PCI DSS 4.0: Why Pen Testing is Key for Compliance
Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Eren Cihangir of Outpost24 makes the argument for why pen testing will be the key to meeting PCI DSS 4.0 Compliance.
In a world where cyber-attacks are rife, and data breaches are an unfortunate daily occurrence, we’ve witnessed the disastrous impact when credit card information is breached. In 2017, the Equifax data breach exposed over 209,000 credit card details and impacted over 147 million people. The aftermath resulted in Equifax settling with regulators for $700 million. In 2019, Capital One (the fifth largest credit card issuer in the US) suffered a hack that compromised 106 million customers across the US and Canada. If we look more recently, HRM Enterprises, which owns the US’s largest independent hardware store, had 40,000 credit cards stolen because of a cyber-attack.
To ensure that all merchants, credit card providers, and services that process, store, or transfer credit card data keep such information secure, they must adhere to the Payment Card Industry Data Security Standard (PCI DSS). This sets out the cybersecurity and privacy requirements to ensure these organizations maintain a safe environment. The compliance requirements are regularly being updated, with PCI version 4.0 announced in March 2022, with a deadline of March 31, 2024, for all organizations to be compliant.
Yet, when examining the new version of this critical standard, penetration testing (pen testing) remains a necessity (under requirement 11), but in what capacity and who must perform this security assessment? Analyzing the new version of the PCI standard, pen testing, and vulnerability scanning are needed to protect payment cardholder data and keep systems secure. Payment card service providers will have to carry out pen test assessments twice a year, with vulnerability scans conducted once a quarter. Moreover, if your organization processes payment card information through business-critical web applications, then these will also need regular tests and scans, especially when these systems undergo significant changes and updates.
So, what are the main differences between a PCI pen test and a PCI vulnerability scan, and what is expected from both?
PCI DSS 4.0: Why Pen Testing is Key for Compliance
PCI Pen Test
This security assessment is designed to unearth and exploit any vulnerabilities discovered in the cardholder data environment (CDE), including the organization’s infrastructure, network, and applications, on a regular basis. This is to test the resilience of the defenses in place and typically, Pen testing is a manual process that can also incorporate automated solutions to locate and trigger the security flaw into operating. An actionable report is then produced based on the findings of the test which detail the vulnerabilities, threats, and risks posed to cardholder data.
PCI Vulnerability Scan
When conducted, a PCI vulnerability scan is an advanced test that produces a report after completion, displaying the most severe vulnerabilities and ranking them in order of importance. With the risk of external IPs and domains being exposed in the CDE, these must be scanned regularly, with PCI DSS demanding that tests be carried out at least four times a year. The tools used to carry out vulnerability scans are largely automated, but these often must be verified manually.
The length of time both assessments take to finish also differs. Vulnerability scans can be completed in a matter of minutes, whereas pen testing can vary between days or weeks depending on the size and scope of the organization’s CDE. Both these tests are integral in reducing the overall attack surface of the CDE and provide security teams visibility on where weaknesses may appear.
With the requirements for PCI DSS readily available, organizations are obliged to define, document, and implement a penetration testing methodology to adhere to a variety of standards, such as:
- Penetration testing provided by industry-accepted solutions.
- Visibility and coverage into the CDE and associated systems.
- Application and network layer pen testing, with documented strategies on how to address the issues found.
- Analysis and recommendations of risks and threats uncovered during the previous 12 months.
- Organizations must keep records of all testing results and remediation activities on file for a year.
Service providers that hold cardholder information must conduct PCI pen tests every six months or when the system has a significant change…but what is meant by this?
Some examples of a significant change that would necessitate a PCI Pen Test include:
- New hardware, software, or networking equipment added to the system.
- If hardware or software is upgraded or replaced.
- When modifications are made that could impact how cardholder data is processed or stored.
- If third-party vendors make changes to their services or processes that help keep the CDE functional.
Always Protect the Customer’s Data to Meet PCI Compliance
While this may have focused on a specific area of PCI, it is critical for all organizations to understand what is expected and to meet compliance before the March 2024 deadline. Pen testing and vulnerability scanning play crucial roles in achieving PCI DSS compliance and are highly effective in reducing vulnerabilities in systems handling sensitive data. With that said, organizations seeking assistance with pen testing or vulnerability scanning must do their due diligence. Firstly, check if the vendor is an Approved Scanning Vendor (ASV). Secondly, the vendor should house a comprehensive suite of services that can continuously assess and analyze the entire network for vulnerabilities.
Lastly, the vendor must be well-equipped to assist the organization in verifying and demonstrating their adherence to PCI DSS standards. This will give you the assurance that you have taken the necessary proactive action to meet the highest standards of data protection.
- PCI DSS 4.0: Why Pen Testing is Key for Compliance - August 23, 2023