The Payment Card Industry Data Security Standard (PCI DSS) is a security framework designed to protect cardholder information from unauthorized access. For those security measures to be effective, organizations that process payments need to comply with the PCI DSS requirements. Although PCI DSS incorporates many prescriptive elements, its penetration testing requirement is often where firms struggle. To satisfy PCI DSS, organizations must therefore adopt penetration testing methods that both prove their controls work and protect their cardholder data environment.
There are three primary types of penetration test: black-box, white-box and grey-box assessments. While a black-box assessment provides the tester no information before the test begins, grey-box and white-box assessments give the tester partial or full information about the target systems, respectively.
For PCI DSS testing, white-box or grey-box assessments give organizations better insight into their environments. The information the organization provides streamlines the testing, making it less expensive and requiring fewer resources and less time.
It is also important to establish how a penetration test differs from a vulnerability scan.
Vulnerability scans identify, rank and report system vulnerabilities that could compromise a system. Typically, organizations are expected to run vulnerability scans quarterly and after making significant changes to the data environment. Most often, vulnerability scans use automated tools, followed by manual verification of the issues found.
Penetration testing, by contrast, purposefully seeks to exploit vulnerabilities by looking for gaps in security controls. More specifically, penetration testing is an active process of trying to break into a system, while vulnerability scanning passively reviews the landscape for potential problems. This proactive manual process takes more time and produces a more comprehensive result, and therefore need only be performed annually rather than quarterly.
Determining the scope of the cardholder data environment (CDE) must be an organization's first step in the PCI DSS penetration testing process. The scope must also cover the payment processors' access to public networks, including any restricted access to individual external IP addresses.
Furthermore, organizations must examine the internal critical systems that access cardholder information. As such, testing must include both application and network assessments.
Where an organization has segmented its network, the systems deemed outside the cardholder data environment (CDE) must also be tested to ensure that no cross-contamination exists. This testing confirms that the organization's segmentation controls work and keep cardholder information separated.
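Segmentation testing starts from the controls that are supposed to enforce the boundary. As an added example (not code from the original article), the Python script below reviews a firewall rule set for any allow rule that lets an out-of-scope network reach the CDE, which is the path a segmentation test would then have to confirm is actually blocked; the networks, rules and sanctioned administrative source list are constructed assumptions.

```python
"""Find firewall rules that let out-of-scope networks into the CDE.
Added example; the rule set and network ranges below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: int    # destination TCP port, 0 = any
    action: str   # "allow" or "deny"


# Constructed sample environment (assumption): the CDE is 10.10.0.0/24,
# 10.20.5.0/24 is a documented jump-host segment, 10.30.0.0/16 is the
# corporate LAN and is meant to be out of scope.
CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
SANCTIONED_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]
RULES = [
    Rule("10.10.0.0/24", "10.10.0.0/24", 0, "allow"),      # intra-CDE traffic
    Rule("10.20.5.0/24", "10.10.0.0/24", 443, "allow"),    # jump hosts -> CDE
    Rule("10.30.0.0/16", "10.10.0.10/32", 3389, "allow"),  # LAN -> CDE RDP: gap
    Rule("0.0.0.0/0", "10.10.0.0/24", 0, "deny"),          # default deny
]


def crossing_rules(rules, cde_nets, sanctioned):
    """Return allow rules whose destination overlaps the CDE but whose source
    is neither inside the CDE nor a sanctioned administrative segment.
    Each hit is a candidate segmentation gap to verify during the test."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        if not any(dst.overlaps(c) for c in cde_nets):
            continue  # does not touch the CDE at all
        if any(src.overlaps(c) for c in cde_nets):
            continue  # intra-CDE traffic is expected
        if any(src.subnet_of(s) for s in sanctioned):
            continue  # documented administrative path
        findings.append(r)
    return findings


if __name__ == "__main__":
    for rule in crossing_rules(RULES, CDE_NETWORKS, SANCTIONED_SOURCES):
        print(f"out-of-scope path into CDE: {rule.src} -> {rule.dst}:{rule.dport}")
```

Every rule the function reports should be either removed before the test or recorded as an expected finding that the segmentation test must prove unreachable.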