Updated On 15 March, 2023
Cloud Pentesting for PCI DSS Compliance
In the last decade, companies have gradually adopted cloud-based offerings to provide services and manage their operations. The onset of the Covid-19 pandemic and the shift to remote work further fueled this adoption. While the cloud offers flexibility, affordability, and enhanced productivity, these same cloud-based resources are at risk of failing basic security and compliance tests.
This is evident from the fact that nearly half of all data breaches occur in the cloud. The average data breach cost in organizations with private clouds is $4.24M, while for organizations with public clouds, the average data breach cost is $5.02M. For organizations with a hybrid cloud model, the average cost is comparatively lower at $3.80M. With the rise in adoption of the cloud, most organizations today have cloud-specific requirements to meet industry standards and government mandates to ensure their cloud environments are compliant and secure. One such widely known mandate governs the handling of consumer payment data, much of which is processed in the cloud today.
The Need for Data Security Standards in Financial Services
Historically, cyberattacks on the financial services industry have been the most advanced and frequent due to the profit that can be made from theft of personally identifiable information (PII) and related financial data. To combat this, the payment card industry established a council to create the Payment Card Industry’s Data Security Standard (PCI DSS). PCI DSS was established in 2006 to set security standards for companies transacting card payments.
Any organization transacting payments with major credit cards like Visa and Mastercard must comply with PCI DSS. This ensures that companies are routinely demonstrating that they have implemented reasonable security measures to protect the cardholder data environment (CDE) in line with the PCI standards.
Since its inception, PCI DSS has been updated numerous times. Today, PCI DSS v3.2.1 is the current version of the standard that’s required, with the newest update, PCI DSS v4.0, set to be required in March 2025. With v4.0 requirements effective in March 2025, the best time for organizations to start preparing is now, as CDE pentesting and scanning requirements are changing. Ideally, organizations should be working toward PCI DSS v4.0 compliance readiness no later than 2024.
Why is PCI DSS Compliance Important?
PCI DSS is a globally known security standard for the financial services industry. The PCI Security Standards Council (PCI SSC) oversees PCI DSS implementation and is responsible for introducing new standards. This industry-specific standard has been specifically designed to protect the CDE, which includes all IT environments storing payment card data. Entities required to comply with PCI DSS must fulfill the security requirements given in the standard to demonstrate the entire payment ecosystem has a strong security posture.
Like any other standard or regulation, planning for audit readiness is key to avoiding last-minute hassles. As the new 4.0 version of PCI DSS introduces significant changes from the current version 3.2.1, security and compliance teams can get a head start preparing to secure the CDE now. Organizations may need to make new investments to secure the CDE in time to meet requirements in 2025. Teams will also need to conduct penetration testing and vulnerability scanning to ensure the CDE is compliance ready by Fall 2024.
Planning becomes even more crucial considering the evolving market dynamics and security staffing issues. For example, an (ISC)2 report on workforce gap analysis found that 70% of cybersecurity employees feel that their organization does not have adequate cybersecurity staff. When DevSecOps is understaffed, priorities shift from proactive remediation to real-time event triage. Despite the criticality of an update like PCI DSS v4.0, organizational preparedness to meet the new compliance requirements may stall, or add workflow friction, because security and development teams are stretched thin.
Furthermore, DevSecOps teams will need to work closely with cloud security teams to address PCI DSS 4.0 compliance specifically per the Shared Responsibility Model.
What is the Shared Responsibility Model in Cloud Security?
Cloud computing relies on remotely located, internet-based servers for data storage and processing. These remotely located servers are referred to as “the cloud.” Cloud resources essentially replace the local servers or personal computers previously run on-premises to support the IT environment. As companies increasingly rely on the cloud, unique requirements are introduced for cloud security and compliance initiatives. Cloud service providers (CSPs) usually define a set of security standards required for using their cloud infrastructures. These standards are written into customer contracts that require customers to implement the necessary security controls.
One such standard is the shared responsibility model. This model defines how security responsibilities will be shared between the cloud service provider and the customer. For example, the cloud service provider will maintain and secure the cloud infrastructure. On the other hand, the customer will be responsible for application security, data security, and connected endpoints. Along with fulfilling the cloud service provider’s security requirements, a customer is responsible for securing data and systems in their remote cloud servers in line with their governance, risk, and compliance (GRC) requirements.
CSPs such as Google Cloud, Azure, and AWS usually require their customers to follow the CSP’s own shared responsibility model. Regardless of the CSP, the premise of the shared responsibility model is the same: it outlines the security functions that fall under the CSP’s responsibility compared to those that fall under the customer’s responsibility. The security of regulated data, such as data covered by PCI DSS, falls under the customer’s responsibility.
Therefore, to protect regulated data, organizations manage their part of the shared responsibility model and enforce cloud compliance with standards like PCI DSS by employing cloud security engineers and building cloud security teams. These teams focus on protecting the organization from cloud-based attacks and threats using cloud security platforms, pentesting tools, and managed services. Security measures such as cloud encryption, secure access controls, and secure cloud configuration are within scope, along with the cloud-based operational functions of vulnerability management, continuous risk monitoring, threat detection, and incident response.
Cloud security engineers and security professionals can work with multiple teams across an organization to monitor threats and risks related to PCI DSS compliance. When third-party penetration tests are required, dedicated cloud teams can help scope the pentest and assist the DevOps team with remediation. Once the pentest is completed, cloud engineers can be given responsibility for retesting the newly applied fixes and remediating any remaining vulnerabilities identified in the pentest.
Cloud Pentesting Requirements for PCI DSS
Requirement 11.4.1 of PCI DSS v4.0 requires companies to define, document, and implement a penetration testing methodology. This methodology must cover industry-accepted penetration testing approaches, including testing from inside and outside the network. The pentest scope should cover the entire CDE (Cardholder Data Environment) perimeter and critical systems, along with validation of segmentation and scope-reduction controls, including those hosted in the cloud.
Specifically, cloud pentesting and cloud vulnerability scanning are needed to fulfill the following PCI DSS requirements:
- Requirement 11.4.1 specifies two types of penetration testing exercises: application-layer and network-layer pentests. Application-layer pentests, at minimum, should cover the vulnerabilities listed in Requirement 6.2.4. For network-layer pentests, the scope must include all components that support network functions and operating systems.
- Requirements 11.4.2 and 11.4.3 specify that internal and external pentests must be conducted once every 12 months or after any significant infrastructure or application upgrade or change. The pentest team can be external, but they must be qualified. However, they need not be a Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV).
- Requirement 11.4.5 elaborates on conducting pentests in cases where segmentation isolates the CDE from other networks.
According to the PCI SSC information supplement on cloud computing, companies must be careful when defining the scope of penetration testing exercises. They must understand their cloud provider’s Shared Responsibility Model. The pentesting team should include cloud security professionals who understand the cloud deployment model and can perform the appropriate testing exercises. This is ideally performed by a trusted third-party provider with expertise in cloud penetration testing services. Such a provider can supply the company with validated evidence that all required penetration tests and vulnerability scans have been performed, including the tests and scans required for cloud environments.
One of the main reasons to outsource to an external pentesting provider is to assist with accurate identification of any cloud resources that may be used by a physical system that requires testing. One physical system may access multi-cloud environments with different shared responsibility models for dedicated hardware, cloud applications, cloud configurations, the hypervisor, the guest OS, and so on. Therefore, to understand their full responsibilities for cloud security and cloud compliance, organizations are advised to work with certified cloud experts who have the experience and tools to conduct pentests according to each cloud provider’s penetration testing requirements.
Audit Readiness in the Cloud for PCI DSS 4.0
With PCI DSS v4.0 around the corner, companies transacting and storing regulated data need reliable partners to help them prepare their teams, systems, and internal policies so that PCI DSS compliance does not miss a beat in 2025. Most modern companies store some of their financial transaction data in the cloud. Some companies even have multi-cloud and hybrid environments to support their business operations. Working with a trusted offensive security provider now can help address staffing gaps and ensure timelines are met without adding workflow friction.
For organizations looking to fulfill PCI DSS pentesting requirements, Pen Testing as a Service (PTaaS) allows companies to test early and often, giving Cloud Security, DevOps, and SOC teams ample runway to prepare the cloud environment for PCI DSS compliance. BreachLock’s full-stack suite of penetration testing services offers comprehensive cloud penetration testing to ensure your security standards are met and your compliance obligations are tested thoroughly. Knowing the clock is ticking on PCI DSS 4.0 preparedness, our experts are ready to support your cloud penetration testing and vulnerability scanning. Schedule a discovery call to see how BreachLock PTaaS can work for you.