Companies that store, process or transmit payment card data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). Protecting cardholder data is the purpose of the whole standard.
Of all the prescriptive PCI DSS requirements, penetration testing has proven a hard problem for many companies. They must devise a penetration testing methodology that demonstrates, beyond reasonable doubt, that their security controls adequately protect cardholder data; only then can they claim PCI DSS compliance for this requirement.
The primary components of penetration testing
Broadly, there are three types of penetration test for PCI DSS:
- Black-box assessments
- These give the tester no information before testing commences
- White-box assessments
- These give the tester full network and application details before testing
- Grey-box assessments
- These give the tester partial information about the target systems
Both white-box and grey-box assessments give the tester a better understanding of the cardholder data environment, which makes the test more thorough for the time spent.
Is a penetration test any different from a vulnerability scan?
A vulnerability scan is an automated tool that identifies, ranks and reports known weaknesses that may put a system at risk. PCI DSS requires internal and external vulnerability scans at least quarterly and after any significant change to the environment; the findings are then verified and remediated manually.
Penetration testing, by contrast, tries to actually exploit weaknesses, chaining gaps in the controls into a demonstrated path to cardholder data.
Penetration testing is an active, largely manual process that attempts to break the system; vulnerability scanning is a largely automated, non-exploitative review of the system's known weaknesses.
How can a company determine the scope of their CDE?
CDE is an abbreviation for cardholder data environment: the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, together with any system connected to them. Because everything in the CDE is in scope, companies must take care to determine the scope of their PCI assessment correctly.
Some aspects of the CDE perimeter that companies should consider include:
- The external perimeter: every public-facing system and external IP address through which the CDE can be reached from untrusted networks; these must be tested from outside
- The internal systems: the test should combine application and network assessments to cover every internal system that can reach cardholder data
Companies whose networks are segmented should also test from systems deemed outside the CDE to confirm that no path into the CDE exists. This is the only way to be sure that the segmentation controls are effective, and PCI DSS requires segmentation testing at least annually (every six months for service providers) and after any change to the segmentation controls.
Systems deemed "out of scope" should still be secured well enough that their compromise cannot in any way affect cardholder data; a host that can pivot into the CDE is in scope, whatever the network diagram says.
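The segmentation test described above, in working form, as an added example that is not part of the original article or of any PCI SSC tooling: run from a host that is supposed to be out of scope, attempt a full TCP connection to each CDE address and port, and treat every successful connection as a segmentation failure. The target labels and the loopback listener in `demo()` are constructed for the demonstration; a real sweep uses the CDE's actual address ranges.

```python
"""
Segmentation verification sweep: from a host that should be OUT of scope,
attempt TCP connections to every CDE address/port of interest and report any
that succeed. Added illustration; the targets below are constructed.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    label: str  # hypothetical description, e.g. "payment DB"


@dataclass(frozen=True)
class Result:
    target: Target
    reachable: bool
    detail: str


def probe(target: Target, timeout: float = 1.0) -> Result:
    """Full TCP connect (not a SYN-only scan). A drop (timeout) and a reject
    (RST) are both 'not reachable' but are reported differently so the
    firewall behaviour is visible in the report."""
    try:
        with socket.create_connection((target.host, target.port), timeout=timeout):
            return Result(target, True, "connected")
    except socket.timeout:
        return Result(target, False, "timeout (filtered/dropped)")
    except ConnectionRefusedError:
        return Result(target, False, "refused (RST)")
    except OSError as exc:
        return Result(target, False, f"error: {exc.strerror}")


def check_segmentation(targets: Iterable[Target], timeout: float = 1.0) -> List[Result]:
    """Probe every target; from an out-of-scope host nothing in the CDE should answer."""
    return [probe(t, timeout) for t in targets]


def segmentation_failures(results: Iterable[Result]) -> List[Result]:
    """Every reachable target is a segmentation failure that goes in the report."""
    return [r for r in results if r.reachable]


def demo() -> dict:
    """Constructed scenario on loopback: one listener stands in for a CDE
    service the 'out-of-scope' host can reach (a failure); a second port is
    closed, standing in for a correctly segmented service."""
    leaking = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    leaking.bind(("127.0.0.1", 0))
    leaking.listen(1)
    open_port = leaking.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more, so connects are refused

    targets = [
        Target("127.0.0.1", open_port, "payment DB (hypothetical)"),
        Target("127.0.0.1", closed_port, "HSM gateway (hypothetical)"),
    ]
    try:
        results = check_segmentation(targets, timeout=0.5)
    finally:
        leaking.close()
    return {
        "open_port": open_port,
        "closed_port": closed_port,
        "results": results,
        "failures": segmentation_failures(results),
    }


if __name__ == "__main__":
    out = demo()
    for r in out["results"]:
        status = "FAIL (reachable)" if r.reachable else "ok"
        print(f"{r.target.label:28} {r.target.host}:{r.target.port:<5} {status:18} {r.detail}")
    print(f"{len(out['failures'])} segmentation failure(s)")
```

A production sweep runs this from every out-of-scope segment against all CDE addresses across the full TCP port range (and UDP, which this connect-based probe does not cover), and the evidence kept for the assessor is the list of targets probed plus the empty failure list.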
Definition of a critical system
Critical systems are those involved in processing, storing, transmitting or protecting cardholder data. Examples are security systems and public-facing devices.
In the context of penetration testing, critical systems can be defined as any system whose technology manages or supports the CDE: firewalls, authentication servers, e-commerce redirection servers, and intrusion-detection/intrusion-prevention systems (IDS/IPS).
The difference between application-layer and network-layer testing
Most companies process payments through applications and software, which are exposed to attack by outside parties. Attackers take advantage of any weakness in the application layer, so application-layer testing tries to break the software or application to find those weaknesses before an attacker does.
Network-layer testing seeks to identify weaknesses in the devices that make up the company's data environment, such as routers, firewalls and switches. Examples of network-layer weaknesses include default passwords, unpatched systems and misconfigured devices.
What application-layer and network-layer tests are required by PCI DSS?
PCI DSS requires companies to test their web applications, their authentication mechanisms and their payment applications (historically validated under PA-DSS, which the PCI SSC has since retired in favour of the Software Security Framework).
Penetration testing also evaluates employee user controls and cardholder (customer) controls. Reviewing authentication and authorisation confirms that both the workforce and customers can reach only the data they are supposed to.