The Payment Card Industry Security Standards Council (PCI SSC) requires all organizations that process card payments to protect cardholder data (CHD) and sensitive authentication data (SAD) from breach risks. PCI compliance testing is one of the best strategies to protect valuable CHD and SAD, requiring organizations to regularly test and scan systems to identify vulnerabilities.
Best Practices for PCI Compliance Testing
As the technology for processing card payments evolves, threat actors develop new ways to breach CHD environments. To keep pace with these cyberthreats, organizations can use PCI compliance testing tools that enable robust vulnerability scanning and penetration testing of the systems and networks that process CHD and SAD.
Specifically, organizations can reference PCI DSS Requirement 11 to develop their own PCI compliance testing measures, the most critical of which include:
- Detecting access point vulnerabilities
- Conducting vulnerability scans
- Developing penetration testing methodologies
Implementing robust PCI compliance testing can protect your organization from risks to CHD and SAD, preventing costly data breaches.
Detecting Wireless Access Point Vulnerabilities
PCI compliance testing for 802.11 wireless access points is critical to identifying vulnerabilities in CHD environments, protecting the integrity of CHD and SAD processed therein. Specifically, PCI DSS Requirement 11.1 requires organizations to regularly test CHD environments for the presence of wireless access points, ensuring identification of all authorized and unauthorized access points.
When conducting wireless access point detection, it’s critical that the methods used for testing access points can sufficiently detect unauthorized networks within CHD environments. The most common methods for detecting rogue wireless access points include, but are not limited to:
- Scanning wireless networks to identify unauthorized networks
- Physically inspecting system components and infrastructure for unusual changes
- Establishing network access controls to identify and quarantine unauthorized traffic
- Implementing wireless intrusion detection and prevention protocols
Robust PCI compliance testing of wireless access points can help prevent unforeseen cyberattacks launched via rogue access points.
PCI Compliance Requirements for Wireless Access Point Testing
To meet PCI compliance testing requirements, your organization can implement a testing procedure for wireless access points, ensuring:
- Documented processes for quarterly detection and identification of wireless access points
- Robust testing methodology for adequate identification of unauthorized wireless access point vulnerabilities, including:
  - Insertion of WLAN cards into system components
  - Connection of portable wireless devices to system components (e.g., USB sticks)
  - Wireless devices connected to network devices
- Quarterly implementation of unauthorized network detection
- Active notification of security personnel whenever an unauthorized network is detected, including alerts raised by automated monitoring systems (e.g., wireless IDS/IPS)
- Established incident response plan to mitigate threats from any unauthorized networks following detection
PCI compliance testing of wireless access points for vulnerabilities to CHD environments can significantly minimize breach risks to CHD and SAD.
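The rogue access point detection described above, as an added example that is not part of the original article: a survey of observed radios is compared against an authorized inventory, and each observation is classified so that security personnel can be notified. The inventory, survey values and site names are constructed.

```python
"""Rogue wireless access point check (added example; not from the article).
Compares a wireless survey against the authorized access point inventory,
as the quarterly detection under Requirement 11.1 described above requires,
and produces alerts for security personnel. All values are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ObservedAP:
    bssid: str      # radio MAC address seen during the survey
    ssid: str
    channel: int
    location: str   # site or sensor that observed the radio

# Constructed authorized inventory: BSSID -> SSID it is allowed to broadcast
AUTHORIZED = {
    "00:11:22:33:44:01": "CORP-POS",
    "00:11:22:33:44:02": "CORP-POS",
    "00:11:22:33:44:10": "CORP-GUEST",
}
# Constructed survey results from one site visit
SURVEY = [
    ObservedAP("00:11:22:33:44:01", "CORP-POS", 6, "store-17"),
    ObservedAP("00:11:22:33:44:02", "CORP-POS", 11, "store-17"),
    ObservedAP("AA:BB:CC:DD:EE:FF", "CORP-POS", 1, "store-17"),     # our SSID, unknown radio
    ObservedAP("12:34:56:78:9A:BC", "TP-LINK_9ABC", 3, "store-17"),  # unknown network
    ObservedAP("00:11:22:33:44:10", "CORP-GUEST", 36, "store-17"),
]

def classify(ap, authorized=AUTHORIZED):
    """Return 'authorized', 'ssid-mismatch', 'ssid-spoof' or 'unknown'."""
    expected = authorized.get(ap.bssid.lower())
    if expected is not None:
        # Known radio; still confirm it broadcasts only the SSID we assigned
        return "authorized" if expected == ap.ssid else "ssid-mismatch"
    if ap.ssid in authorized.values():
        return "ssid-spoof"  # one of our SSIDs from a radio we do not own
    return "unknown"

def find_rogue_aps(survey, authorized=AUTHORIZED):
    """Observations that are not an authorized radio on its assigned SSID."""
    return [(ap, v) for ap in survey
            if (v := classify(ap, authorized)) != "authorized"]

def alerts(findings):
    """One notification line per finding for the incident response process."""
    return [f"ALERT rogue-ap site={ap.location} bssid={ap.bssid.lower()} "
            f"ssid={ap.ssid!r} ch={ap.channel} verdict={verdict}"
            for ap, verdict in findings]
```

Feeding the alert lines into the existing notification channel gives the security team the evidence a quarterly detection record and the incident response plan both need.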
Vulnerability Scanning of CHD Environments
Alongside wireless access point testing, your organization should also develop PCI compliance testing tools for scanning CHD environments for vulnerabilities. PCI DSS Requirement 11.2 requires organizations to conduct internal and external vulnerability scans quarterly and after significant network changes. Such network changes include:
- Installation of new system components
- Modifications to network topology
- Changes in firewall rules
- Upgrades to systems or products
As part of PCI compliance testing, your organization can conduct internal vulnerability scans ensuring that:
- Scans are conducted quarterly.
- Any identified vulnerabilities are appropriately and timely remediated.
- Any unresolved “high risk” vulnerabilities (per your organization’s vulnerability risk ranking) are addressed, and the CHD environment is rescanned until they are resolved.
PCI compliance testing also requires your organization to conduct external vulnerability scans, which involve:
- Scanning by qualified and experienced personnel, i.e., a PCI SSC-qualified Approved Scanning Vendor (ASV)
- Rescanning of CHD environments to obtain passing scans
PCI compliance testing tools are critical to protecting CHD environments from attack, especially when implemented promptly and with the help of a qualified ASV.
PCI Compliance Scanning Requirements
Note that your organization can still meet quarterly scanning requirements by combining multiple scan reports that together demonstrate the required system scanning and vulnerability remediation. However, you may need to show additional documentation to verify that any non-remediated vulnerabilities are being addressed. For an initial PCI DSS assessment, four quarters of passing scans are not required if your assessor can verify that:
- The most recent scan was a pass
- Quarterly scanning policies and procedures are documented
- Identified vulnerabilities have been rectified, as shown in one or more rescans
Following initial PCI DSS review, organizations must demonstrate four quarters of passing vulnerability scans.
Besides quarterly vulnerability scanning, it’s essential to scan CHD environments after significant network changes, especially when faced with rapidly evolving threats to CHD. Working with an experienced Qualified Security Assessor (QSA) can help you meet the PCI compliance scanning requirements, ensuring up-to-date PCI compliance testing.
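A scan-history check for the cadence rules above, as an added example that is not part of the original article: it reports passing scans too far apart, failed scans never followed by a passing rescan, and significant changes not yet followed by a scan. It assumes "quarterly" means passing scans at most 90 days apart, and every date and result below is constructed.

```python
"""Quarterly scan cadence check (added example; not from the article).
Reports the gaps a QSA would ask about: passing scans more than 90 days
apart, failed scans never followed by a passing rescan, and significant
changes not yet followed by a scan. All dates below are constructed."""
from datetime import date, timedelta

# Constructed scan history: (scan date, scope, passed)
SCANS = [
    (date(2021, 2, 1), "external", True),
    (date(2021, 4, 5), "external", False),   # high-risk finding, fails
    (date(2021, 4, 20), "external", True),   # passing rescan after remediation
    (date(2021, 7, 9), "external", True),
    (date(2021, 10, 1), "internal", False),  # never rescanned
    (date(2021, 11, 2), "external", True),   # 116 days after the July pass
]
# Constructed significant network changes: (date, description)
CHANGES = [
    (date(2021, 8, 15), "firewall rule change"),  # scans followed
    (date(2021, 12, 1), "new network segment"),   # no scan yet
]
AS_OF = date(2021, 12, 31)
MAX_GAP = timedelta(days=90)  # assumed interpretation of "quarterly"

def passing_dates(scans, scope):
    return sorted(d for d, s, ok in scans if s == scope and ok)

def cadence_gaps(scans, scope, max_gap=MAX_GAP):
    """Pairs of consecutive passing scans that are more than max_gap apart."""
    p = passing_dates(scans, scope)
    return [(a, b) for a, b in zip(p, p[1:]) if b - a > max_gap]

def unresolved_failures(scans, scope):
    """Failed scans with no later passing scan of the same scope."""
    p = passing_dates(scans, scope)
    return [d for d, s, ok in scans if s == scope and not ok
            and not any(pd > d for pd in p)]

def changes_without_scan(scans, changes, as_of):
    """Significant changes not followed by any scan up to as_of."""
    dates = [d for d, _, _ in scans]
    return [(d, why) for d, why in changes
            if not any(d <= sd <= as_of for sd in dates)]

def four_quarters_passing(scans, scope, as_of, max_gap=MAX_GAP):
    """True if the trailing 365 days have passing scans no more than max_gap apart."""
    start = as_of - timedelta(days=365)
    p = [d for d in passing_dates(scans, scope) if start <= d <= as_of]
    points = [start, *p, as_of]
    return bool(p) and all(b - a <= max_gap for a, b in zip(points, points[1:]))
```

On the constructed history the July-to-November gap alone is enough to fail the four-quarter check, which is why the date of a passing rescan matters as much as the scan itself.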
Implementing PCI DSS Penetration Testing
Another component of PCI compliance testing is penetration testing, or “pen testing.” Penetration testing is essentially “ethical hacking,” wherein a team of trained cybersecurity professionals simulates realistic attacks against your organization’s systems and networks. PCI DSS penetration testing can help identify existing vulnerabilities in CHD environments, prompting the necessary mitigation measures.
PCI DSS Penetration Testing Methodology
Per PCI DSS Requirement 11.3, organizations processing CHD and SAD can implement PCI DSS penetration testing methodologies with a focus on:
- Using industry-standard, accepted pen testing tools and methodologies based on frameworks such as NIST SP 800-115
- Testing critical systems, especially those within the perimeter of the CHD environment
- Testing both internal and external components of critical networks
- Testing and validating the segmentation controls used to isolate networks and reduce PCI DSS scope
- Application-layer pen testing covering, at a minimum, the common coding vulnerabilities referenced in PCI DSS Requirement 6.5
- Network-layer pen testing covering the components that support network functions, as well as operating systems
- Reviewing threats and vulnerabilities, including those experienced or identified by security assessments in the last 12 months
- Retaining pen testing results and records of vulnerability remediation activities
A robust PCI DSS penetration testing methodology can help your organization promptly identify and remediate vulnerabilities within CHD environments, minimizing the risk of data breaches.
PCI DSS Penetration Testing Requirements
For the robust implementation of a PCI DSS penetration testing methodology, your organization can conduct pen testing, focusing on:
- Internal and external pen testing, at least annually and after any significant changes to CHD-processing infrastructure (e.g., applications, operating systems, networks, and servers)
- Remediation of exploitable vulnerabilities identified during pen testing
- Re-testing of systems to verify remediated vulnerabilities
- Pen testing of networks where segmentation controls are used to isolate CHD environments from other networks, ensuring:
  - Pen testing is conducted at least annually and after significant changes to networks
  - Verification that segmentation is active and effective
  - Isolation of out-of-scope systems from systems in the CHD environment
  - For service providers specifically, pen testing of segmentation controls at least every six months or after changes to controls, confirming PCI DSS scope
PCI DSS penetration testing can help your organization protect valuable CHD from breach risks and vulnerabilities, especially with the expertise of a penetration testing partner.
Note on Upcoming PCI DSS v4.0
Note that PCI DSS v4.0, scheduled for release in March 2022, will supersede the current version, v3.2.1. According to the PCI SSC, organizations will have 18 months after the final release to transition to the updated v4.0 requirements, allowing sufficient time to update security protocols and remediate any gaps.
Achieve Industry-Standard PCI Pen Testing and Scanning
PCI compliance testing can help your organization minimize breach risks to sensitive CHD and SAD, protecting you from the reputational, legal, and financial consequences of data breaches.
RSI Security offers year-round managed cybersecurity compliance, especially for widely applicable frameworks such as the PCI DSS. Your organization can achieve up-to-date PCI compliance with the help of our team of experts. Contact RSI Security today to learn more!