You’re PCI Compliant, now what?

Ensuring that your company complies with the PCI standard is essential, but PCI compliance alone does not give your entire organization a bulletproof security posture. In addition to regular PCI testing, we recommend that companies undergo a periodic company-wide penetration test. Protecting cardholder data is crucial: the average breach of customer data costs just under $5 million in Canada. Protecting card data and personal information demonstrates that you value consumer protection. However, there is more than cardholder data at stake in the cyber landscape, including employee and staff personal information, intellectual property and trade secrets. Protecting your entire organization against a breach is invaluable.

PCI Pen Test vs Complete Penetration Test

Although both fall under security testing, a full penetration test provides benefits that are out of scope for PCI compliance. A PCI engagement often consists of automated scans and manual testing, with the main goal of meeting the PCI standard’s checklist; only then is a company deemed PCI compliant or not.

A full penetration test, on the other hand, goes beyond the compliance checklist and requirements. A complete penetration test emulates a real cyber-attack to find weaknesses that would otherwise be overlooked. While the scope and goals of a pen test can differ, they typically consist of testing the security of an entire organization’s infrastructure and applications, both internal and external, to exploit discovered vulnerabilities, identify weak system configurations and stretch gained access as far as possible.

What can you expect in a PCI Penetration Test?

  • Concise scope to test cardholder data environment (CDE) systems and supporting components

  • A port scan to identify internally and externally exposed services

  • A vulnerability scan to identify potential weaknesses

  • Web application security test of in-scope applications

  • Identify and verify services which are exposed at the CDE perimeter

  • Segmentation testing to confirm isolation of the CDE

  • Exploitation of vulnerabilities, restricted to the defined scope

  • A report identifying the vulnerabilities found, the risk, targets affected, exploitability, industry references and recommendations.

Generally, if no significant findings are discovered when testing this narrow scope, the company will meet PCI DSS requirements 11.3 and 6.5. The question we must ask ourselves, however, is this: if a company is compliant with the PCI standard, is that enough to ensure its security?

What can you expect in a Full Penetration Test?

A complete penetration test, on the other hand, simulates how a hacker would attempt to compromise an organization. While it uses very similar methodologies, the scope and approach may vary drastically. Typically, a full-fledged penetration test assesses the following:

  • Internal and External network security including topologies and protocols

  • Web applications

  • Mobile app security

  • Operating systems

  • System configuration

  • Authentication

  • Cryptography

  • OS and Third-Party patching

  • Vulnerable services

  • User awareness through phishing

  • Escalation of privileges and post-exploitation reconnaissance

  • Lateral movement across target networks and organizations

Objective-Based Penetration Tests have an even broader scope and are only limited by the defined objectives and organizational boundaries (physical and logical addresses). Packetlabs has conducted specialized testing that included:

  • Social engineering including phone calling and targeted spear-phishing

  • Physical security such as RFID badge cloning and tailgating

  • Device dropping and planting including malicious USB devices and networking devices allowing remote access

  • Physical security reconnaissance such as dumpster diving and satellite imagery

  • Open Source Intelligence (OSINT) gathering to identify if your organization has been affected by past data breaches

A full penetration test engagement produces a comprehensive report containing the vulnerabilities that were found, attack narratives, exploitation results, exploit chaining and how the identified vulnerabilities may be exploited.

To Summarize

In short, a full penetration test consists of everything contained within a PCI penetration test and more. PCI testing aims to protect cardholder data from exposure; it is not intended to ensure security across an entire organization.

To learn more about penetration testing and how to choose the right penetration testing company, you can read the following article.