Penetration Testing in Support of PCI DSS 3.0

The Payment Card Industry (PCI) has recently released version 3 of the Data Security Standard (DSS), which is part of the compliance assessment for entities performing payment card processing, including merchants, processors, financial institutions, and service providers. Paragraph 11.3 of PCI DSS 3.0 requires the implementation of a penetration testing methodology, and greatly expands on the detail specified in version 2 of the PCI DSS. Penetration testing of the Cardholder Data Environment (CDE) is required for participating vendors by June, 2015, and is currently recommended as a best practice.

Penetration testing differs from vulnerability scanning in that it uses advanced hacker techniques to bypass typical security controls. A penetration test takes the view of a malicious outsider (or insider), who is intent on gaining access or control of the network.

A vulnerability scan is often the first step in a penetration test, as the results of the scan may reveal a security hole or simply information about the network that can be leveraged by the attacker to gain access. The penetration tester then uses his or her expert knowledge to exploit configuration errors, application vulnerabilities, or system services to gain a foothold in the network. Often, the penetrator must take multiple steps to fully gain control of a system or to gain access. A hacker may first seek access to a less-sensitive system (usually with less security defenses), and then leverage the internal network capabilities of that system to gain powers not normally available to the attacker when outside the firewall.

As discussed in our article on Network Segmentation, it is a best practice to segregate your CDE from the rest of your network. This helps to stop an attacker in his tracks if all he can gain access to is a non-sensitive system exposed to the Internet, and that system is strongly segregated from those processing credit cards. An additional advantage of segregation, in regards to PCI DSS, is that the penetration testing itself can be restricted to the CDE perimeter and those critical systems related to the support of the CDE. This will reduce the scope of the penetration test, save money, and allow the penetration tester to focus his or her efforts on the critical function of the CDE rather than trying to encompass an entire company network.

Penetration testing must be performed in a carefully planned manner. PCI DSS requires that it be according to an industry standard, such as NIST 800-115 “Technical Guide to Information Security Testing and Assessment”. In most cases, penetration testing should be performed on a specific schedule, with operational personnel on call to respond to services successfully exploited by the tester.

Penetration testing must include network functions such as firewalls and routers, directory services, and other components critical to the functioning of the CDE, in addition to the operating systems used on the servers and workstations. The testing must also include application-layer testing in accordance with industry application security best practices, such as OWASP, SANS CWE Top 25, and CERT Secure Coding. An additional goal of penetration testing is to test the segregation controls to ensure that they really do sufficiently separate the CDE from the rest of the network.

Finally, the penetration testing must test the network from both inside and outside the network. That is, testing must be performed against your network as seen from your customers on the Internet (the location of most hackers), as well as from inside the company firewall (the location of insiders, or a hacker who has penetrated the outer layers of your network defense).

Penetration testing should be performed using a detailed plan. The plan should include when the test is to take place, the IP addresses and systems in scope (and out of scope), and proper contacts in case a network problem should arise. The plan should include secure handling procedures for the results of the test, as they may reveal methods a real hacker could use to penetrate the network. The retention period of the results should be specified, and an approach to remediation of any issues found should be defined. PCI DSS 3.0 specifies that the results of the remediation efforts be provided as part of the PCI assessment.

You should ensure that those performing the penetration test are well versed in the practice and in the applicable standards. The pen-testing team should be able to work closely with operational personnel, to ensure they understand that a test is about to take place, and to be able to respond to the critical findings of the testing team. With the above considerations in mind, you will be able to successfully fulfill the requirements of paragraph 11.3 of PCI DSS 3.0.

Doug Atkinson CISSP – DataPrivia, Inc.