If you know anything about cybersecurity, you are probably familiar with penetration testing. This is a method of testing your defenses by having a qualified tester probe them: they actively try to break through or circumvent your controls, just as a real attacker would, and report what they found so the flaws can be corrected before someone else exploits them. A PCI DSS penetration test is a specific type of penetration test with its own scope and requirements, so let's talk about this kind of testing and what it involves.
What Is PCI DSS Testing?
This type of penetration testing is focused on systems that store, process, or transmit payment card data. This includes credit cards, debit cards, and branded prepaid and gift cards. The standard behind it, the Payment Card Industry Data Security Standard (PCI DSS), is maintained by the PCI Security Standards Council, an industry body founded by the major card brands (American Express, Discover, JCB, Mastercard, and Visa).
When doing a standard penetration test, the overall goal is to improve security across the whole organization. PCI DSS testing, on the other hand, is focused on the cardholder data environment (CDE): the people, processes, and systems that handle cardholder data. "Cardholder data" means the primary account number (PAN) together with the cardholder name, expiration date, and service code; "sensitive authentication data" means full track data, card verification codes (CVV2/CVC2/CID), and PINs or PIN blocks, which must never be stored after authorization.
The 12 Requirements
The PCI Security Standards Council publishes the standard, and the 12 requirements below are the requirements of PCI DSS itself; penetration testing is one of the controls the standard mandates (Requirement 11 calls for internal and external penetration tests at least annually and after any significant change to the environment). Any company that stores, processes, or transmits cardholder data must meet these requirements at all times. If not, the card brands and the company's acquiring bank can impose fines, and in cases of severe or repeated infractions they may suspend or revoke the company's ability to process card transactions. Needless to say, that is very bad for business. Here are the 12 requirements:
- 1. Install and maintain firewalls (network security controls) and their rule sets to protect cardholder data
- 2. Never use vendor-supplied defaults for system passwords and other security parameters
- 3. Protect stored cardholder data (for example, render the PAN unreadable wherever it is stored, and mask it when displayed)
- 4. Encrypt cardholder data whenever it is transmitted over open, public networks
- 5. Protect all systems against malware and keep anti-malware software current
- 6. Develop and maintain secure systems and applications, including timely patching
- 7. Restrict access to cardholder data to those with a business "need to know"
- 8. Identify and authenticate all access to system components; every user and administrator gets a unique ID
- 9. Restrict physical access to cardholder data and the systems that hold it
- 10. Track and monitor all access to network resources and cardholder data
- 11. Regularly test security systems and processes (vulnerability scans, penetration tests, and segmentation tests)
- 12. Maintain an information security policy that applies to all personnel
The Various Types of PCI DSS Penetration Tests
This isn't just one type of pen test, as every environment has different circumstances to consider. That is why PCI compliance penetration testing is broken into a few sub-types:
PCI DSS Network Penetration Test
As the name implies, this kind of PCI penetration testing involves a tester trying to gain unauthorized access to the network that makes up the cardholder data environment, both from the outside (the Internet-facing perimeter) and from the inside (an attacker or compromised device already on the corporate network). It covers not only user devices, but also servers, network hardware, and the network as a whole. A test like this will examine network and firewall configuration as well as the effectiveness of any security software that is present. The end goal is to make the network more resistant to intrusion. This kind of test can be conducted for both wired and Wi-Fi networks, although the procedures differ slightly.
PCI DSS Segmentation Control Test
A well-secured network is separated into sections (that is to say, segmented), and PCI DSS relies on segmentation to keep the cardholder data environment isolated from the rest of the business. If an attacker compromises a system in the "outer layer" of your network, segmentation forces them to surmount additional obstacles before reaching anything that holds card data; no one should be able to compromise the whole network in one fell swoop. A segmentation control test verifies that the controls actually do this: the tester works from each out-of-scope network segment and attempts to reach CDE systems, looking for any path (an overly permissive firewall rule, a dual-homed host, a forgotten VPN or management interface) that connects the segments. Every TCP and UDP port on the in-scope hosts is checked from the out-of-scope side, as is ICMP (ping) reachability; any successful connection is a failure that must be fixed and re-tested. PCI DSS requires this test at least annually, and at least every six months for service providers.
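The following is an added example, not code from PCH Technologies or the PCI Security Standards Council, showing the core of a segmentation check: run from a host on an out-of-scope segment, it attempts a TCP handshake to each in-scope host and port and reports any that answer. The host names, addresses and port list are constructed for illustration; a real test uses the in-scope system inventory from the PCI scoping exercise and is repeated from every out-of-scope segment.

```python
"""Segmentation control check (added example, not PCH Technologies code).

Run from a host on an OUT-OF-SCOPE segment. Every TCP connection attempt
toward the cardholder data environment (CDE) should fail; any completed
handshake is a segmentation failure. Hosts, addresses and ports below are
constructed for illustration.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed CDE targets (hypothetical names/addresses); replace with the
# in-scope host list from the scoping exercise.
CDE_TARGETS: Dict[str, str] = {
    "pos-db-01": "10.20.0.10",
    "pos-app-01": "10.20.0.20",
}

# Services a misconfigured firewall most often leaks; a full test covers all
# 65535 TCP and UDP ports, this list only keeps the example short.
PORTS: List[int] = [22, 80, 443, 1433, 1521, 3306, 3389, 5432]


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes, i.e. the CDE is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable all count as "not reachable"
        return False


@dataclass
class SegmentationReport:
    reachable: List[Tuple[str, str, int]] = field(default_factory=list)
    checked: int = 0

    @property
    def passed(self) -> bool:
        # Segmentation holds only if nothing in the CDE answered.
        return not self.reachable


def check_segmentation(
    targets: Dict[str, str],
    ports: List[int],
    probe: Callable[[str, int], bool] = tcp_probe,
) -> SegmentationReport:
    """Probe every target/port pair and record each one that is reachable.

    `probe` is injectable so the decision logic can be exercised without a
    live network (the default performs a real TCP connect).
    """
    report = SegmentationReport()
    for name, addr in targets.items():
        for port in ports:
            report.checked += 1
            if probe(addr, port):
                report.reachable.append((name, addr, port))
    return report


if __name__ == "__main__":
    result = check_segmentation(CDE_TARGETS, PORTS)
    print("PASS" if result.passed else "FAIL", f"({result.checked} probes)")
    for name, addr, port in result.reachable:
        print(f"  reachable from this segment: {name} {addr}:{port}")
```

A TCP connect is only one of the checks a segmentation test performs: UDP services and ICMP (ping) need their own probes, and the test must be rerun from each out-of-scope segment, because a rule that blocks the guest Wi-Fi may still let the back-office VLAN through.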
PCI DSS Application Penetration Test
Application vulnerabilities are one of the most common weak points in any network security structure. Applications are made up of code written by programmers, and that code can contain flaws such as injection bugs, broken authentication, or missing access checks. Attackers exploit these flaws to make the application do something its designers never intended, including handing over the cardholder data it processes. A PCI DSS application penetration test has security professionals attempt to exploit vulnerabilities in the payment applications, web applications, and APIs that touch cardholder data in order to gain unauthorized access, and to confirm that the fixes required under Requirement 6 actually hold.
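To make this concrete, here is an added example (not code from the original article or from PCH Technologies) of the kind of flaw an application test looks for and the fix a re-test should confirm. The schema, the two customer rows and the `lookup_cards_*` functions are constructed for illustration; the card numbers are standard Luhn-valid test numbers, not real accounts. The vulnerable lookup builds SQL by string formatting, so a crafted customer name returns every stored PAN; the hardened lookup binds the parameter and masks the PAN (first six and last four digits at most, the Requirement 3 display rule) before it leaves the data layer.

```python
"""Card lookup: injectable vs. hardened (added example, not from the original page).

Everything here is constructed for illustration: an in-memory SQLite table of
(customer, PAN) rows using well-known test card numbers, a deliberately
vulnerable query, and the hardened replacement an application test would verify.
"""
import sqlite3
from typing import List, Tuple

# Constructed sample rows; 4111... and 5555... are published test PANs, not real cards.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("alice", "4111111111111111"),
    ("bob", "5555555555554444"),
]


def make_db() -> sqlite3.Connection:
    """Build the constructed cards table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_cards_vulnerable(conn: sqlite3.Connection, customer: str) -> List[Tuple[str, str]]:
    """DELIBERATELY VULNERABLE: untrusted input is concatenated into the SQL text,
    so a value like  x' OR '1'='1  turns a single-customer lookup into a full dump."""
    sql = f"SELECT customer, pan FROM cards WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def mask_pan(pan: str) -> str:
    """Mask a PAN to at most the first six and last four digits (Requirement 3 display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def lookup_cards_hardened(conn: sqlite3.Connection, customer: str) -> List[Tuple[str, str]]:
    """Bound parameter: the driver sends the value separately from the SQL text,
    so quotes in `customer` can never change the query. The PAN is masked
    before it is returned, so even a future bug elsewhere leaks less."""
    rows = conn.execute(
        "SELECT customer, pan FROM cards WHERE customer = ?", (customer,)
    ).fetchall()
    return [(c, mask_pan(p)) for c, p in rows]


# Payload a tester would submit in the customer-name field.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable + injection:", lookup_cards_vulnerable(db, INJECTION))  # both PANs, unmasked
    print("hardened + injection:  ", lookup_cards_hardened(db, INJECTION))    # no rows
    print("hardened, alice:       ", lookup_cards_hardened(db, "alice"))      # masked PAN
```

The re-test after the fix checks both halves: the injection payload must return nothing, and legitimate lookups must return only masked PANs, since a test that shows full card numbers on screen or in logs is itself a finding under Requirement 3.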
Social Engineering Test
Most cyberattacks begin with a social engineering attempt. You know those suspicious text messages and e-mails that try to get you to click on strange links? Those are usually social engineering (phishing) attempts. The links lead to a web page that imitates a legitimate login page, so unwary users type in their credentials and the page simply sends them to the attacker. A social engineering test is a test of your people and processes rather than your technology. The testers try common social engineering techniques (phishing e-mails, pretext phone calls, attempts to talk their way into restricted areas) against selected staff and document the results. PCI DSS does not mandate social engineering as part of the penetration test, but it is often included because a stolen password is the easiest way into the cardholder data environment.
This type of penetration testing is extremely important because cardholder data is so susceptible to misuse. Obviously, the potential for fraud is immense, to say nothing of the possibilities for identity theft and all sorts of other crimes. That is why any company that processes cardholder information must be aware of (and follow) these requirements. If you would like to learn more about this subject, feel free to call PCH Technologies at (844) 754-7500.