
You’re PCI Compliant. Now What?


Did you know? Ensuring your company complies with the PCI (Payment Card Industry) standard is essential, but relying solely on PCI does not guarantee your entire organization a bulletproof security posture. In addition to regular PCI testing, we recommend companies undergo a periodic company-wide penetration test to identify all potential areas of vulnerability.

Protecting cardholder data is crucial, with the cost of the average data breach of customer data in Canada clocking in at just under five million dollars. However, PCI compliance in itself doesn't necessarily safeguard employee and staff information, intellectual property, and trade secrets: in today's blog, our pentesters provide an overview of how (and why!) penetration testing fills in those security gaps.

PCI Penetration Testing vs. 95% Manual Penetration Testing

Although both PCI-related pentesting and Packetlabs' 95% manual penetration testing fall under the umbrella of security testing, there are benefits that a full penetration test will provide that are out of the scope of PCI compliance.

A PCI engagement often consists of automated scans and manual testing, with the primary goal of meeting the PCI standard’s checklist: only then is a company considered PCI compliant. A full 95% manual penetration test, on the other hand, goes beyond the compliance checklist and requirements. Complete penetration testing emulates a real cyberattack to find weaknesses that would otherwise be overlooked.

While the scope and goals of a pentest can differ, they typically consist of testing the security of an entire organization's infrastructure and applications, both internal and external, to exploit discovered vulnerabilities, identify weak system configurations, and extend any access gained as far as possible.

What Can You Expect From a PCI Penetration Test?

When it comes to PCI compliance, you can expect the following from a penetration test:

  • A narrow scope limited to cardholder data environment (CDE) systems and supporting components

  • A port scan to identify internally and externally exposed services

  • A vulnerability scan to identify potential weaknesses

  • Web application security test of in-scope applications

  • Identification and verification of services exposed at the CDE perimeter

  • Segmentation testing to confirm isolation of the CDE

  • Exploitation of vulnerabilities, restricted to the defined scope

  • A report identifying the vulnerabilities found, the risk, targets affected, exploitability, industry references, and recommendations

Generally, if no significant findings are discovered when testing this narrow scope, the organization in question will meet PCI DSS requirements 11.3 and 6.5. However, the question we must ask is: if a company is compliant with the PCI minimum standard, is that enough to ensure its own security? In the majority of cases in 2023 and beyond, the answer is no.

What Can You Expect From a Complete Penetration Test?

A complete penetration test, on the other hand, simulates how a hacker would attempt to compromise an organization. While it uses similar methodologies, the scope and approach may vary drastically.

Typically, a full-fledged penetration test assesses the following:

  • Internal and external network security including topologies and protocols

  • Web applications

  • Mobile app security

  • Operating systems

  • System configuration

  • Authentication

  • Cryptography

  • OS and third-party patching

  • Vulnerable services

  • User awareness through phishing

  • Escalation of privileges and post-exploitation reconnaissance

  • Lateral movement across target networks and organizations

Objective-based penetration tests have an even broader scope and are only limited by the defined objectives and organizational boundaries (physical and logical addresses). Packetlabs has conducted specialized testing that included:

  • Social engineering, including phone calling and targeted spear-phishing

  • Physical security, such as RFID badge cloning and tailgating

  • Device dropping and planting including malicious USB devices and networking devices allowing remote access

  • Physical security reconnaissance such as dumpster diving and satellite imagery

  • Open Source Intelligence (OSINT) gathering to identify if your organization has been affected by past data breaches

A full penetration test engagement delivers a comprehensive report containing the vulnerabilities that were found, attack narratives, exploitation results, exploit chaining, and how the identified vulnerabilities may be exploited.

Conclusion

In short, a full penetration test consists of everything contained within a PCI penetration test and more. PCI testing is aimed at protecting cardholder data from exposure; it is not intended to ensure security across an entire organization.

Here at Packetlabs, we aim to leave your digital space safer than we found it. We break things apart to build better. By educating and consulting, we are your trusted guide through daunting cybersecurity challenges.

Reach out to our team today for your free, zero-obligation penetration testing quote, or sign up for our newsletter for more industry education and news.
