Social Engineering Testing and PCI

The term social engineering refers to the practice of attempting to compromise a system by manipulating the people who use it. PCI DSS requires penetration testing of the in-scope environment, and many industry-standard testing methodologies include social engineering. The testing approach must “consider the threats and vulnerabilities experienced by merchants in the last 12 months.” It may therefore partly include attempts to introduce malware into the environment through social engineering attacks.

Social Engineering Testing

SE tests are a useful method of assessing the risks posed by users of a system failing to follow the correct policies and procedures. There is no universal approach to SE testing; tests should instead be tailored to suit the business, taking into account its size and scale and how well established its security awareness program is. Tests can range from low-tech exercises, such as convincing an employee to hold open a door, to remote interactions, such as persuading someone to open a link or attachment in an e-mail.

Security Awareness

Although PCI DSS does not require SE testing, a business can include it in its penetration testing practice to assess the effectiveness of its security awareness program on an ongoing basis. The frequency of these tests is decided by the entity when setting out its security awareness program. Security awareness re-education may be required where end-users fail social engineering tests. The end goal is a reduction in the number of employees whose decisions leave the business vulnerable to attack. For further details on setting up a strong and successful security awareness program, contact KRYPSYS.

Alternative to SE Testing

SE tests may not be appropriate, or may not provide a meaningful result, in all situations. Although social engineering testing is not a requirement of PCI DSS, organisations may wish to document the reason for forgoing a social engineering test and include the applicable documentation with the internal and external penetration test reports. This would be advisable if social engineering attacks were encountered in the last 12 months.