iVolution Security Technologies
 


Ensuring PCI Compliance with Penetration Testing

Understanding the legal issues surrounding the PCI Data Security Standard is a challenge in itself. Beyond that, there is a multitude of practical and operational issues that IT organizations have to address to ensure compliance.

The payment card industry represents a major target for attackers seeking access to credit card and consumer information. All of the major credit card and payment providers have adopted a common set of data security standards, referred to as the PCI Data Security Standards. PCI also provides qualifications, training, and guidelines for security assessors. If you accept credit cards or other types of electronic payments, you should become familiar with these data security standards.

The Payment Card Industry (PCI) standard is a 'security guideline' developed by credit card companies to ensure the proper handling and protection of cardholder account and transaction information.

The PCI standard encompasses the following requirements for the secure handling of credit card data.

Requirements for PCI Compliance (Action / Requirement)

Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy
  • Maintain a policy that addresses information security

PCI Penetration Testing
The requirement for penetration testing resides in Requirement 11.3, and in particular in 11.3.1 and 11.3.2:

Requirement 11: Regularly test security systems and processes
Vulnerabilities are continually discovered by hackers and researchers, and continually introduced by new software. Systems, processes, and custom software should be tested frequently to ensure that security is maintained over time and through any changes in software.

  • 11.1 Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use.
  • 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
  • 11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
  • These penetration tests must include the following:
    • 11.3.1 Network-layer penetration tests
    • 11.3.2 Application-layer penetration tests

Quarterly external vulnerability scans must be performed by a scan vendor qualified by the payment card industry (an Approved Scanning Vendor). Scans conducted after network changes may be performed by the company's internal staff.

Non-Compliance with PCI
Those failing to meet the required compliance may face fines (which can be up to $500,000 per incident) or restrictions imposed by card companies such as Visa, MasterCard and American Express. Depending on the level of the merchant or service provider, proving PCI compliance necessitates that the merchant undergo an audit by a third party.

"Through 2008, insiders, working alone or with outsiders, will account for the majority of financial losses from the unauthorized use of computers and networks."
Gartner Group