Compliance and Security: An Overview of PCI DSS for Penetration Testing

It is important for every company that accepts credit cards as payment to comply with PCI DSS, especially since the standard is designed to protect cardholder data, which is highly sensitive and private.


Understanding PCI DSS for Penetration Testing

A PCI DSS penetration test simulates attacks on systems and networks to assess their security. It is done to find vulnerabilities that attackers could abuse to cause data breaches, which can be very damaging for the company.

The penetration test is done manually by expert penetration testers, so it goes deeper than an automated vulnerability scan. The testers look specifically for issues that automated scanning tools cannot identify and try to exploit the vulnerabilities they find.

That way, they learn about the actual risk and impact, which then becomes the basis for designing mitigations that make the systems and network more secure. This test is one of the compliance requirements that must be performed regularly to test the protection processes and systems, covering both internal and external systems.

The test itself should cover the cardholder data environment (CDE) as well as any other systems that might affect the protection of the CDE. Systems that are isolated from the environment used to store cardholder data are out of scope.

Your company can isolate the network with strict firewall rules, which helps reduce the scope of the test. This method helps eliminate false positives at the very first stage and reduces the cost of the penetration test, since the test is smaller.

PCI DSS Requirements

The PCI SSC created technical and operational requirements that your company needs to fulfill to protect cardholder data. The requirements your company must implement to comply with PCI DSS are as follows:

  • Install and maintain a correctly configured firewall to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords or for the other security parameters implemented in the system.
  • Protect the cardholder data stored in your systems.
  • Encrypt cardholder data when transmitting it across open or public networks.
  • Use anti-virus software and keep it regularly updated.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data on a need-to-know basis.
  • Assign a unique ID to each individual who has computer access.
  • Restrict physical access to cardholder data.
  • Monitor and track all access to cardholder data and network resources.
  • Regularly test the security of your systems and processes.
  • Maintain a policy that addresses information security for all personnel.

Why Should Your Company Do a Penetration Test?

Most system planning, creation and maintenance is done by employees who have little or no professional experience in security, whereas the penetration test itself is done by security experts.

These experts have received professional training to identify and detect problems in your systems. Thus, the report they produce will help you fix any security issues they find before a real attack exploits the vulnerabilities.

Furthermore, according to PCI DSS you need to do a security assessment as well as a segmentation test regularly, once every 6 months, to comply with the standard. You should also perform an additional control review whenever you make a significant change to your systems.

That is why it is important for your company to perform penetration tests: they help you comply with the standard as well as strengthen the network.


Types of Penetration Test That You Can Use

A penetration test is performed against the systems you choose in order to find vulnerabilities. The vulnerabilities themselves can stem from incorrect or inadequate design, known or unknown software and hardware defects, and deficiencies in technological or process countermeasures. Here are the types of penetration test that you can use:

Network penetration test

This test identifies security issues in workstations, servers, and the design, implementation and maintenance of network services. It can be used to find misconfigurations, outdated operating systems and software, and insecure protocols in your systems.

Segmentation control test

This test finds out whether a firewall misconfiguration would allow unauthorized access into the company’s network. It can be used to find TCP connections that are allowed but shouldn’t be, as well as pings that shouldn’t be allowed.

Application penetration test

Applications cannot be developed perfectly, so there are potentially vulnerabilities in the applications your company uses. Authentication failures as well as poor coding practices can create vulnerabilities in that software. This test is therefore done to make sure that there are no vulnerabilities in the applications your company uses.

Furthermore, even if you continuously protect, fix and update the application, attackers will also continue to improve their methods to find new vulnerabilities in the system. That is why it is important to keep testing your applications so you can avoid the dangers associated with application vulnerabilities.

Wireless Network test

This test finds misconfigurations in wireless networks that are already authorized to connect to the system, as well as access points that are not authorized to connect to it. It can also reveal weak encryption methods, unsupported network technologies, insecure encryption, and unauthorized access points.
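A segmentation control test of the kind described above boils down to probing paths that the firewall should block and comparing what is observed against the expected policy. The following is an added example, not code from the original article; the hosts, ports and policy are constructed samples, and only TCP reachability is probed (ICMP pings need raw sockets and are left out).

```python
"""Segmentation control check: confirm that, from an out-of-scope network
segment, only the intended CDE services can be reached."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    host: str           # in-scope (CDE) host to probe from the out-of-scope segment
    port: int
    expected_open: bool  # False means segmentation must block this path


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes (path is open)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable: the path is blocked
        return False


def evaluate(rules, observed):
    """Return the rules whose observed reachability contradicts the policy.

    observed maps (host, port) -> bool as produced by tcp_reachable().
    A path that should be blocked but is open is a segmentation failure;
    an allowed path that is closed is reported too, since it means the test
    baseline (the probe position or the service) is not what was assumed.
    Rules that were not probed are skipped.
    """
    return [r for r in rules
            if (r.host, r.port) in observed
            and observed[(r.host, r.port)] != r.expected_open]


def run_check(rules):
    """Probe every rule from the current host and evaluate the results."""
    observed = {(r.host, r.port): tcp_reachable(r.host, r.port) for r in rules}
    return evaluate(rules, observed)


# Constructed sample policy (hypothetical addresses): from the corporate LAN
# only the payment gateway's HTTPS port may be reachable; the database port
# and remote desktop on the CDE database server must be blocked.
SAMPLE_RULES = [
    Rule("10.10.0.5", 443, expected_open=True),
    Rule("10.10.0.20", 1433, expected_open=False),
    Rule("10.10.0.20", 3389, expected_open=False),
]

if __name__ == "__main__":
    for r in run_check(SAMPLE_RULES):
        print(f"VIOLATION {r.host}:{r.port} expected_open={r.expected_open}")
```

Run it from a host in the out-of-scope segment; every line printed is a path whose observed state disagrees with the segmentation policy and belongs in the test report.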

Step by Step to Do the Penetration Test 

  • Scoping
    The first step of the penetration test is to determine its scope. To do this, the penetration tester reviews the company’s assessment requirements for PCI DSS compliance.
  • Discovery
    Next, the penetration tester identifies all of the assets inside the network within the scope determined in the previous step. This step gathers all the information needed for the attacks that will be performed in the next step. You can give the penetration tester some information up front to reduce the time this step takes.
  • Evaluating
    Once all of the details are gathered, the penetration tester starts testing the applications, network and systems. This is done to find vulnerabilities in the environment that might cause trouble in the future.

Penetration testing differs from a real attack in that the pentester goes deeper into the environment, which can take a lot of time. Thus, you need to decide where your penetration tester should spend most of their time.

Furthermore, the information you give them also affects the time they need for the test. There are three methodologies that can be used for the penetration test:

  • White-box
    In this test the penetration tester is given detailed information about the environment to be tested before the test begins.
  • Gray-box
    In this test the penetration tester is not given any information about the environment to be tested.
  • Black-box
    In this test the penetration tester is given limited information about the environment to be tested before the test begins.

You can determine which methodology to use according to the area of the environment that will be the focus of the test.

  • Reporting
    After the test is done, the penetration tester evaluates the results and produces a complete report that explains the methodology used during the penetration test as well as the findings. That way, you can clearly see the flow and each stage of the penetration test. The report also serves as evidence that you can present to stakeholders or to the assigned QSA.
  • Retesting
    The penetration test does not stop there, because you still need to make sure that the fixes applied to the tested environment actually resolve the vulnerabilities as intended. That is why retesting is necessary; it also needs to be done regularly to find new vulnerabilities, since the environment is constantly changing.


It is important for your company to comply with PCI DSS, as it helps you protect cardholder data and secure your environment. One of the requirements you must meet to comply is to perform penetration testing on the systems and environment you use.

This penetration testing also helps you find vulnerabilities before they are exploited in a real attack. That way, you can mitigate the risk and strengthen your environment to avoid damage.

Tags: PCI DSS, PCI DSS requirements, PCI DSS compliance, PCI DSS penetration test, PCI DSS pentest
