Blog

PCI Penetration Testing: A Comprehensive Guide

Date published:

Nov 20, 2024

VikingCloud Team

SHARE ON
SHARE ON

If your company handles and processes card payments, you must comply with rules set by the Payment Card Industry Data Security Standard, or the PCI DSS. These regulations ensure that your IT infrastructure keeps customer card information secure at all times.

One of the best ways to adhere to PCI DSS is to run PCI penetration testing, as it identifies vulnerabilities and weaknesses in your existing security posture.

By mimicking hacking techniques, penetration testers can make security recommendations to help inform a more responsive and reliable defense strategy.

In this guide, we’ll explore what PCI penetration testing involves, how it helps you adhere to PCI DSS compliance, and how you can get started.

What is PCI Penetration Testing?

PCI penetration testing is a security assessment that helps you find weaknesses in your information security that might put card data at risk.

This vulnerability assessment is inspired by the specific requirements of the PCI DSS, set by the PCI Security Standards Council, or the PCI SSC.

Specifically, penetration testers use ethical hacking techniques to:

  • Evaluate the strength of your data security and security controls (such as the functionality of your firewall and robustness of your operating systems)
  • Find hidden flaws that hackers can exploit for unauthorized access
  • Ensure your security posture adheres to compliance standards
  • Assess your incident response strategy against different cyber attack vectors
  • Reduce the possibility of your network getting hacked
  • Provide fresh insight and perspective into your operation’s security standards and internal resource management

PCI penetration testers specifically develop hacking plans that account for sensitive card data – how it is processed, and where it is stored.

For example, an external penetration test might involve inserting code into web forms or running dictionary attacks on login screens.

An internal penetration test, which takes place within a company’s internal network, might test physical security measures and attempt social engineering.

No two penetration tests are the same – and when it comes to protecting your card data in line with PCI DSS, you might choose penetration testing services to focus on a specific area.

Regardless, as experts in PCI penetration testing, we typically advise merchants who process debit and credit card payments to run penetration testing at least once a year. This ensures you're always up to speed with the latest advancements in security technology and hacking behavior.

Alongside a PCI pen test, we also recommend submitting your network infrastructures to automated vulnerability scanning, which can pick up on potential flaws.

What Are the Penetration Testing Requirements Under PCI DSS 4.0?

As of PCI DSS 4.0, companies handling and processing cards must follow:

  • 11.4.2 internal penetration testing  
  • 11.4.3 external penetration testing
  • 11.4.5 network segmentation testing

But what do all these numbers mean in practice?

  • Requirement 11.4.2 refers to internal pen testing measures that submit networks, systems, and apps behind the scenes. Specifically, this testing standard ensures that infrastructures are well supported against potential insider threats and hackers who gain access.
  • Requirement 11.4.3 refers to a standard in external penetration tests where companies must submit any networks, servers, and applications that face the public for evaluation.
  • Requirement 11.4.5, finally, refers to testing segments. Segment testing, specifically, requires a firm’s CDE (cardholder data environment) – which manages card data and other financial information – to be submitted to evaluation.
  • This means it’s often prudent to pen test your CDE separately from your wider network.

PCI DSS requirement 11.4, in general, clearly determines:

  • Who can perform penetration tests
  • When tests can be performed
  • What the scope of such tests are (e.g., cardholder data environments, access points, and connected systems in scope)
  • What’s considered out-of-scope
  • What the specific penetration testing methodology involves (e.g., what’s documented and what each step involves)
  • Which components and tools are used (e.g., application-layer testing and segmentation controls)
  • How tests are reported and documented
  • How remediation of security weaknesses, if any, are to be recommended

Beyond these points, any companies wishing to be compliant under PCI DSS 4.0 should:

  • Undergo wireless security testing as per requirement 11.2
  • Run external and internal vulnerability scans and/or ASV scans regularly, as per requirement 11.3
  • Submit any public-facing APIs and web applications to penetration testing under requirement 6.4
  • Submit to penetration testing at least once a year
  • Retest after significant changes are made to the CDE and/or general infrastructure
  • Run segmentation tests at least twice a year

This can seem like a lot to take in and remember. However, when working with an approved scanning vendor and an expert penetration tester, you can always ensure someone has your back on the finer details.

Key Differences Between PCI DSS 4.0.1 and PCI DSS 3.2.1

Let’s briefly break down the main changes to PCI DSS requirements made between PCI DSS 3.2.1 and PCI DSS 4.0.1, the latest version of the compliance standard.

  • Password security requirements have changed – companies now need to ensure phrases are at least 12 characters long, for example.
  • Companies now need to be explicitly clear on roles and responsibilities under each requirement – and additional requirements such as e-skimming and phishing protection have been added.
  • PCI DSS 4.0.1 now requires companies to add additional access and authentication controls, such as multi-factor authentication (MFA) – particularly applied to card data.
  • 4.0.1 is also much more flexible regarding how companies can find security measures to ensure compliance.
  • The latest compliance standards also explicitly guide users on encrypting and decrypting data, and establish that testing and compliance should be ongoing.
  • A final key point raised in 4.0.1 establishes that firms should keep clearer documentation of their architecture so that it’s simpler to assess broader data management and encryption.

Who is Affected by PCI DSS?

PCI DSS affects businesses that hold and process card and cardholder information. Specifically, that might refer to e-commerce businesses, service providers, traditional merchant services, and SaaS businesses.

It’s good practice to follow PCI DSS if you handle card payments and are in any doubt over the data you store. Failure to maintain data security in line with PCI DSS could result in fines, reputational damage, and loss of customer data and support.

Thankfully, PCI security standards are simple to follow and keep up to provided you work with a professional cybersecurity expert and a verified PCI QSA, or Qualified Security Assessor.

These qualified assessors will have specific certifications to thoroughly test critical systems under PCI’s evolving standards, including at least one security and one audit certification. Some might, for example, even have a CEH or Certified Ethical Hacker certification.

How Long Will a PCI Penetration Test Take?

The average duration of a PCI penetration test is between days and weeks at a time. Unfortunately, there are no average or specific timescales – simply because the environment size and project needs always vary.

The length of time PCI DSS penetration testing takes will depend, too, on the type of testing methodology you opt for. For instance, if you choose black-box penetration testing, your tester approaches your infrastructure completely blind, with no prior knowledge of your processes.

That, typically, can be one of the most efficient pen testing routes – because there’s little in the way of prior research.

White-box penetration testing, meanwhile, provides ethical hackers with as much data as possible on a company's network and processes. It's a longer process, but one that's more comprehensive.

At VikingCloud, we support a white-box model that allows our team to dive deep into client security postures. We therefore carefully assess and advise you of any timescales involved at the very start of your project.

That goes for a specialized application penetration test or specific analysis of your system components – we want to be clear and concise with you from the get-go.

How Much Does PCI Penetration Testing Cost?

You can expect PCI penetration testing to cost anywhere between $5,000 and $40,000. Again, this is a factor that can vary depending on the scale of the environments involved, and your exact requirements needed from testers and hackers.

Again, before we get started with any pen testing projects, we’re always upfront and clear on cost expectations with our clients.

How Often Does PCI Require Penetration Testing?

PCI states that firms should run penetration tests at least once a year, or after changes that directly affect how card information is held and processed.

However, the regulations also expect you to run segmentation tests at least twice a year, too. We recommend following these standards regardless of whether or not you process card information.

Contract a Reliable Penetration Testing Firm

The methodologies used by penetration testing firms vary depending on experience and outlook. At VikingCloud, we bring together a team of seasoned experts who keep abreast of the latest data security developments – and we’re passionate about keeping you and your cardholders safe.

When looking for a penetration testing provider, you might find that some subscribe to different methodology models. These are templates and frameworks set up to help guide PCI pen testing practice – so that all the correct boxes are ticked.

For instance, some testers might observe the OWASP (Open Web Application Security Project) framework and its "Top Ten."

Or, some might follow the OSSTMM, or the Open Source Security Testing Methodology Manual, or the NIST (National Institute of Standards and Technology) Special Publication.

If this all sounds a little overwhelming, don’t worry. Our team is on hand to guide you through a thorough network penetration test that keeps you compliant and your customers’ data safe at all times.

Get in touch today for a consultation, and let's tighten up your security posture with ethical hacking.

SHARE ON
Andrea Sugden
Chief Sales and Customer Relationship Officer
Let’s Talk
To get started with a VikingCloud cybersecurity and compliance assessment, email, call or click:
Contact Us