of the vulnerabilities found. Simultaneously, a penetration test goes a step further and tries to exploit the vulnerabilities using manual methods.
See Also: What Are the Requirements for PCI DSS Vulnerability Scanning?
This removes false positives from the automated scanning process of the test and shows the real-world danger to the business and what a hacker can potentially do while targeting a company’s systems. Make sure the penetration testing provider requires manual monitoring and inspection rather than just an automated test.
Which Type of Penetration Test is Best for Your Organization?
To start with, choose the type of penetration testing that focuses on the controls you are most involved in:
- A web application or API = Application penetration test
- Infrastructure = network penetration test (and wireless penetration test if you are using it)
- People = Social engineering test.
If your goal is to achieve PCI compliance, you should consider taking a network test and an application penetration test.
| Annual Pentest | Quarterly Wireless Pentest | Annual Vulnerability Scan |
| Requirement 11.3 | Requirement 11.1 | Requirement 6.6 |
| RoC | RoC | RoC |
| SAQ D | SAQ D | SAQ D |
| SAQ C | SAQ A-EP | |
| SAQ C-VT | ||
| SAQ B-IP | ||
| SAQ A-EP |
If you know ​​the type of test you want and how detailed the tests should be, you need to determine from what perspective you want the test done.
By making these decisions carefully, you can choose a penetration test that suits your company’s needs and budget.
Understanding Penetration Test Results
Results of a penetration test may vary; however, all high-risk vulnerabilities must be resolved, either by full mitigation or compensatory controls, at least until the system is deemed compliant.
Risk ratings are based on many variables from an industry standard such as CVSS, including effects, probability, ease of use, and ranking.
Therefore, existing mechanisms should have an impact on reducing the risk level. Although classified as low risk in the penetration test report, many issues affecting the specific PCI DSS requirement may require correction before compliance.
As with all other documents submitted to the Qualified Security Assessor (QSA), the test report should be used as evidence. In some instances, the additional information submitted for inclusion in the report may be sufficient to correct the identified vulnerability without the need for other infrastructure or code changes.
Ultimately, the final decision as to whether an organization will be approved is up to QSA. It is their duty to determine if sufficient security to mitigate risk is possible.
How Can You Evaluate PCI DSS Penetration Testing Providers?
Not all penetration testing providers provide equal quality testing. Some are just vulnerability scans. Most service providers offer penetration testing, but not all are equivalent. When selecting your provider, you might want to keep a few things in mind. Here are a few questions you can ask them before signing the contract:
- Does the penetration tester have experience with your environment?
- Does it have relevant certificates?
- Is there positive feedback from other customers?
- What are their experiences with safety standards?
- How long have they been testing for penetration?
Remember, a penetration test will help you identify potential security issues and prevent your company from being compromised. Therefore, when choosing the penetration testing company, you need to do a detailed pre-selection.
What are the Advantages of Penetration Testing for PCI DSS Compliance?
Regular penetration tests are crucial to the overall safety posture. It is a vital activity that provides organizations with security diagnosis of real-world threats. As part of a routine security audit, penetration assessments help you identify vulnerabilities in your protection before a hacker exploits vulnerabilities and offers remediation measures.
The benefits of conducting regular penetration tests far outweigh the disadvantages. The main advantages of standard penetration tests are:
- Conducting regular penetration testing allows the company to determine the protection of its web application, internal and external networks.
- Allows you to protect the target system from an outside person’s point of view with only access to untrusted networks.
- Defends the company from an insider with access to trusted networks, not from the cardholder’s environment.
- Protects the company against vulnerabilities in applications such as cross-site scripting and SQL injection.
- Tests and shows that any control and segmentation method is operational and efficient.
- PCI DSS compliance requires regular penetration testing, internal and external vulnerability scans, especially RoCs (Compliance Reports), and some SAQs (self-assessment questionnaires).
Conclusion
If companies can demonstrate that their approach is sound and that the pentester is independent of the network management team, they can run penetration tests independently with an internal source. If these criteria are not met, a specific third party must be contacted to complete the PCI DSS penetration test.
If an organization decides to ensure that segmentation controls are successful annually (PCI DSS requirement 11.3.4), reviews should be performed by someone utterly independent of CDE monitoring and implementation.
Organizations should also make every effort to give the pentester as much detail as possible. The more the penetration tester has access to the elements, the more value they will extract from the test.
Therefore, the aim is to provide the pentester with cardholder data or system information or as many resources as you can provide. By doing this, penetration testers can contextualize risks and systematically examine sensitive areas within a time-limited testing process.
See Also: PCI SSC Information Supplement: Penetration Testing Guide
