[Editor’s Note] PCI DSS is changing in 2024. Find out everything you need to know about the new PCI DSS 4.0 requirements, including the key dates for PCI DSS compliance, in our latest blog post now: PCI DSS 4.0 and Penetration Testing – What You Need to Know
Cyber attacks are getting increasingly sophisticated and complex. An organization cannot sit back and wait for a security incident to occur before taking action. Modern organizations need to adopt proactive as well as reactive measures to minimize cybersecurity risk comprehensively. Penetration testing is one such proactive measure: it helps an organization identify vulnerabilities and understand the extent of the damage if they are exploited successfully. Over the years, many regulations and standards have come to prescribe penetration testing or security testing as a mandatory exercise. Similarly, Requirement 11.3 of PCI DSS states that organizations should:
- Implement a penetration testing methodology that includes external as well as internal tests.
- Perform these tests annually or after any significant upgrade or modification.
- If network segmentation is used to reduce PCI DSS scope, conduct annual penetration tests to verify that the segmentation methods are operational and effective.
Essentials of an ideal penetration testing methodology
According to the implementation guidance available for PCI DSS, an ideal penetration testing methodology should have the following components:
- The scope of penetration tests covers the cardholder data environment (CDE) and the critical systems connected to it.
- It includes external as well as internal penetration tests.
- Penetration tests are performed at the application layer as well as the network layer.
- It is based on industry-accepted approaches such as NIST SP 800-115.
- It reviews and takes into account the threats and vulnerabilities identified in the last twelve months.
- Reports contain information about the remediation of identified vulnerabilities.
Choosing a PCI DSS penetration testing partner: The big question
An organization can assign the responsibility of conducting penetration tests to a qualified internal resource or to an external partner. One prerequisite is that the party conducting the penetration tests must be organizationally independent. This means that the penetration tester must be separate from the management team of the target system. For example, a vendor cannot perform penetration tests on your system if they were involved in the installation or maintenance of systems in your CDE.
While certifications are not always a mandatory requirement, they indicate the skill level and competence of a vendor’s penetration testing team. Some of the most common penetration testing certifications are:
- Offensive Security Certified Professional (OSCP)
- CREST penetration testing certifications
- Global Information Assurance Certification (GIAC) certifications
- Communication Electronic Security Group (CESG) IT Health Check Service (CHECK)
- Certified Ethical Hacker (CEH)
Should a vendor have previous penetration testing experience?
Certifications cannot substitute for the skills and knowledge gained through experience. Hence, an organization must perform due diligence to check whether a prospective vendor has prior experience. Further, it may be helpful to see whether a vendor has previously worked with an organization in your industry segment. Some of the questions that you can ask are:
- How many years of experience does the vendor have?
- What are the qualifications of the vendor’s security team?
- Can the vendor provide any references from their existing or previous clients?
- Has the vendor’s team performed penetration tests with similar scope?
- Is the vendor PCI DSS certified?
- Does the vendor also provide PCI ASV scans?
- What is the vendor’s methodology for conducting penetration tests?
The necessity of due diligence
Your organization very likely already has a process for performing vendor assessments or due diligence before procuring a service. If there is a due diligence form, you should send it to a prospective PCI DSS penetration testing partner to establish their credibility. Some of the areas that your due diligence should cover are:
- Legal information about the company (registration number, registered address)
- Years in business
- Contact details of the authorized representative
- Types of service they provide
- Industry associations they are a part of
- Legal and regulatory requirements applicable to them
- Their compliance status with those legal and regulatory requirements
- Service level agreement (SLA) specifics
- Cyber insurance policy details
- Security practices
- Business continuity and incident response practices
We know that selecting a vendor can often be a challenging decision. At the end of the day, you should opt for a vendor that best understands the threats your organization is facing and has the appropriate skills and experience to help you deal with them. Did you know that BreachLock’s cloud platform combines human intelligence and machine power to perform PCI DSS penetration tests? Get in touch with our team today!