Consistently testing and quickly addressing risks to your network security system is not just one of the common security controls that can be looked over, it is imperative to effective and safe performance. If your companys security system does not receive the necessary updates to its infrastructure, it can be potentially devastating for your organization.
Not being on top of these essential tasks can open the door to a myriad of cyber security threats from internal and external sources that could take years to recover from. However your business plans to approach security system testing, you should make sure you efforts fall in line with Payment Card Industry Data Security Standard (PCI DSS) requirements.
Incorporating security testing techniques to test your monitoring center such as variations of penetration testing, vulnerability scans, and risk analysis assessments are the way to go if you plan to secure your network and protect your business. Get the low-down on how your organization can effectively configure its data security services to stay compliant with PCI data security standards.
Penetration Testing
Understanding the ins and outs of your security system entails doing a little prodding into any possible areas of vulnerability that may already be present. This is done via what is known as a penetration test (Pentest). Performing a Pentest can be a lengthy process that requires much planning, preparation, and precise execution, but can divulge an immense amount of information about the effectiveness of your organizations data security services which is why it typically takes trained security professionals to perform it correctly. Companies that wish to remain PCI DSS compliant and fall under the categories of needing to take Self-Assessment Questionnaire (SAQ) types A-EP or D must also perform a Pentest. More details are noted in the table below:
| SAQ Type | Description | Pentest required? | Segmentation Test Required? |
| A | Ecommerce: full outsource of payment processing | No | No |
| A-EP | E-commerce: partial outsource of payment processing | Yes | Yes |
| B | Merchants using standalone dial-out terminals | No | No |
| B-IP | Merchants using standalone IP connected terminals | No | Yes |
| C | Merchants with payment application system connected to the internet | No | Yes |
| C-VT | Merchants using a virtual terminal from dedicated computer | No | Yes |
| D | All other merchants who arent eligible for other SAQs | Yes | Yes |
| P2PE | Merchants who use validated P2PE processing terminals | No | No |
Even though performing a Pentest is not a PCI DSS requirement for many companies, its still highly recommended to perform and internal test of varying complexity on a consistent basis.
Better safe than sorry, right? Right.
Overall, the Pentest varieties that are most commonly performed are White-Box, Grey-Box, and Black-Box tests. Each test fits a specific mold of business; therefore, a test might be more effective at catching vulnerabilities for one company, but ineffective at catching them for another company. Lets deep dive into these variations of Pentests in the next headings:
White-Box Testing
White-box testing is where a business provides a tester with complete details of its network and application so that the tester can critically analyze every aspect of their system.
This way, you will be able to ensure that your security system monitoring service can protect you, even from a malicious user who is extremely familiar with the ins and outs of your network. This type of Pentest is generally considered to be the most effective Pentest because it allows the organization to completely simulate an attack of varying degrees without spending too much time or resources. The one disadvantage of a white-box test is that the security team is aware of the test, thus their approach to incident response may not be the most realistic as if they were unaware.
Black-Box Testing
Black-box testing is configured just like you would think it would be configured. No details are divulged to the tester before the test is administered. Unless your tester is an extremely confident and accomplished Pentester, this Pentest may be ineffective at effectively simulating all available attack scenarios to the organizations security system. Although the test does provide the highest level of realism, it is usually not the most cost-effective. Since the entity provides no details of the target systems prior to a black-box test, the test may require more time, money, and resources to perform. If your organization lowers its threshold for attacker skill, it may cause the pentester to miss out on attack vectors that would commonly have been found in a white-box or grey-box test.
Grey-Box Testing
Grey-box testing is a hybrid of white-box and black box testing. In white-box testing, the code and applications are known and the code and applications are unknown in black-box testing, grey-box testing provides the tester with partial knowledge of the companys internal security system structure. This type of service is perfect for a company that are looking to get the advantages of white and black box methods and maintain a high level of control over the testing parameters. Setting up this test can be as complex as the company wishes to make it. The company must pre-determine the exact level of knowledge to provide the tester. The realistic qualities of this test are hedged on whether management feels that the tester has received too much information or not. Although this process does save organizations money, it can eat up quite a bit of time if the testing environment is not configured to the standards of the companys management and the PCI Security Standards Council (SSC).
Vulnerability Scan
Vulnerability scans are similar to a penetration test in that the goal of this assessment is to ascertain weaknesses in your network to determine if you may be vulnerable to a future attack. A vulnerability scan can identify, rank, and report security vulnerabilities that could possibly compromise a security system if penetrated. This takes the data that was divulged through the penetration test to the next level, therefore providing a deeper understanding of your environment and where time and attention should be spent in the future.
To maintain PCI compliance, vulnerability scans are required to be completed by an Approved Scan Vendor (ASV) on a quarterly basis. The higher the frequency of vulnerability scanning, the timelier the results will be and it is often easier to incorporate the results of the scan into the development life cycle. Each vulnerability scan is comprised of an internal and external scan which are highlighted in their own headings below.
Internal Scan
An internal vulnerability scan operates within your businesss firewall(s) to identify any signal that there is real and potential vulnerabilities to your organizations network. Internal scans must be conducted by qualified personnel who are reasonably independent from the host. The scans are required by PCI DSS to be repeated until all high-risk vulnerabilities are completely resolved. Due to the specific nature of these testing requirements, most companies opt to have their internal scans completed by third-party vendors.
External Scan
External vulnerability scans differ from internal scans in that their goal is to find security system firewall gaps where malicious outsiders might be able to break in and attack your network. External scans must be performed by a PCI SSC Approved Scanning Vendor (ASV) and must maintain a Common Vulnerability Scoring System (CVSS) that showcases that all Medium or High vulnerabilities have been completely resolved.
Risk Analysis Assessment
Risk analysis assessments are ongoing professional monitoring investigations that aim to uncover any potential systems and/or processes that are actively putting you or your customers data security in harms way. Risk assessment is a key part of what goes into comprehensive cyber security solutions. Risk assessments allow organizations to keep up to date with changes and evolving threats to the cardholder data environment (CDE). PCI DSS requires that a formal risk assessment is conducted by organizations wishing to stay compliant at least on an annual basis after they have made significant changes to their data environment. Risk analysis assessments also aim to identify assets and controls that may also qualify your organization for a possible scope reduction under its SAQ which can be extremely beneficial as a reduction in scope can potentially be a huge money saver in the long term.
PCI DSS Requirements
Knowing everything that you now know about penetration tests, vulnerability scans, and risk analysis assessments, will make it much easier to ascertain what to do to remain PCI DSS compliant. These tests are all covered in PCI DSS requirements 6.1, 11, and 12.2. Find PCI DSS solutions or read on to keep your organization in the clear from a potential breach or becoming noncompliant with the PCI SSC.
PCI DSS Req. 6.1
Requirement 6.1 states that sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing lists, or RSS feeds. The goal of this requirement is to ensure that your organization is up to date with new security vulnerabilities that might possibly impact your environment in the future. Consistently performing code vulnerability reviews to your public-facing web applications shows PCI SSC that your network is protected from known (and common) attack methods. You will also need to install a firewall in front of any online application where customers can input their sensitive payment card data or other PII.
All your system components and software must have the latest, vendor-supplied security patches installed with deployment of critical patches set to install within a month of release. Once an assessor identifies these vulnerability and patches via a vulnerability scan, they are given a score between 1 and 10; 1 being informational and 10 being needs to be addressed immediately. Once the vulnerability scan is complete, the organization is given a risk ranking which they then use to formulate a plan to immediately patch up any critical or urgent vulnerabilities.
PCI DSS Req. 11
Compliance with PCI DSS requirement 11 is done through the regular testing of security systems and processes. Compliance with this requirement is done via adhering to prevention of network intrusions through vulnerability scans and penetration tests. For those organizations that handle sensitive authentication data (SAD), they must use network intrusion detection or network intrusion prevention systems to monitor all traffic at the perimeter and at critical points inside of the cardholder data environment (CDE).
Requirement 11.3 of PCI DSS requirement 11 focuses on the need for your organization to have a penetration methodology in place whether youre outsourcing your penetration tests or not. This requirement covers the need for the organization to implement internal and external penetration tests on an annual basis. If a penetration test detects exploitable vulnerabilities in your security system, then these should be fixed and re-tested until the corrections can be verified. Requirement 11.5 of PCI DSS requirement 11 calls for the removal of the cardholder data environment (CDE) from the testing procedure for testing consistency purposes, thus expanding the number of systems that require critical file monitoring.
PCI DSS Req. 12.2
The goal of PCI DSS requirement 12.2 is to address information security for all personnel involved via the preparation of risk assessments. As mentioned in previous headings, risk assessments that identify critical assets, threats, and vulnerabilities must be performed on an annual basis. These risk assessments aim to help the organization identify, prioritize, and manage information security risks.
It is advised that organizations disseminate a security policy that addresses all PCI DSS requirements to all company employees which then would culminate in an annual process for identifying vulnerabilities and formally assessing risks in your CDE. Having the entire company aware of policies and procedures allows for the effective control of data security compliance standards. Without awareness and understanding of why these best practices and procedures are necessary, employees may be more inclined to make mistakes that that unwittingly cause a data breach. It is for this reason that organizations that formulate a risk analysis assessment should also have an incident response plan in place to ensure that they can prepared to respond immediately in the event of a breach.
Closing Thoughts
Performing regular data security system testing doesnt need to be rocket science and it shouldnt be something that you try to sweep under the rug just because you did it last year. Instead, the series of beneficial tests, scans, and assessments that will keep you compliant with the above PCI DSS requirements should be approached with eagerness. When you see that 20% of all vulnerabilities discovered in vulnerability scans in 2017 were classified as high or critical risk, you can see why it is beneficial for your organization to approach these security tests positively to maintain the quality of your network infrastructure and CDE.
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.
