A PCI Pentest is a pentest that has specific requirements under PCI DSS to verify the protection of Cardholder Data. Cardholder data typically consists of credit card numbers, track 2 data and the PCI council has standards that govern how it must be protected. The fundamental difference between a PCI pentest and a conventional test is the why. A PCI Pentest is designed to validate the security of credit cards, and a conventional pentest is to improve security across your organization. There are a few differences in how a PCI Penetration Test is completed including the addition of Segmentation Testing to validate isolation of the environment, mandatory testing for each application role, formalized requirements for annual testing, and after any significant change.

Within a PCI penetration test, there are two types of testing performed including a network-layer penetration test and application-layer penetration testing. These are very similar to conventional penetration testing in that network-layer penetration testing is essentially an infrastructure pentest, and application-layer penetration testing is identical to application security testing.

Who needs to perform a PCI Pentest?

Penetration Testing is a control used by PCI DSS to evaluate the likelihood of a compromise and these specific requirements mandate testing in circumstances that the PCI Council considers riskier. PCI Pentests are mandatory for Tier 1 merchants, specific eCommerce-only merchants covered under SAQ A-EP and service providers falling under SAQ D. While penetration testing is not mandatory for all SAQ, it is always prudent to evaluate the security of your organization regardless of the PCI requirements considering PCI DSS focuses solely on the protection of credit card information, not your brand, customer privacy or security.

The PCI Council specifies in their PCI Penetration Testing Guidance and PCI DSS 11.3 Requirements that a pentest needs to be completed by a qualified internal resource or third-party as long as they are organizationally independent. The PCI guidance specifies the following examples of Penetration Testing certifications that may validate that resources are qualified. Certifications alone are not enough and the council also outlines guidelines for assessing past experience of the consultant.

  • Offensive Security Certified Professional (OSCP)
  • Certified Ethical Hacker (CEH)
  • GIAC Certified Penetration Tester (GPEN)
  • GIAC Web Application Penetration Tester (GWAPT)
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  • CREST Penetration Testing Certifications
  • CESG IT Health Check Service (CHECK) certification

This list is fairly well rounded but not all certifications offer equal evaluation of resources using both theory and practice. At Packetlabs, we always prefer more practical exams including the OSCP, OSCE, GWAPT, GPEN and GXPN.

What is the difference between a PCI Pentest and a Regular Pentest?

A PCI Pentest is largely the same as a conventional penetration test with a few distinctions. Within the requirements, the PCI Council calls out both network-layer and application-layer testing. These mirror conventional infrastructure testing and application security testing with a bit more guidance for a minimum level of vulnerabilities to be considered, mandatory consideration of internal and external risk and the frequency of each assessment. The most important requirements include 6.5 and 11.3.

Requirement 6.5: Address common coding vulnerabilities in software-development processes as follows:

  • Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
  • Develop applications based on secure coding guidelines.
  • Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.

Requirement 11.3: Implement a methodology for penetration testing that includes the following:

  • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results.

Segmentation Testing is another difference between a conventional assessment and a PCI Pentest. This activity attempts to validate isolation of the PCI Cardholder Data Environment (CDE) and requires the penetration tester to evaluate potential entry points into the CDE depending on which types of segmentation are implemented (e.g., network-based firewall, host-based firewall, VLAN isolation, air gap, etc.).

At Packetlabs, we take this a step further and explore both paths to increase the visibility of what can get in, and also what traffic can come out. Egress traffic (traffic outbound from the zone) is often just as important as Ingress (traffic into the zone) as it is often your last line of defence if a compromise occurs. Service providers have additional requirements including 11.3.4.1:

Requirement 11.3.4: If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

Requirement 11.3.4.1: Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

When do you need to perform a PCI Pentest? 

Within the PCI DSS requirements, 11.3.1 and 11.3.2 outline requirements for testing at least annually, or after any significant change. We recommend testing at least three months before your PCI anniversary date. Most PCI Penetration Tests can be completed within a month and may require remediation work in order to ensure there are no exceptions. Two months is often enough if you are already compliant, but for the initial testing, it may warrant significantly more time.

Requirement 11.3.1: Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 

Requirement 11.3.2: Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 

What is a significant change?

The PCI Penetration Testing Guidance document describes a “significant change” as a change that could impact the security of the network, or allow access to cardholder data. This may be as simple as a new remote access system (VPN, Citrix), the introduction of a new server, or significant changes in the application. Organizations may benefit from staggering these changes to align with their pentest schedule to minimize additional costs, but be sure to talk to your penetration tester because there may be more flexible options.

Putting the pieces together

Penetration Testing is a great control to validate the security within your Cardholder Data Environment (CDE). The focus of a PCI Pentest is always to protect credit card information and the security of every business depends on well beyond credit cards. It is crucial to balance both the fulfilment of the PCI requirements and assurance that your customer’s privacy, your brand, and your business are secure. A pentest must be completed by a qualified resource, on at least an annual basis, and consider both internal and external threats to maximize the value of your investment. Please let us know if you have questions regarding your PCI Pentest, or if you’d like to learn more about how we can help.