PCI-DSS Penetration Test Requirements
By Paul Brenneker
Those who have had involvement with PCI Data Security Standards (PCI-DSS) will know that Penetration Testing has been mandatory since the PCI standard was first issued. However, since the introduction of PCI-DSS v3.0 SRM has received a number of queries from across a multitude of industry sectors with regard to what the new Penetration Testing requirements actually mean for merchants and/or service providers.
This article aims to provide clarity and subsequently let you know where SRM can help you in terms of meeting the new requirements as well as any other PCI-DSS assessment or Information Security related needs you may have.
Penetration testing is required (for PCI compliance) at least annually as a matter of course. This should be conducted at both network and application levels. It is worth noting that further penetration testing should also be initiated when a significant change to either the network infrastructure or application layer is introduced. The PCI Penetration Testing Guidance document describes a significant change as anything that could ‘impact the security of the network or allow access to cardholder data’.
So what has changed recently and what do you need to do as a PCI compliant business?
Prior to PCI-DSS v3.1 there was still a requirement to perform network penetration testing if your business fell into the relevant category. However, requirement 11.3 has now been updated to mandate that you, the PCI-DSS compliant (or aiming for compliance) business, must now document and implement a methodology for your chosen Penetration Testing provider to follow. These changes became mandatory on the 30th June 2015.
The new changes mandate that your implemented methodology meets the following:
• It must be based upon industry-accepted penetration testing approaches;
• Includes coverage for your entire Cardholder Data Environment (CDE) perimeter and critical systems;
• Includes testing to validate any segmentation and scope-reduction controls as part of your compliance audit;
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5;
• Defines network-layer penetration tests to include components that support your network functions as well as operating systems;
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months; and
• Specifies retention of penetration testing results and remediation activities results.
By including the above into a documented methodology you make sure that your Penetration Testing provider is fully aware of the approach they must take in order to aide you in maintaining or obtaining your all-important PCI-DSS compliant status. This ensures your network and the cardholder data flows which it facilitates are appropriately assessed against the ever changing threat landscape.
The most common pitfalls are badly-defined scope or the test missing a critical element. It is also important to ensure that any devices or applications that are used to separate networks provide access to data are properly tested, so that segmentation is checked properly and access control systems are not able to be bypassed in any way using backdoor admin or system level access commands.
If Penetration Testing is performed correctly, it will provide confidence that the PCI environment is accurately defined and show the boundaries are effective. This will give assurance that security weaknesses from the perimeter of the Cardholder Data environment are identified and managed correctly and weaknesses from outside the CDE are also prevented from impacting the secure zone.
SRM is able to conduct your Penetration Test to facilitate your PCI compliance objectives. In addition to this service a documented methodology can be created for your records which subsequently meets the updated PCI requirement with regards to documenting the methodology your penetration testing company must take.
The SRM team also includes a number of experienced PCI-QSAs who are able to review the created methodology for appropriateness in relation to the information you have provided as part of the Penetration Testing process.