Introduction

With changes in technology, it is becoming easier and easier for companies to do business with each other and with their customers. That technology extends to payment methods as well, including electronic and card options, which need to be protected with cybersecurity controls. That’s where PCI DSS penetration tests, or Payment Card Industry Data Security Standard penetration tests, come in.

Card payments are the industry standard and fall under very important government regulations. Because these electronic payments are targets for bad actors and hacks, it is important to apply cybersecurity controls to these methods, including penetration tests. This specific pen test is necessary for businesses that provide payment card services, but it is also necessary for businesses that process, store, or transmit electronic card transactions.

What is PCI DSS?

To put it simply, PCI DSS stands for Payment Card Industry Data Security Standard. It is a cybersecurity standard applied to payment methods that use cardholder data. This includes the customer’s information, the bank or account information it is tied to, and the numbers on the card that are connected to the account. Without protections, a bad actor can easily get hold of this information and steal data or even money.

The PCI DSS has specific guidelines on requirements and procedures when it comes to protection. These requirements, taken from the PCI Data Security Standard overview, are as follows:

Build and maintain a secure network and systems

  • Install and maintain network security controls.
  • Apply secure configurations to all system components.

Protect account data

  • Protect stored account data.
  • Protect cardholder data with strong cryptography during transmission over open, public networks.

Maintain a Vulnerability Management Program

  • Protect all systems and networks from malicious software.
  • Develop and maintain secure systems and software.

Implement strong access control measures

  • Restrict access to system components and cardholder data by business need to know.
  • Identify users and authenticate access to system components.
  • Restrict physical access to cardholder data.

Regularly monitor and test networks

  • Log and monitor all access to system components and cardholder data.
  • Test security systems and networks regularly.

Maintain an Information Security Policy

  • Support information security with organizational policies and programs.

Depending on the business or service provider, there are additional PCI DSS requirements, such as those for multi-tenant service providers, entities using SSL/early TLS for card-present terminal connections, and more.

What is a PCI DSS penetration test?

Like other penetration tests, a PCI DSS pen test is a simulated attack on a network or system that contains cardholder data or other sensitive information. A cybersecurity firm works with the business, agrees on a timeline for the simulated attack, and then attempts to gain access. There is an information gathering period, an actual penetration attempt, and reports are produced based on the results.

This is an important test and is one of many pen tests that are available. The government requires it to be done at least once a year, but a business should want to do it more often than that. Protecting customer information is a crucial part of doing business, so it’s recommended that the test be done at least twice a year and each time a significant change or update is made to a network. Updates lead to changes in code, which can introduce bugs and other vulnerabilities.

The PCI DSS Penetration Test Process

Much like other penetration tests, the PCI DSS pen test goes through a few steps. There is an information phase, a penetration phase, a reporting phase, and then a retest phase. These should be in-depth, but every cybersecurity firm is different and has its own processes. The normal procedure is as follows:

Scoping Questions

Before any contracts or timelines are established, scoping questions are an important step for any business. A cybersecurity firm will find out how many networks, users, assets, and other items are involved in order to settle on a proper size and method for the penetration test.

Information Gathering

After services have been acquired, a security analyst will scan and gather information around the network perimeter. This is a combination of information freely available on the internet and information provided by the business.

Penetration Testing

The actual penetration test occurs when the security analyst attempts to get into the network. They apply real-world tactics and techniques in order to gain access, but without disrupting the company’s business while it happens. The work is done discreetly so that normal operations are not affected.

Reporting Phase

After the test is completed, the reporting happens. This is where all of the vulnerabilities and threats that were found are documented, typically ordered from most critical to least critical. The company is given time to remediate the findings before a retest is done.

Retesting

This is an important phase of any penetration test. A retest is done after the company has completed remediation. A new report is issued, and this is the report used for examiners and regulators.

Conclusion

A PCI DSS, or Payment Card Industry Data Security Standard, penetration test is necessary for any company that provides or stores crucial cardholder information. It concerns card payments or electronic payments and the handling of those processes. The PCI DSS is an industry standard and is used by the government for regulatory purposes.

Getting these penetration tests every year is a government requirement, but it is recommended to get one twice a year or after any significant update to a point-of-sale system or network. There are many cybersecurity firms that can provide this service, so it’s a good idea to compare them. Always make sure that you’re getting the best for your customers!

Eddy Berry, Security Research Analyst

Eddy has been researching cybersecurity for a few years now. Finding specific trends and best practices is something he takes pride in, as is keeping up with news and government regulations that are on the rise. He researches topics and writes articles based on current events and important vulnerabilities that are affecting people, always hoping to get the necessary cybersecurity steps to those who need them.