The payment card industry is constantly attracting the attention of hackers. That’s why it requires maximum cyber defence.
On 31 March 2022, the Payment Card Industry Security Standards Council (PCI SSC) released an updated version of the PCI DSS 4.0 standard. We familiarised ourselves with the new version and are preparing for a comfortable transition to meet all the requirements.
After 31 March 2024, PCI DSS 3.2.1 will be phased out and PCI DSS 4.0 will come into effect.
In this article, we will consider only those requirements that relate to the penetration test (pentest).
PCI DSS certification sets out various requirements, including the need for regular penetration tests. In particular, requirement 11.4 emphasises the need to conduct external and internal penetration tests every 12 months or after significant changes in the environment.
These requirements also define segmentation testing checks that go beyond most standard penetration tests. Requirement 11.4 clearly states that companies must define, document and implement a penetration testing methodology that includes:
Below are a few examples of significant changes that will require further verification through penetration testing:
Vulnerability scanning is considered an important element of PCI DSS requirements. Requirement 11.2 sets out the following: conduct internal and external network vulnerability scans every quarter and after any significant network change; remediate the identified vulnerabilities and, where necessary, rescan until a passing result is obtained. After passing the initial PCI DSS compliance scan, the entity must complete four quarterly scans over the following year. The external scan is carried out every quarter by a qualified scanner from a company that specialises in such services, and is always repeated after changes to the network. Internal scans can be performed by internal staff.
Requirement 11.4.1 relates to the methodology used by professionals when performing penetration tests. It requires industry-accepted approaches, i.e. a methodology that simulates the actions of a real attacker. It is important to note that automated scanning alone is not sufficient to meet this clause.
Penetration testing for PCI DSS compliance should be performed in one of the following ways:
PCI DSS 4.0 even provides guidance on selecting an external third party to conduct a PCI pentest in the Good Practices section of requirement 11. The PCI SSC recommends looking for a vendor with specific penetration testing certifications, which can help verify the tester’s skill level and competence.
The council also recommends choosing a penetration test vendor with previous experience in conducting PCI DSS compliance tests. When evaluating potential suppliers, you should take into account their years of experience, and the type and volume of work they have handled in the past, etc. Confirming that your vendor’s expertise meets your needs is essential for ongoing and seamless PCI DSS compliance.
Based on our many years of experience, we recommend engaging external providers to conduct pentesting. This will allow the entire range of work to be carried out faster and with greater professionalism.
Requirements 11.4.2 and 11.4.3 require internal and external penetration testing. Testing can be carried out by either a PCI-certified company or an independent service provider, but high qualifications are mandatory. Previous experience and industry certificates are taken into account.
Requirement 11.4.1 states that internal testing of the Cardholder Data Environment (CDE) is required, and many organisations have not performed this type of work in the past.
Internal and external testing of the entire CDE is required. Penetration testing is therefore increasing in scope, including network and application penetration testing, and will need to be scalable to meet the requirements of PCI DSS 4.0. Any digital environment connected to the CDE, including network, cloud, and hybrid environments, as well as applications such as APIs and web applications, will need to be included in the PCI DSS 4.0 compliance pentest.
Penetration testing should be performed at least once every 12 months in accordance with requirement 11.4 and after any significant infrastructure- or application-level upgrade or change. This is not only a mandatory requirement – it is considered best practice for all companies that care about cyber defence. Including penetration testing in the software development life-cycle (SDLC) can prevent a number of problems.
PCI DSS also requires repeated penetration testing to ensure that exploitable vulnerabilities have been properly addressed and no longer pose a threat to the CDE.
Segmentation testing is one of the components of penetration testing that is conducted to obtain PCI DSS certification.
Requirement 11.4.5 insists that testers confirm that network segmentation is properly implemented. The purpose of this requirement is to confirm that the controls effectively isolate the CDE from all systems outside of it. To meet this requirement, a series of scans is typically conducted from each out-of-scope network segment towards the CDE; any CDE service that answers from such a segment, other than a documented and approved path, is a segmentation failure.
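An added example of how the per-segment results of such a check can be evaluated (this is illustrative code, not from IT Specialist or the PCI SSC; the CDE inventory, segment names and approved paths are constructed):

```python
import socket

# Constructed CDE service inventory: host -> ports that must not be reachable
# from any out-of-scope segment.
CDE_SERVICES = {
    "10.10.1.10": {443, 5432},   # payment application and its database
    "10.10.1.11": {22},          # jump host
}

# Constructed list of documented, approved connections into the CDE:
# (source_segment, host, port). Anything else that connects is a finding.
APPROVED_PATHS = {("corp-it", "10.10.1.11", 22)}


def probe(host, port, timeout=2.0):
    """TCP connect check run from inside a segment; True if the service answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def evaluate(segment, reachable):
    """reachable: set of (host, port) that answered from `segment`.
    Returns the reachable CDE services that are not covered by an approved path."""
    findings = []
    for host, port in sorted(reachable):
        if port in CDE_SERVICES.get(host, set()) and (segment, host, port) not in APPROVED_PATHS:
            findings.append((segment, host, port))
    return findings


def run_segment(segment):
    """Probe every CDE service from the current segment and evaluate the result."""
    reachable = {(h, p) for h, ports in CDE_SERVICES.items() for p in ports if probe(h, p)}
    return evaluate(segment, reachable)


def report(results_by_segment, required_segments):
    """Segmentation test status per segment. A segment that was never tested is
    reported as NOT TESTED, because 11.4.5 expects every out-of-scope segment to be covered."""
    status = {}
    for seg in required_segments:
        if seg not in results_by_segment:
            status[seg] = "NOT TESTED"
        else:
            status[seg] = "FAIL" if evaluate(seg, results_by_segment[seg]) else "PASS"
    return status
```

Run `run_segment(<name>)` from a host inside each out-of-scope segment and feed the collected reachability sets to `report` to see which segments still need testing or remediation.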
Requirement 11.4.6 states that a review of segmentation should be conducted every six months.
The highly skilled and experienced Red Team at IT Specialist offers a full range of penetration testing services for businesses of all sizes that need to prepare for PCI DSS 4.0 compliance. Our team of PCI DSS experts can help you determine the right amount of penetration testing to achieve your desired outcome.