The Payment Card Industry Data Security Standard (PCI DSS) is designed to ensure a secure data environment for all companies that process, store or transmit card information, and merchants that fall under it must have penetration testing performed on their cardholder data environment at least annually and after any significant change to their infrastructure or applications.
For companies unfamiliar with penetration testing, the requirement can seem complicated. But knowing what the test is meant to accomplish and how to select a penetration tester will help ensure your systems are actually secure, not just checked off.
What is PCI Penetration Testing?
PCI penetration testing determines whether and how a malicious user can gain access to resources that affect the security of your cardholder data environment (CDE), which PCI DSS defines as the “people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.”
The scope of a penetration test includes the entire CDE perimeter and any critical systems that could affect its security, covered from both the external perimeter (public-facing attack surfaces) and the internal network (LAN-to-LAN attack surfaces). If you rely on network segmentation to keep parts of your network out of scope, the segmentation controls themselves must be tested to confirm they actually isolate the CDE from those out-of-scope networks.
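Working out which hosts fall inside that scope is mostly a reachability question: anything that can open a connection into the CDE, directly or through another such host, can affect CDE security and belongs in the test. The script below is an added example, not code from the original page or from Bluefin; the CDE address range and the flow records are constructed for illustration, and a real engagement would feed it the results of actual probes from each network segment.

```python
"""
Scope helper for a PCI penetration test (added example, not from the original page).

Hosts are sorted into three classes, following the PCI SSC scoping guidance:
  - cde:           stores, processes or transmits cardholder data (given as CIDR blocks)
  - connected-to:  can initiate a connection into the CDE, directly or via another
                   connected-to host, so it is in scope for the test
  - out-of-scope:  no observed path into the CDE; segmentation is holding

Input is a list of probe results (src -> dst:port, did the connection succeed?).
The flow records below are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Assumed CDE address space for the example; replace with your CDE inventory.
CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample probes: (source_ip, destination_ip, dest_port, allowed)
# `allowed` records what a probe from the source actually observed.
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.10.0.10", 443, True),    # corporate jump host -> CDE web tier
    ("10.30.0.7", "10.20.0.5", 22, True),      # developer workstation -> jump host
    ("10.40.0.9", "10.10.0.10", 443, False),   # guest wifi -> CDE, blocked by firewall
    ("10.40.0.9", "10.30.0.7", 445, True),     # guest wifi -> developer workstation
    ("10.10.0.10", "10.10.0.20", 5432, True),  # CDE web -> CDE database
    ("10.50.0.3", "10.50.0.4", 80, True),      # isolated network, no path to CDE
]


def in_cde(ip):
    """True if the address lies inside one of the CDE networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDE_NETWORKS)


def classify_hosts(flows):
    """Return {ip: 'cde' | 'connected-to' | 'out-of-scope'}.

    Reachability is computed transitively over allowed flows: a host that can
    only reach a jump host which in turn reaches the CDE is still connected-to.
    """
    reverse = defaultdict(set)   # dst -> sources that successfully connected to it
    hosts = set()
    for src, dst, _port, allowed in flows:
        hosts.update((src, dst))
        if allowed:
            reverse[dst].add(src)

    result = {h: "cde" for h in hosts if in_cde(h)}
    # Walk backwards from every CDE host along allowed edges.
    frontier = [h for h in hosts if in_cde(h)]
    while frontier:
        dst = frontier.pop()
        for src in reverse[dst]:
            if src not in result:
                result[src] = "connected-to"
                frontier.append(src)
    for h in hosts:
        result.setdefault(h, "out-of-scope")
    return result


def segmentation_findings(flows):
    """Allowed flows that cross from a non-CDE host into the CDE.

    Each one is a path the tester must confirm is intended, documented and
    restricted to the minimum ports needed."""
    return [(s, d, p) for s, d, p, allowed in flows
            if allowed and not in_cde(s) and in_cde(d)]


if __name__ == "__main__":
    for host, cls in sorted(classify_hosts(SAMPLE_FLOWS).items()):
        print(f"{host:12} {cls}")
    print("CDE ingress paths:", segmentation_findings(SAMPLE_FLOWS))
```

Note what the sample shows: the guest wifi host is blocked from the CDE directly, yet it ends up connected-to because it can reach a developer workstation that can reach the jump host. A test that only probes each segment against the CDE itself would have missed that, which is why the scope walk has to be transitive.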
The test simulates a real attack to identify how far an attacker can penetrate your systems. The tester will likely attack from more than one position, as an insider with legitimate access to the system and as an outsider on the internet, to uncover as many vulnerabilities in your security controls as possible.
Before testing begins, agree on the rules of engagement with the tester: exactly which systems are in scope, the success criteria, and how deep the test may go (for example, whether a compromised host may be used to pivot further into the CDE). Without agreed depth limits, the tester may exceed the boundaries and expectations of the target entity, which makes the testing longer and more costly.
Separately, your organization is assigned a merchant level for each card brand you accept, based on the number of transactions you process with that brand. The level determines how you validate compliance (a self-assessment questionnaire at the lower levels, an on-site assessment and Report on Compliance at the highest), not the technical content of the penetration test. Each card brand defines its levels and submission requirements differently, so you may be a level 3 merchant with Visa and a level 4 with American Express.
A breach of your systems can also move you to a higher level. To keep this simple, determine the number of transactions you process per card brand and ask your acquiring bank; the acquirer has the final say over its merchants’ levels and can walk you through what is required.
Types of PCI Penetration Testing & Result Reports
There are three types of penetration tests: black-box, gray-box and white-box. In a black-box test, you’ll provide no information about the target system to the tester; a gray-box assessment will be conducted with some details; and in a white-box test, you’ll provide the tester with complete details of the network.
White- and gray-box assessments are most common for PCI testing because they give more accurate results and a more comprehensive test of CDE security: a tester who already knows the network layout spends the engagement finding weaknesses rather than mapping. They also tend to be quicker and cheaper than black-box testing.
After the test is performed, the penetration tester provides a thorough report identifying risk areas, with details about what was tested, how it was tested and what the results were. The report also lists weaknesses that were found but not exploited, since they may still pose a risk to the data environment.
All findings should be ranked by severity so you can decide which areas require immediate attention. Exploitable vulnerabilities must be corrected and retested to verify the fix. And if cardholder data is accessed during the test, the tester should notify you immediately so you can execute your incident response plan if necessary.
Select a PCI Penetration Tester
Finding the right penetration tester is a crucial step in the validation process. To test the system accurately, the tester must have the skill and knowledge a real attacker would have, and must be independent of the people who built and run the system under test.
For this reason, any qualified third party or internal resource may perform the test as long as they are organizationally independent; they must be entirely separate from the installation and management of the target system.
PCI DSS does not require the tester to be a QSA or ASV, or to hold any particular certification. But because specific knowledge is required to earn these certifications, they are a useful indicator of a tester’s skill level.
Common certifications include:
- Offensive Security Certified Professional (OSCP)
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification (GIAC) Certifications
- CREST penetration testing certifications
- CESG (now the UK National Cyber Security Centre) IT Health Check Service (CHECK) certification
Aside from looking at certifications, interview the tester to make sure they are a good fit for your company and for the type of penetration test needed.
A few questions to consider:
- How many years of experience does the penetration tester have?
- How many years has the organization they’re employed by been performing penetration tests?
- Has the penetration tester performed tests against organizations of similar size and scope?
- What experience does the tester have with the technology (operating systems, hardware, web applications, network services, etc.) in the target environment?
You may come across automated penetration testing services. They run much faster than a human-led test, but an automated scan on its own won’t satisfy the PCI penetration testing requirement: it can enumerate known vulnerabilities but can’t chain them together, test business logic, or judge the real risk to your data environment. Automated vulnerability scanning does have its own place in PCI DSS, as the separate quarterly internal and external (ASV) scanning requirement, and its output is useful input for the penetration tester to decide what additional manual testing is needed.
Ensuring your system is PCI compliant is an important step in protecting your business and customers from a potentially devastating hack. Having a secure CDE is necessary to grow your customer base and gain their loyalty.
Though the PCI compliance process can be complicated, Point-to-Point Encryption (P2PE) technology like Bluefin’s can help merchants simplify their programs. P2PE encrypts card data in the card reader, before it’s transmitted to a merchant’s POS, virtual terminal or payment application. The technology thereby removes clear-text cardholder data from a merchant’s environment, keeping it away from networks where it could be exposed to malware.
This reduces the number of PCI DSS requirements a merchant must meet to be compliant. Bluefin’s PayConex system was the first in North America to be PCI validated, and is one of only 14 validated companies worldwide.
Contact us to learn more about how P2PE technology can help your business with PCI compliance and other ways a multi-layered approach to cyber security can benefit your company.