Choosing Your PCI Compliance Pen Testing Vendor

How To Choose Your PCI Compliance Pen Testing Vendor

Before getting into PCI Compliance Pentesting, let’s have a short introduction to PCI DSS. PCI DSS is mandated by the major card brands (Visa, MasterCard, American Express, JCB and Discover) and is administered by the PCI Security Standards Council (PCI SSC).

Any organization, vendor or company that processes payments by debit or credit card must become compliant with PCI DSS. The standard is a set of regulations that card-processing vendors must follow; vendors that do not follow it face heavy fines for being non-compliant.

Short overview of PCI SSC requirements

The PCI Security Standards Council has devised 12 high-level requirements that must be met in order to be compliant. Among these, Requirement 11 deals with penetration testing. Before the release of PCI DSS version 3.0, penetration testing was optional. It is now mandatory under Requirement 11.3, which states that the organization must implement a methodology for penetration testing that includes the following:

  • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results.

In addition, the requirement states that organizations must conduct a penetration test each time a significant change is made to the network, infrastructure or applications that hold cardholder data. From 1 July 2015 the penetration testing requirements became official, making PCI Compliance Pentesting mandatory. This is why it is important for any card processor to find a good vendor and carry out effective PCI Compliance Pentesting. This article explains why you need to perform PCI Compliance Pentesting and how to decide on and choose a good penetration testing vendor.

Why do we need to perform PCI Compliance Pentesting?

PCI Compliance Pentesting is the process of using offensive techniques in an effective and controlled way to find out whether a system, network, infrastructure or web application has security flaws that could be used by an attacker.

By doing PCI Compliance Pentesting regularly we can stay protected from fraud, theft and other attacks by hackers. Whenever a change is made to your environment (a hardware change, software change, upgrade, etc.) you have to conduct a penetration test, because after a change you cannot assume the same level of security that applied before, nor that the system is free of vulnerabilities just because it was tested earlier. A new addition is a new change, and whether that addition has flaws can only be confirmed by conducting a successful PCI Compliance Pentest of the changed environment. Regular PCI Compliance Pentesting is done for the following reasons, among others:

  • If there is a security breach in your environment and a service interruption results, it will cost the company.
  • Confidentiality will be lost if your environment is breached and you suffer data loss.
  • Without testing, we cannot say that all information is safeguarded effectively.
  • A penetration test helps identify vulnerabilities and prioritize the risks.
  • Regular penetration testing shows you how secure your infrastructure is, or where you fall behind in security, and helps you stay ahead.

Even though many companies are said to be PCI DSS compliant, many of them have still been hacked and suffered heavy losses. This is where the penetration test comes in: it reveals your security flaws and the latest attack vectors in use, and so warns you to safeguard your IT environment before it is exploited by an attacker. This is why the PCI Security Standards Council made penetration testing mandatory under Requirement 11.3 from DSS v3.0 onwards, instead of optional as it was before.

How to Choose your PCI Pen Test Vendor?

When you want to comply with PCI DSS and you opt for external penetration testing, you have to look into many aspects before hiring an individual or an organization to conduct testing in your IT environment. Below are a few of the things to take into consideration before choosing a PCI DSS penetration testing vendor.

  • Know whether the individual or organization holds certifications such as C|EH, E|CSA, L|PT, GPEN, OSCP or OSCE, and whether the company is ISO 27001 certified.
  • Always relying on big names is not a good choice, as you cannot easily question their methodologies or their performance, and if you do, the answer is unlikely to satisfy you. Another reason is that you need a penetration testing specialist and not a generalist: most testers from big-name firms will do a general test and send you a report accordingly.
  • Look at the credibility of the penetration tester or pen test vendor before choosing them, and find out how well they perform and how widely they are known.
  • A certificate alone does not guarantee a good result, so look at the vendor’s or individual’s previous records, customer reviews, etc.
  • Getting to know the vendor or individual does not mean having a face-to-face or phone conversation with them. It means looking at their previous success rate, customer satisfaction, and reviews from previous clients about their performance, technical knowledge and how they provide solutions.
  • Know about the expertise of the company. You can find this out by searching for whether they have contributed anything to the information security world: for example, whether they have found any zero-days or common vulnerabilities and presented a paper about them, or whether they have been mentioned in any Hall of Fame.
  • Ask about their testing methodology before approving the individual or tester to test your IT environment, and make sure that no damage, physical or virtual, will be done during the test.
  • Above all, choose a penetration testing service vendor according to your requirements, not just because they are testers and you need testing done. Each vendor specializes in different domains and caters to one or a few of them, so take this into consideration as well.

What are the things to be considered during a PCI Pentest?

  • The methodology used for penetration testing must be based on industry-accepted approaches.
  • Both internal and external penetration testing must be done.
  • Network-layer and application-layer testing must be included in the assessment.
  • The entire CDE (Cardholder Data Environment) must be included in the penetration testing scope.
  • Penetration testing should be carried out at least annually and must be done whenever a major change is made to the Cardholder Data Environment.
  • If exploitable vulnerabilities found during the assessment are patched, a retest must be conducted to make sure that the environment is safe and secure.
  • Your penetration testing should be repeated until you get a clean report, i.e. you are free of vulnerabilities; the test cycle therefore continues until you are healthy.
  • The company should ensure that the testers are given enough time to do their testing and complete the report. A tight schedule and short deadline will force the tester to skip parts of the testing.