PCI's Bold Move to Define Penetration Testing

In March 2015, the PCI Council released its Information Supplement for Penetration Testing Guidance. This is a fantastic move, as previous guidelines were centered on the completion of penetration tests and left the methodology for completing them up to the auditor. With this guidance in place, we now have a clear definition of what qualifies as a penetration test in the eyes of the Council. There isn’t a need to rehash the document for you here, and I encourage everyone to read it. I would like to focus on a few key highlights that I’m happy to see added.

In section 2.2, scope is explained in depth. Traditionally, the cardholder data environment (CDE) has been the primary scope for penetration testers. Companies like NetWorks Group would educate clients on the need to expand testing to include systems that could impact the CDE. We are now fortunate enough to have it spelled out in the PCI guidance:

“To be considered out of scope for PCI DSS, a system component must be isolated (segmented) from the CDE, such that even if the out of scope system component was compromised it could not impact the security of the CDE. Therefore, the penetration test may include systems not directly related to the processing, transmission or storage of cardholder data to ensure these assets, if compromised, could not impact the security of the CDE.”

This is great news for penetration testers in the community. If we can identify that there is a threat to the CDE residing in adjacent networks, then we can target them as part of PCI penetration tests. From the client side, this gives you a very real picture of the threat that your user networks, or other adjacent networks, pose to your cardholder data.

In section 4.2.5, they cover the topic of “post-exploitation”. A thorough and well-defined post-exploitation process has been something NetWorks Group has long incorporated into its penetration testing process. It refers to the actions taken after the initial compromise of a system or device. Often we come into environments where penetration tests have previously been conducted and stopped at the device itself, without evaluating the value of that device inside the environment or as it relates to the CDE.

The PCI Council has included VERY helpful charts in the guidance that I think businesses evaluating their environment will find the most helpful. The first one is in section 2.1, which helps organizations distinguish between vulnerability scans and penetration tests. NetWorks Group has helped numerous organizations understand the differences between these two. Unfortunately, we oftentimes end up helping them after they have received what appears to be a vulnerability report when they actually paid for a penetration test.

Section 5.4 helps organizations evaluate the penetration testing reports they receive from vendors. I personally love this about the new guidance. As a penetration tester, the “deliverable” that we present to the client is the most important part of our business. It needs to contain the information most relevant to the client to help them assess the risk an attacker poses to their environment. The reports that NetWorks Group puts out have long been admired by auditors as meeting the criteria they look for when auditing organizations. This new section now gives folks receiving penetration testing reports from other companies a yardstick to measure the quality of the reports they are getting.

In the end, I feel this is a great step forward for PCI guidance, and NetWorks Group has been in line with these changes for some time now. This should absolutely raise the bar for other companies and force them to give the quality penetration tests that merchants have needed for a very long time.
