PCI security council publishes penetration testing guide

The body that administers the payment card industry data security standard (PCI DSS) has published a guide on penetration testing

The move comes just two weeks after Verizon’s 2015 PCI Compliance Report revealed that testing security systems is the only area of the PCI DSS where compliance has fallen in the past year.

According to the Verizon report, compliance between 2013 and 2014 increased by 18% on average for 11 of the 12 PCI DSS requirements.

But among organisations that met 95% of the controls, more than half failed requirement 11 for regularly testing security systems and processes.

Version 3.0 of the PCI DSS introduced a directive that organisations implement a formal penetration testing methodology.

The Penetration Testing Guidance, published by the Payment Card Industry Security Standards Council (PCI SSC), is aimed at helping organisations establish a strong methodology for regularly testing security controls and processes in accordance with PCI DSS requirement 11.3.

Benefits of penetration testing

According to the PCI SSC, organisations can use penetration testing to identify vulnerabilities and to determine whether unauthorised access to their systems, or other malicious activity, is possible.

Penetration testing is a critical tool to verify that appropriate segmentation is in place to isolate the cardholder data environment from other networks, and to reduce PCI DSS scope, the council said.

The PCI SSC said networks considered out of scope are often compromised because of poor segmentation methods.
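The segmentation check the council describes is, at its simplest, an attempt from an out-of-scope network to reach every in-scope host and service that the segmentation is supposed to block. The script below is an added example written for this page, not PCI SSC material and not taken from the guide; the CDE_TARGETS list is a hypothetical placeholder for the organisation's own inventory of cardholder data environment hosts and ports, and local_demo() stands up one listening and one closed port on loopback so the check can be exercised offline. A real requirement 11.3 segmentation test also covers UDP, ICMP and application-layer paths; this block only tests TCP reachability.

```python
"""Segmentation check: from a host on an out-of-scope network, attempt TCP
connections to every CDE host/port that should be blocked and report anything
that answers. Added example for this article; not PCI SSC code."""

import socket
from concurrent.futures import ThreadPoolExecutor

# Hypothetical CDE targets, standing in for the in-scope hosts and services
# taken from the organisation's asset inventory and network diagram.
CDE_TARGETS = [
    ("10.10.5.10", 443),    # hypothetical payment gateway
    ("10.10.5.11", 1433),   # hypothetical card database
    ("10.10.5.11", 3389),   # hypothetical admin RDP on the same host
]


def tcp_reachable(host, port, timeout=2.0):
    """True only if a full TCP handshake completes.
    A refused, filtered or timed-out port returns False (socket.timeout is an OSError)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(targets, timeout=2.0, workers=32):
    """Probe every target in parallel and return the subset reachable from this host.
    For correctly segmented networks the expected result is an empty list; every
    entry returned is a path across the segmentation boundary that needs explaining."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda t: tcp_reachable(t[0], t[1], timeout), targets))
    return [t for t, ok in zip(targets, flags) if ok]


def local_demo():
    """Offline demonstration: one listening loopback port plays a CDE service that
    leaked through the boundary, one closed loopback port plays a properly blocked one."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    scratch = socket.socket()
    scratch.bind(("127.0.0.1", 0))
    closed_port = scratch.getsockname()[1]
    scratch.close()  # nothing is listening on closed_port now

    try:
        targets = [("127.0.0.1", open_port), ("127.0.0.1", closed_port)]
        leaks = check_segmentation(targets, timeout=1.0)
    finally:
        listener.close()
    return leaks, open_port, closed_port


if __name__ == "__main__":
    leaks, open_port, closed_port = local_demo()
    print(f"open={open_port} closed={closed_port} leaks={leaks}")
    # Against the real CDE: run from an out-of-scope host and keep the finding
    # list as evidence for the requirement 11.3 report.
    # print(check_segmentation(CDE_TARGETS))
```

Run it from a host on the network that is claimed to be out of scope, not from inside the CDE; a check run from the wrong side proves nothing. Keep the output from each run, because the report the guide asks for needs evidence of what was tested and from where, not just a statement that segmentation "is in place".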

The guide, developed by a PCI Special Interest Group of industry experts, aims to help organisations of all sizes, budgets and sectors evaluate, implement and maintain a penetration testing methodology.

Testing methodology best practice

Best practice addresses:

  • Understanding the different components that make up a penetration test;
  • Determining the qualifications of a penetration tester;
  • Understanding penetration methodologies;
  • Developing a comprehensive penetration test report.

The guide updates guidance published in 2008 and includes three case studies and a quick-reference guide for navigating the penetration testing requirements.

“Penetration testing is a critical component of the PCI DSS,” said Troy Leach, PCI SSC chief technology officer.

“It shines a light on weak points in an organisation’s payment security environment which, if unchecked, could leave payment card data vulnerable.”
