PCI Penetration Testing – How to Define The Scope

Cardholder Data Environment

The PCI DSS defines the cardholder data environment (CDE) as the people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.

Scope of PCI Penetration Testing

The scope of a penetration test under PCI DSS Requirement 11.3 (Requirement 11.4 in PCI DSS v4.0) must include the entire CDE perimeter and any critical systems that may affect the security of the CDE. Both the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (attack surfaces exposed to other LAN segments) must be covered.

External Scope

The scope of an external penetration test is the exposed external perimeter of the CDE together with any critical systems connected to, or accessible from, public network infrastructure. The test should assess every distinct means of reaching that scope from public networks. This includes services whose access is restricted to specific external IP addresses: IP allow-listing limits who can reach a service, but it does not remove the service from scope.

Internal PCI Scope

The scope of the internal penetration test is the internal perimeter of the CDE, assessed from the perspective of every out-of-scope LAN segment that offers a distinct path of attack against the CDE perimeter. Any system that may affect the security of the CDE should also be included in scope.

Network and Application Layer Testing

NB: testing must cover both the application layer and the network layer. External penetration tests must also cover remote-access vectors such as dial-up and VPN connections.

Test Segmentation

If network segmentation controls are used to isolate other environments from the CDE, segmentation checks should be performed from every non-CDE environment that is intended to be separated from the CDE perimeter. The purpose of these checks is to validate that the segmentation controls actually work as intended, i.e. that the non-CDE environments cannot reach the CDE.

Out of Scope

To be considered out of scope for PCI DSS, a system component must be isolated (segmented) from the CDE such that, if the out-of-scope component were compromised, it could not affect the security of the CDE. The penetration test may therefore include systems not directly involved in processing, transmitting or storing cardholder data, in order to confirm that those assets, if compromised, could not impact the security of the CDE.
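The segmentation check described under "Test Segmentation", and the isolation criterion above, both come down to the same test: from each out-of-scope segment, attempt to reach every CDE host and port and treat any answer at all as a failure. The following is an added example, not code from the original article or from the PCI SSC: a minimal segmentation-check runner whose probe function is injectable so the logic can be exercised without a live network. The CDE addresses, ports and the `simulated_probe` firewall behaviour are constructed sample data; a real engagement sweeps the full TCP port range (and UDP) from every non-CDE segment, not the handful of ports shown here.

```python
# Added example (not from the original article): a minimal segmentation
# check run from an out-of-scope network segment against CDE addresses.
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Constructed sample CDE targets, as an assessor might list them in the
# scoping document. These addresses and ports are hypothetical.
SAMPLE_CDE_TARGETS: Dict[str, List[int]] = {
    "10.10.0.5": [443, 1433, 3389],   # hypothetical payment app / DB host
    "10.10.0.6": [22, 443],           # hypothetical admin jump host
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    state: str  # "open" or "closed": either means the segment reaches the CDE


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port as seen from the tester's vantage point.

    open     - handshake completed: a CDE service is reachable
    closed   - RST received: the CDE host answers at layer 3/4
    filtered - no reply or unreachable: traffic is being dropped
    Only "filtered" is the outcome that segmentation is meant to produce;
    a "closed" port still proves the segment can reach the CDE host.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:   # must precede OSError (it is a subclass)
        return "closed"
    except OSError:                  # timeout, host/network unreachable, etc.
        return "filtered"
    finally:
        s.close()


Probe = Callable[[str, int], str]


def run_segmentation_check(targets: Dict[str, Iterable[int]],
                           probe: Probe = tcp_probe) -> List[Finding]:
    """Probe every CDE host/port; return each one this segment can reach.

    An empty result means the segmentation control held for the ports
    tested from this vantage point. `probe` is injectable so the logic
    can be run offline with a simulated network.
    """
    findings: List[Finding] = []
    for host, ports in targets.items():
        for port in ports:
            state = probe(host, port)
            if state != "filtered":
                findings.append(Finding(host, port, state))
    return findings


def segmentation_holds(findings: List[Finding]) -> bool:
    """True when nothing in the CDE was reachable from the tested segment."""
    return len(findings) == 0


def simulated_probe(host: str, port: int) -> str:
    """Constructed stand-in for tcp_probe. Models a firewall that drops
    everything except a leftover rule permitting TCP/1433 to 10.10.0.5,
    where nothing is listening: the host answers with a RST, which is
    still a segmentation failure because the CDE host is reachable."""
    return "closed" if (host, port) == ("10.10.0.5", 1433) else "filtered"


if __name__ == "__main__":
    # Replace simulated_probe with tcp_probe to run against a real segment.
    hits = run_segmentation_check(SAMPLE_CDE_TARGETS, probe=simulated_probe)
    for f in hits:
        print(f"SEGMENTATION FAILURE: {f.host}:{f.port} is {f.state} from this segment")
    print("segmentation holds" if segmentation_holds(hits) else "segmentation FAILED")
```

Run it once per out-of-scope segment (the vantage point is what matters, so it must execute from inside each segment, not from the tester's laptop on a management VLAN), and record every non-"filtered" result as evidence against the claim that the segment is out of scope.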

It is not a requirement to test servers inside the CDE from within the CDE, and testing only from within the CDE perimeter will not satisfy the PCI DSS requirement. However, if access to the CDE is obtained as a result of the testing, the penetration tester may opt to continue exploring inside the network and pursue the attack against other systems within the CDE. The tester may also test any data-loss prevention controls that are in place.

Critical Systems

The term “critical systems” is used in the PCI DSS to refer to systems that are involved in the processing or protection of cardholder data. PCI DSS gives the following examples of critical systems that may be affected by vulnerabilities:

  • Security systems
  • Public-facing devices and systems
  • Databases
  • Other systems that store, process, or transmit cardholder data

For the purposes of a penetration test, however, there may be additional systems outside the CDE boundary that could affect the security of the CDE, and these should also be treated as critical systems. Common examples relevant to a penetration test include security systems such as firewalls, intrusion-detection and intrusion-prevention systems (IDS/IPS), authentication servers and e-commerce redirection servers. Similarly, any asset used by privileged account holders to support and manage the CDE (for example administrator workstations and jump hosts) should be considered in scope.

It’s really that simple. However, if you would like help in scoping and executing your PCI penetration testing:
Please feel free to contact us on 0845 474 3031
