NEW PENETRATION TESTING REQUIREMENTS, EXPLAINED
White Paper
The most important clarifications made in the PCI Council’s penetration testing informational supplement
© 2015 SecurityMetrics
To ensure minimal confusion with the new PCI DSS requirements, the PCI Council also released a much-needed penetration testing informational supplement in March 2015 to replace the original five-page penetration test guidance written in 2008.
In PCI 2.0, the penetration test requirements were essentially: perform external and internal penetration testing at least annually and after any significant infrastructure/application upgrade or modification. This included network-layer and application-layer penetration tests.
There was a short informational supplement released in 2008 by the PCI Council on penetration testing, but its guidance was very general and still left much room for interpreting what a penetration test really was. PCI DSS 3.0 has expanded requirement 11.3, added clarity, and defined expectations.
The recently released 40-page penetration test informational supplement was created for merchants, penetration testers, and Qualified Security Assessors (QSAs). It mainly focuses on:
• Penetration testing components
• Qualifications of a pen tester
• Penetration testing methodologies
• Penetration testing reporting guidelines
We assisted in the creation of this informational supplement, and are eager to see how it will clarify requirements and assist penetration testers, QSAs, and merchants.
PENETRATION TEST, VULNERABILITY SCAN, OR BOTH?
In addition to new penetration testing requirements, PCI 3.0 also updated the SAQ requirements for merchants and the applicability of penetration testing. Based on your SAQ, here’s a handy graphic that explains exactly who is supposed to receive penetration tests and vulnerability scans to comply with the PCI DSS. (To determine which type of penetration tests apply, see the similar graphic on page 5.)
NEW PENETRATION TESTING METHODOLOGY
Let’s review some of the newest and most important changes to PCI 3.0’s requirement 11.3 penetration test requirements.
USE INDUSTRY-ACCEPTED APPROACHES
(Informational Supplement 4.4)
This clarification, included in Req. 11.3, helps us understand that an industry-recognized methodology must be used when conducting a penetration test. Remember, the informational supplement was created for merchants, pen testers, and QSAs. This new methodology requirement applies to each of those audiences, but in different ways. Here’s what we mean:
• If you’re a merchant: you must make sure that the penetration tester you select uses the correct methodology and that you act on the report they give you (i.e., fix the problems they find).
• If you’re a penetration tester: you must use the correct pen testing methodology when conducting your test (e.g., NIST 800-115, OWASP Testing Guide, etc.).
[Graphic: which scans and tests each SAQ type requires. Categories shown: internal vulnerability scan, external vulnerability scan, penetration test, no scanning needed. SAQ types shown: SAQ A, SAQ A-EP, SAQ B, SAQ B-IP, SAQ C, SAQ C-VT, SAQ D, SAQ P2PE.]
Read this article to better understand:
Difference Between a Penetration Test and Vulnerability Scan
INCLUDE CRITICAL SYSTEMS IN THE PENETRATION TEST
(Informational Supplement 2.2.1)
A critical system is any additional system outside of the card data environment boundary that could affect card data security, for example firewalls, IDS, authentication servers, etc. Basically, it is any asset used by privileged users to support and manage the card data environment.
In PCI 3.0, penetration testers are not supposed to neglect the critical systems in a merchant’s environment. The scope of the pen test should extend beyond the card data environment and include any critical systems present in the merchant environment.
CONTINUE EXTERNAL AND INTERNAL TESTING
(Informational Supplement 2.2)
An internal penetration test is when penetration testers test from a perspective internal to your corporate network, but outside of your card data environment.
An external penetration test is when penetration testers test from the perspective of an open public network (the Internet) outside of the card data environment.
[Graphic: which penetration tests are required per SAQ. Test types shown: internal pen test, external pen test, segmentation check. SAQ types shown: SAQ A-EP, SAQ C, SAQ D.]
The definition of internal and external testing didn’t change in 3.0, but the merchants required to have an external or internal test did. Here’s a quick graphic that explains which penetration tests are required based on your SAQ.
PROVIDE AUTHENTICATION IN APPLICATION-LAYER AND NETWORK-LAYER TESTING
(Informational Supplement 2.3.1)
One of the clarifications detailed in this section is that penetration testers need to conduct an authenticated pen test. This means the customer must provide the penetration tester with credentials to access the system, instead of asking them to try to penetrate the system blindly.
With credentials, the penetration tester can test the system via an administrator role, manager role, cashier role, etc., and check whether someone with lesser privileges can get information that should only be accessible to someone with higher privileges.
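The role-to-role check described above, written out as a small harness. This is an added example, not code from the white paper or from SecurityMetrics; the roles (cashier, manager, administrator), the resource list and the in-memory stand-in for the application are all constructed, and a real engagement would replace fake_fetch() with authenticated HTTP requests made with the credentials the merchant supplied.

```python
"""Vertical access-control check for an authenticated application-layer test.

Added example, not from the white paper. It assumes one credential per role,
ranked cashier < manager < administrator, and a list of resources with the
least-privileged role that should be allowed to read each one.
"""
from dataclasses import dataclass

ROLE_RANK = {"cashier": 1, "manager": 2, "administrator": 3}

# Constructed: resources and the least-privileged role that may read each.
REQUIRED_ROLE = {
    "/pos/sale": "cashier",
    "/reports/daily-totals": "manager",
    "/admin/users": "administrator",
    "/admin/card-export": "administrator",
}

# Constructed stand-in for what the application actually enforces. The export
# endpoint is deliberately misconfigured (any logged-in role may read it) so
# the check has a vertical privilege problem to find.
ENFORCED_ROLE = {
    "/pos/sale": "cashier",
    "/reports/daily-totals": "manager",
    "/admin/users": "administrator",
    "/admin/card-export": "cashier",
}


def fake_fetch(resource, role):
    """Simulate an authenticated GET: 200 if the app lets this role in, else 403."""
    if resource not in ENFORCED_ROLE:
        return 404
    return 200 if ROLE_RANK[role] >= ROLE_RANK[ENFORCED_ROLE[resource]] else 403


@dataclass(frozen=True)
class Finding:
    resource: str
    role: str       # the lesser-privileged role that was let in
    required: str   # the role the resource should have demanded


def check_vertical_access(required_role, fetch, roles=ROLE_RANK):
    """Request every resource as every role and compare with the policy.

    Returns (findings, broken): findings are reads by a role below the
    required one that still got HTTP 200 (vertical privilege escalation);
    broken are reads by an authorised role that were refused, which is a
    functional problem worth reporting but not a security finding.
    """
    findings, broken = [], []
    for resource, needed in required_role.items():
        for role in roles:
            status = fetch(resource, role)
            allowed_by_policy = roles[role] >= roles[needed]
            if status == 200 and not allowed_by_policy:
                findings.append(Finding(resource, role, needed))
            elif status != 200 and allowed_by_policy:
                broken.append((resource, role, status))
    return findings, broken


if __name__ == "__main__":
    found, broke = check_vertical_access(REQUIRED_ROLE, fake_fetch)
    for f in found:
        print(f"FINDING: {f.role} can read {f.resource} (requires {f.required})")
    for resource, role, status in broke:
        print(f"BROKEN: {role} refused on {resource} with HTTP {status}")
```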
START TESTING NETWORK SEGMENTATION
(Informational Supplement 2.4)
This is another big change to PCI 3.0 penetration test requirements. When merchants segment their network, they usually do so to take the network segments not involved in card processing totally out of scope for PCI. Segmentation checks are penetration tests that make sure the network segments outside of the Card Data Environment (CDE) are actually out of scope.
Penetration testers validate segmentation by running a port scan (often using Nmap) from inside the out-of-scope network segment to try to discover any IP address inside the card data environment. If they can’t see any IP addresses inside the CDE, that network segment is validated as properly segmented (or isolated from the CDE).
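How the result of that scan is turned into a pass/fail verdict, as an added example (not code from the white paper or SecurityMetrics). It assumes the tester scanned the merchant's declared CDE ranges with Nmap's grepable output format (-oG) from a host inside the out-of-scope segment; the CDE ranges and the scan output below are constructed sample data, not a real scan.

```python
"""Evaluate a PCI segmentation check from Nmap grepable (-oG) output.

Added example, not from the white paper. The question it answers: did any
address inside the declared CDE respond to a scan launched from the segment
the merchant considers out of scope?
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: CDE ranges as declared in the merchant's scoping document.
CDE_RANGES = ["10.10.20.0/24", "10.10.21.0/24"]

# Constructed sample of -oG output. Real -oG lines share this shape:
# "Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ..."
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -Pn -p 22,443,1433 -oG - 10.10.20.0/24 10.10.21.0/24
Host: 10.10.20.5 ()\tStatus: Up
Host: 10.10.20.5 ()\tPorts: 22/filtered/tcp//ssh///, 443/filtered/tcp//https///, 1433/filtered/tcp//ms-sql-s///
Host: 10.10.20.17 ()\tStatus: Up
Host: 10.10.20.17 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///, 1433/filtered/tcp//ms-sql-s///
Host: 10.10.21.8 ()\tStatus: Up
Host: 10.10.21.8 ()\tPorts: 22/closed/tcp//ssh///, 443/filtered/tcp//https///, 1433/filtered/tcp//ms-sql-s///
# Nmap done at Mon Mar 16 10:00:00 2015 -- 512 IP addresses (3 hosts up) scanned in 41.20 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    state: str


def parse_grepable(text):
    """Yield (host, port, proto, state) for every port entry in -oG output."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.group(1), m.group(2)
        for port, state, proto in PORT_RE.findall(ports):
            yield host, int(port), proto, state


def in_cde(host, cde_ranges):
    """True if the address falls inside one of the declared CDE ranges."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(r) for r in cde_ranges)


def evaluate_segmentation(nmap_grepable, cde_ranges):
    """Return every CDE host/port that answered the out-of-scope scan.

    With -Pn every host is listed as Up, so "Status: Up" proves nothing. The
    evidence is the port state: anything other than "filtered" (open, closed,
    unfiltered) means a packet came back from the CDE host. "closed" still
    fails the check: the RST shows the path exists even if nothing listens.
    """
    return [
        Finding(host, port, proto, state)
        for host, port, proto, state in parse_grepable(nmap_grepable)
        if state != "filtered" and in_cde(host, cde_ranges)
    ]


def segmentation_passed(nmap_grepable, cde_ranges):
    """Pass only when no CDE address responded at all."""
    return not evaluate_segmentation(nmap_grepable, cde_ranges)


if __name__ == "__main__":
    hits = evaluate_segmentation(SAMPLE_NMAP_GREPABLE, CDE_RANGES)
    print("PASS" if not hits else "FAIL: CDE reachable from out-of-scope segment")
    for f in hits:
        print(f"  {f.host}:{f.port}/{f.proto} responded ({f.state})")
```

A clean result from one segment only validates that segment; the check has to be repeated from each network segment the merchant claims is out of scope.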
REVIEW OF PAST VULNERABILITIES AND THREATS
(Req. 4.1.6)
This brand new requirement explains that both merchants and penetration testers are responsible for reviewing a merchant’s past vulnerabilities.
• Merchant responsibility: have you experienced a vulnerability in the past 12 months, like POODLE? Did you make changes? Tell your penetration tester about it so they can design tests to validate your changes.
• Penetration tester responsibility: be aware of general vulnerabilities and threats prevalent in the industry and design tests to check for those issues in customers’ networks and applications.
MANY COMPROMISED MERCHANTS THOUGHT THEY WERE SECURE AND COMPLIANT, BUT OBVIOUSLY, THEY WEREN’T. PENETRATION TESTS CAN MAKE ALL THE DIFFERENCE IN YOUR DATA SECURITY
A penetration test is the MRI for your business. It’s the real-world security testing of the requirements you believe are in place. It’s a way to actually see evidence of problems your security systems may have. If compromised merchants had tested their environment through a penetration test, they might have found the vulnerability that allowed attackers into their system before it happened.
We encourage you to familiarize yourself with the informational supplement recently released by the PCI Council. When it comes time to comply with the penetration testing requirements, you’ll better understand the who, what, when, where, and why.
ABOUT
SecurityMetrics has tested over one million payment systems for data security and compliance mandates. Its solutions combine innovative technology that streamlines validation with the personal support you need to fully understand compliance requirements. You focus on the business stuff—we’ve got compliance covered.
For questions about your PCI DSS compliance situation, please contact SecurityMetrics: SALES@SECURITYMETRICS.COM OR 801.705.5656
