PCI Pen Test Requirements Can Cause Confusion

Business IT Teams will almost certainly be aware of the importance of finding security vulnerabilities within the company’s networks and applications, and will probably be aware that they should carry out a network penetration test to help them comply with the requirements of PCI DSS. Understandably many small and medium sized companies will want to find the least expensive and quickest way to comply. One problem, however, is that some companies may be surprised to find that the service they have paid for isn’t quite what they thought it was. This is because PCI DSS is explicit in its requirement that a penetration test needs to be carried out, but is much more vague when explaining what methods are appropriate.

Some of the issue lies within the wording of the original standard, which leads companies believe that an automated penetration test is sufficient. They may not, however, be aware that PCI DSS 11.3 calls for penetration testing over and above the vulnerability assessments required by PCI DSS Requirement 11.2. The vulnerability assessments merely identify and report on potential vulnerabilities. A penetration test, on the other hand, verifies the vulnerabilities by attempting to exploit them in order to determine whether unauthorised access is actually possible. Penetration testing would need to cover both network and application layer testing and should include internal and external testing.

According to 11.3, a businesses should carry out penetration testing at least annually and following any significant change to infrastructure or applications (Inc. operating system, network configuration and web infrastructure). These tests should include; 11.3.1 Network-layer penetration tests and 11.3.2 Application-layer penetration tests.

Many businesses and compliance professional struggled to get to grips with the implications relating to accountability with the merchant banks that used their services. To help, the PCI Council has since released additional information on the penetration testing requirements which aim to clarify the procedures and requirements of PCI DSS 11.3.

So, what are the technical requirements of PCI DSS 11.3? PCI DSS 11.3 requires that organisations perform annual penetration tests that evaluate the network and application layers and include both internal and external testing that must include all systems and networks within the cardholder data environment (CDE). This means that network segmentation is crucial. A merchant that has followed the best advice of PCI DSS experts and defined the scope of their CDE as narrowly as possible, will likely be in good shape when it comes to penetration testing.

Another question that needs clarification is, whether the penetration test needs to be carried out by a Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV). The short answer is; no. Companies are not required to use a QSA or ASV to carry out their penetration tests. Furthermore, they do not need to hire someone external to the company to perform the tests. It’s completely acceptable to use internal resources with the caveat that they are experienced penetration testers. In other words, someone who has performed penetration tests professionally previously. They should be organisationally separate from the person or department that manages the cardholder data environment.

In practice this means that if a business’s information security specialists have been involved in the management of the cardholder security, and manage the firewall and other controls, then they should not perform the penetration tests. Alternatively, if the company internal audit staff are technically competent and willing to carry out the testing, they would be sufficiently independent to fulfil the requirement.

When considering how often penetration tests should be performed the interpretation of ‘significant’ change to the environment can cause confusion. The definition of significant is left to the discretion of the individual interpreting the standard. Typically, adding a new user account would not normally be regarded as a significant change, but adding a new web server would clearly be grounds for additional penetration testing. Since this remains a grey area of PCI DSS, we would always advise caution and perform additional penetration testing in most instances, if in doubt.

If you need help with PCI compliance, penetration testing or web security solutions, please contact Krypsys on 0845 474 3031 or [email protected].

Leave a comment