The PCI Security Standards Council has updated its guidance for the payment card industry on penetration testing. The new guidance, available to download here, is intended as supplemental information to the PCI DSS (Payment Card Industry Data Security Standards) but does not supersede or replace it. For businesses taking online card payments, knowledge of this new documentation is highly recommended.
Table of Contents
Summary Of Guidance:
The guidance focuses on four key areas:
Penetration Testing Components:
Providing information on the different components that comprise a penetration test and how this differs from a vulnerability scan including scope, application and network – layer testing, segmentation checks, and social engineering.
Qualifications Of A Penetration Tester:
Determining the qualifications of a penetration tester, whether internal or external, through their past experience and certifications.
Penetration Testing Methodologies:
The guide provides detailed information relating to the three key parts of a penetration test: pre-engagement, engagement, and post-engagement.
Penetration Testing Reporting Guidelines:
Providing guidance for developing a comprehensive penetration test report that includes the necessary information to document the test as well as a checklist that can be used by the organization or the assessor to verify whether the necessary content is included.
Penetration Testing Components
This section of the guidance establishes the core components of a PCI DSS complaint penetration test, outlining the three main types: black-box, white-box and grey-box. PCI DSS penetration tests are typically performed as either grey or white-box – this is where the organisation provides either part or all of the details pertaining to the network and applications prior to the assessors carrying out the test. Black-box assessments, where no details are provided, are not advised to be performed as they are generally seen to yield less accurate results and require more time, money and resources to implement.
The goals of the penetration test are as follows:
- To determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or cardholder data.
The new guidance notes acknowledge that there is some confusion in the industry regarding the difference between a vulnerability scan and a penetration test. The guide helpfully provides a clear distinction between the two, noting key differentiators relating to the purpose, timing, processes and reporting of each activity.
Qualifications Of A Penetration Tester:
For a PCI DSS complaint penetration test to be carried out the tester must be independent of the organisation. They must not have had any involvement in the installation, maintenance or support of the targeted systems. In addition the guidance notes also provide information pertaining to certifications and past experience. In terms of certification, the Security Standards Council recommends looking for providers with qualifications such as: Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (CEH), Global Information Assurance Certification (GIAC) & CREST Penetration Testing Certifications. In terms of past experience, it’s advisable for organisations to look for testers with several years’ experience carrying out real tests, to seek references before contracting the tester and to determine if the tester has experiences with the technologies in the target environment.
Penetration Testing Methodologies:
This section establishes guidance on the three key areas of the penetration test: pre-engagement, engagement and post-engagement.
Pre-engagement refers to the methodologies a compliant test should follow prior to the start of the penetration test. This includes: Scoping (establishing the critical systems and areas to be assessed); Documentation (providing the assessor with detailed information on the components within the scope); Rules of Engagement (a set of rules for the conditions in which tests are to be performed); Success Criteria (defining when a penetration test is complete); Review (consideration of threats and vulnerabilities encountered in the last 12 months).
Engagement refers to acceptable methodologies of the penetration test. This includes: Application Layer (testing from the perspective of the defined roles of the application); Network Layer (interpreting the results of automated testing and determining if network layer testing is required); Segmentation (conducting tests used in the initial stages of a network penetration test).
Post-engagement refers to the activities both the tester and the tested ought to perform after the completion of the penetration test. This includes: Remediation Best Practices; Retesting Identified Vulnerabilities and Cleaning up the Environment.
Penetration Testing Reporting Guidelines:
This section provides guidance to the organisation in terms of the reporting and documentation that should be provided by the penetration tester. The final reports should assist the organization in its efforts to improve its security posture by identifying areas of potential risk that may need to be remediated. Core component areas for reporting include: Identified Vulnerability Reporting (discussion of the steps, vectors, and exploited vulnerabilities that lead to penetration); Reporting Guidelines (common contents of an industry standard penetration test) and Retesting Considerations.
For a detailed view of the updated guidelines, visit the PCI Security Standards Council website.
About the Author:Mike James works in the marketing department of Red Scan, a managed security company and wrote this piece along with CTO Simon Heron, the man responsible for developing the overall business and technology strategy and growth. Heron has more than 16 years’ experience in the IT industry, including eight years’ experience in internet security. During this time he has developed and designed technologies ranging from firewalls, anti-virus, LANs and WANs. Heron has an MSc in Microprocessor Technology and Applications, and a BSc in Naval Architecture and Shipbuilding and is a Certified Information Systems Security Professional (CISSP) and is a PCI-DSS Implementor (PCI-IM).
Be the first to write a comment.