What exactly are the requirements of Payment Card Industry Data Security Standards (PCI DSS)?

Most businesses will be aware of the vital importance of spotting security vulnerabilities within their network and applications, and many will also be aware that they will need to carry out a network penetration test to help them comply with the Payment Card Industry Data Security Standard (PCIDSS) requirements. Understandably many SMBs will look to find the cheapest and quickest way to comply with the required standards. However, some businesses might be surprised to learn that the service they are paying for isn’t necessarily what they think it is. PCI DSS is explicit in its requirement that a penetration test has to be performed, but it is rather vague when it comes to explaining what methods need to be employed when performing testing.

Much of the fault lies with the wording of the original standard. Many companies believe that an automated penetration test will suffice, however they aren’t necessarily aware that PCI DSS 11.3 calls for penetration testing over and above the external an internal vulnerability assessments required by PCI DSS Requirement 11.2. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing should include network and application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network.

The original wording of Requirement 11.3 reads:

(Businesses must) Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:

  • 11.3.1 Network-layer penetration tests
  • 11.3.2 Application-layer penetration tests.

The standard unsurprisingly caused some confusion amongst compliance professionals: they struggled to understand the ramifications of accountability with the merchant banks that used their services. Fortunately the PCI Council has since released supplementary information on the penetration testing requirements which it hopes will clarify the procedures and requirements of PCI DSS 11.3 for the compliance industry.

So, what are the requirements of PCI DSS 11.3?

Technical Requirements:

PCI DSS 11.3 requires that organizations perform annual penetration tests that:

Evaluate both the network and application layers and include both internal and external testing. If that still sounds a little vague, then there is further clarification about exactly what is included in the penetration test’s scope. The scope of PCI-required penetration tests must include all systems and networks within the cardholder data environment.  This is where network segmentation is critical. A business that has followed the advice of PCI DSS experts and narrowly defined the scope of their cardholder data environment will find that they will be in good shape when it comes time to perform your penetration test.

Does the penetration test have to be carried out by a dedicated compliance professional?

The short answer to that is, no. Businesses do not need to use a Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV) to perform their penetration tests.  In fact, they don’t even need to hire someone to perform the tests. It’s perfectly acceptable to use internal resources.  However, there is a caveat to that as you would expect. Businesses must use experienced penetration testers, that is, someone who has performed penetration tests professionally in the past.  Moreover, they should be working at arm’s distance and must be organizationally separate from the individuals managing the cardholder environment.

What this actually means is that if a business’ information security staff are actively involved in the management of the cardholder network, and manage the firewall, intrusion detection system, or participate in the design of the architecture, then they’re disqualified from performing the penetration tests.  However, if an organization has an internal audit staff who are qualified and willing to take on the assignment then that is acceptable, as they will naturally meet the requirements for independence.

How often should penetration tests be performed?

PCI DSS requires that you perform penetration tests at least once a year. On top of that businesses must also perform tests any time they make a “significant” change to the environment.  The definition of “significant” is left up to the discretion of the individual interpreting the standard: adding a new user account, for example, would not be a significant change, whereas adding a new web server would clearly merit penetration testing.  Unfortunately this is still one of the grey areas of PCI DSS, so Krypsys would always advise that it is better to err on the side of caution and perform additional penetration testing in most instances.

If your organisation needs help with security compliance, penetration testing or web security solutions, please contact Krypsys on 01273 044 072 or [email protected].