PCI Penetration Testing: Understanding the Objectives, Components, & Methodology

Published January 4, 2021 · 3 min read

Organizations that process credit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholder data—and while PCI DSS requirements include many prescriptive elements, one that often confounds businesses is penetration testing. To achieve PCI DSS compliance, businesses have to find penetration testing methods that prove the organization’s security controls protect the cardholder data environment.

What Is PCI Penetration Testing?

A penetration test (commonly known as a “pen test”) is an exercise in which a security professional attempts to exploit vulnerabilities and gain unauthorized access to your critical systems. These contractors are also known as “ethical hackers,” since they use techniques similar to those of real phishing schemes or cyber-attacks. The only difference is that they act with your permission, to discover areas of your network where information security should be tightened.

Three types of pen testing exist for PCI DSS:

  • Black-box assessments, where the client company provides no information to the tester before the pen test starts;
  • White-box assessments, where the client provides network and application details to the pen tester; and 
  • Grey-box assessments, which provide some information about target security systems, but not all.

White-box or grey-box assessments offer organizations better insight into their environments. That preliminary information the client company provides also streamlines the testing process, which means less cost and fewer demands on resources and time.

How Do I Pass a PCI Compliance Scan?

The Payment Card Industry Security Standards Council (PCI SSC) was created by the major credit card service providers to establish security standards (that is, PCI DSS) for all companies that process credit card information. The standards stress the need for frequent compliance scans to identify and remedy any potential vulnerabilities.

Depending on a company’s merchant level, however, it might not need a penetration test to be compliant. Some categories of self-assessment questionnaire (SAQ) don’t require a pen test, so be sure to understand which PCI security standards apply to your business before you begin your risk assessment.

The official requirement for organizations that do need penetration testing is a passing scan every 90 days. A business must also submit to additional testing if there are any changes to its cardholder data environment (CDE). Passing these scans indicates that your IT controls work and that the security protections you have in place satisfy the standards required of your particular organization.

If a company doesn’t pass its pen testing, the business must correct the failure as quickly as possible and run another scan to prove compliance.

Non-compliance with PCI DSS can carry serious consequences, including the loss of your credit card processing privileges. So it’s critical that you resolve any security issues a pen test might uncover. Passing a penetration test means the tester was unable to exploit any aspects of your system.

How Do a Penetration Test and a Vulnerability Scan Differ?

Vulnerability scans are meant to identify, rank, and report security vulnerabilities that can compromise a system. Traditionally, organizations must engage in vulnerability scans every quarter or after making significant changes to the data environment. Most often, vulnerability scans use automated tools followed up with manual verification of issues.

Penetration testing, by contrast, deliberately seeks out gaps in security features and tries to exploit them. Pen testing is an active process of trying to break a system, while vulnerability scanning passively reviews a landscape for potential problems. The manual nature of pen testing takes more time and produces more comprehensive results, and therefore only needs to occur annually rather than quarterly.

Penetration testing’s depth and cost also mean that organizations must limit the time spent on the task while meeting PCI DSS requirements. Meanwhile, vulnerability scanning limits a company’s insights to the point in time during which the scan was run.

What Are the Qualifications of a Good Penetration Tester?

According to PCI guidance, pen tests can be run by either a qualified internal assessor or an outside contractor. Some certifications for pen testers do exist; examples include the CEH (Certified Ethical Hacker) or the OSCP (Offensive Security Certified Professional). Beyond these certifications, the PCI DSS also offers a list of penetration testing requirements and necessary qualifications for penetration testers.

When hiring a penetration tester, ask for examples of their previous work. You will want someone who has experience testing your particular industry and software. Discuss what parts of your environment should be tested, and what your tester should do if a vulnerability is found. You’ll also want your tester to be in touch with you regularly throughout the process.

Finally, you’ll want to make sure that security testing will not interrupt your organization’s day-to-day operations. Make sure that the tester’s efforts will not cause any damage to your system components or inconvenience your customers.

ZenGRC’s monitoring abilities provide updated, in-the-moment insights that let an organization respond to changing threats and vulnerabilities in a constantly evolving threat environment. Moreover, organizations can store their penetration test and audit findings on the ZenGRC platform to drive better cross-enterprise outcomes.

For more information about how ZenGRC can help ease the pain of PCI DSS penetration testing, schedule a demo today.
