7 September, 2019
Penetration Testing and Vulnerability Scanning for PCI DSS
[Editor’s Note] PCI DSS is changing in 2024. Find out everything you need to know about the new PCI DSS 4.0 requirements, including the key dates for PCI DSS compliance, in our latest blog post now: PCI DSS 4.0 and Penetration Testing – What You Need to Know
Irrespective of the industry, penetration testing and vulnerability scanning exercises help businesses a great deal when it comes to the security of their technical infrastructure. For businesses processing sensitive data such as credit card data, such practices have more relevance than ever. The foundation for this article was laid by one of our previous articles where we discussed PCI DSS and penetration testing vendors. In this article, we will be thoroughly discussing the penetration testing and vulnerability scanning requirements for PCI DSS. For this, Requirements 11.1, 11.2, 11.3, and 126.96.36.199 of the latest version of PCI DSS released in May 2018 in, i.e., PCI DSS v3.2.1 are relevant.
Requirement 11.1 – Wireless Access Points
Requirement 11.1 deals with Wireless Access Points (WAPs) and it requires the following specific requirements to be implemented for PCI DSS compliance –
- Implement appropriate processes for testing the presence of wireless access points (802.11).
- Detect and identify all authorized and unauthorized wireless access points every quarter.
- Maintain an inventory of authorized wireless access points with document business justification.
- Implement an incident response procedure for events when unauthorized access points are detected.
As per the prescribed frequency, these activities must be performed quarterly.
Requirement 11.2 – Vulnerability Scans
Specific requirements given under Requirement 11.2 must be performed quarterly or after a significant change in the network has taken place. The phrase “significant change” includes new system component installations, network topology changes, firewall rule modifications, product upgrades, etc. This requirement covers internal as well as external network scans to be performed by an ASV. Specific requirements are as follows –
- Run internal and external network vulnerability scans.
- Perform internal vulnerability scans and address vulnerabilities and perform rescans to verify that all high-risk vulnerabilities are resolved.
- Perform external vulnerability scans via an Approved Scanning Vendor (ASV) approved by the PCI Security Standards Council (PCI SSC) and perform rescans as needed.
- Perform internal and external scans, and rescans, as needed after any significant changes are made.
Requirement 11.3 – Penetration Testing
Specific requirements given under Requirement 11.3 require a covered entity to implement a penetration testing methodology which must have the following features
- Industry-accepted penetration testing approaches, such as NIST SP800-115.
- Coverage for the entire CDE perimeter and critical systems.
- Internal as well as external testing.
- Testing to validate segmentation and scope-reduction controls.
- Application-layer penetration tests to include, at a minimum, vulnerabilities given under Requirement 6.5
- Network-layer penetration tests to include components supporting network functions as well as OS.
- Review and consideration of threats and vulnerabilities experienced in the last 12 months.
- Retention of penetration testing results and remediation activities results
Here, Requirement 6.5 lists the following vulnerabilities –
- Injection flaws – SQL, OS Command, LDAP, XPath, and other injection flaws
- Buffer overflows
- Insecure cryptographic storage
- Insecure communications
- Improper error handling
- Cross-site Scripting (XSS)
- Improper access control – insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions
- Cross-site request forgery (CSRF)
- Broken authentication and session management
Other specific requirements are –
- Perform external penetration testing.
- Perform Internal penetration testing.
- Correct exploitable vulnerabilities found during penetration tests and verify the corrections.
- Perform penetration tests to verify that segmentation controls are operational.
The prescribed frequency under this Requirement is annually or after significant infrastructure or application upgrade, or modification is carried out. OS upgrade, the addition of a new sub-network to the environment, addition of a web server to the environment, etc. are some of the activities which are considered as significant infrastructure or application upgrade or modification.
Additional Requirement for Service Providers!
Requirement 188.8.131.52 contains an additional requirement that needs to be fulfilled by the service providers. Service providers shall confirm their PCI DSS scope by performing penetration testing exercises on the segmentation controls. These exercises must be performed half-yearly or after any changes to the segmentation controls are made.