Ensuring that your company complies with the PCI standard is essential, but relying solely on PCI does not protect your entire organization with a bulletproof security posture. In addition to regular PCI testing, we recommend companies undergo a periodic company-wide penetration test. Protecting cardholder data is crucial, the average data breach of customer data is just under $5 million dollar in Canada. Protecting card data and personal information demonstrates that you value consumer protection. However, there is more than cardholder data at stake in the cyber landscape including employee and staff personal information, intellectual property and trade secrets. Protecting your entire organization against a breach is invaluable.
PCI Pen Test vs Complete Penetration Test
Although both fall under security testing, there are benefits that a full penetration test will provide that is out of scope of PCI compliance. A PCI engagement often consists of automated scans and manual testing, with the main goal of meeting the PCI standard’s checklist – only then a company is considered PCI compliant or not.
A full penetration test, on the other hand, goes beyond the compliance checklist and requirements. A complete penetration testing emulates a real cyber-attack to find weaknesses that would otherwise be overlooked. While the scope and goals of a pen test can differ, typically they consist of testing the security of an entire organizations infrastructure, applications, both internal and external, to exploit discovered vulnerabilities, identify weak system configurations and stretch gained access as far as possible.
What can you expect in a PCI Penetration Test?
Concise scope to test cardholder data environment (CDE) systems and supporting components
A port scan to identify internally and externally exposed services
A vulnerability scan to identify potential weaknesses
Web application security test of in-scope applications
Identify and verify services which are exposed at the CDE perimeter
Segmentation testing to confirm isolation of the CDE
Exploitation of vulnerabilities defined restricted to the defined scope
A report identifying the vulnerabilities found, the risk, targets affected, exploitability, industry references and recommendations.
Generally, if no significant findings are discovered when testing the narrow scope, they will meet PCI DSS requirements for 11.3 and 6.5, but a question that we must ask ourselves is that, if a company is compliant to the PCI standard, is it enough to ensure their security?
What can you expect in a Full Penetration Test?
A complete Penetration test, on the other hand, simulates the actions of how a hacker would attempt to compromise an organization. While it consists of very similar methodologies, the scope and approach may vary drastically. Typically, a full-fledged penetration test assesses the following:
Internal and External network security including topologies and protocols
Mobile app security
OS and Third-Party patching
User awareness through phishing
Escalation of privileges and post-exploitation reconnaissance
Lateral movement across target networks and organizations
Objective-Based Penetration Tests have an even broader scope and are only limited by the defined objectives and organizational boundaries (physical and logical addresses). Packetlabs has conducted specialized testing that included:
Social engineering including phone calling and targeted spear-phishing
Physical security such as RFID badge cloning and tailgating
Device dropping and planting including malicious USB devices and networking devices allowing remote access
Physical security reconnaissance such as dumpster diving and satellite imagery
Open Source Intelligence (OSINT) gathering to identify if your organization has been affected by past data breaches
In a full penetration test engagement, a comprehensive report containing vulnerabilities that were found, attack narratives, exploitation results, exploit chaining and how vulnerabilities identified may be exploited.
In short, a full penetration test consists of everything contained within a PCI penetration test and more. PCI testing is aimed to protect cardholder data from exposure; is not intended to ensure security across an entire organization.
To learn more about penetration testing and how to choose the right penetration testing company, you can read the following article.