PCI Compliance: Vulnerability Scans & Penetration Tests

By Matthew Brincefield, Lead Penetration Tester

This is the final of a six-part blog series about PCI compliance.

Throughout this series, we have referred to the PCI Data Security Standard to lead our discussion on PCI compliance. The PCI DSS has helped us define the scope of compliance, outline the necessary reporting requirements, and understand readiness assessments and remediation efforts. Today, as we conclude this series, we want to drill down on two specific, but critical, PCI DSS requirements—vulnerability scans and penetration tests.

Similar Goals, but Differences Exist

Vulnerability scans and penetration tests both determine whether, and how, a malicious user could gain unauthorized access and affect the security of a network and/or cardholder data. Before we discuss these security controls in detail, however, we should mention some important differences between them.

What do they test? There is a notable difference here. Vulnerability scans identify, rank, and report security vulnerabilities that, if exploited, could intentionally or unintentionally compromise a system; penetration tests go further and identify ways to exploit those vulnerabilities and overcome the security features of system components.

How are they conducted? Vulnerability scans are usually performed by automated tools; they typically report the potential risks posed by known issues and can be completed in a relatively short amount of time (several seconds to several minutes). Penetration tests include manual testing and describe each vulnerability and potential risk discovered; they are far more informative and can take days or weeks to complete.

When must they be conducted? Per PCI DSS, vulnerability scans are required at least quarterly and after any significant change in the network; penetration tests are required annually and after any significant change in the network (PCI DSS defines a “significant change” as any infrastructure upgrade or modification or new system component installation).

Internal and External Vulnerability Scans

Internal: Internal vulnerability scans must be conducted by qualified personnel who are reasonably independent from the host being scanned. In addition, the scans need to be repeated until all “high-risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved. For these reasons, many organizations choose to have a third-party scanning vendor perform the work.

External: External vulnerability scans must be performed by a PCI SSC Approved Scanning Vendor (ASV) and must be repeated until they pass. Passing generally means that most vulnerabilities with a Common Vulnerability Scoring System (CVSS) score rated Medium or High have to be resolved. Exceptions to this generalization are documented in the ASV Program Guide.

Penetration Test Types, Tester Qualifications

PCI DSS requires that penetration testing be performed both internally and externally, and that it validate any cardholder data environment (CDE) segmentation that may be present within your system. Everything that is in scope of your payment system must be tested.

Black Box: In black-box penetration testing, the client provides the tester with no information about the system design prior to the beginning of the test. These types of tests can be more costly for your business because they require considerably more time to complete.

Grey Box: Clients who wish to employ grey-box testing may provide the tester with only partial details of the system design. This method saves time, and therefore money, but still gives you an idea of whether a malicious user with little to no prior knowledge of your system could infiltrate your network.

White Box: White-box penetration testing is generally considered to be the most effective form of penetration testing. With this method, the client provides the tester with complete details of the network and application. With white-box testing, the tester can critically analyze every aspect of your system, not just the ones that happen to present themselves during the test. This way, you will be able to ensure that your security controls can protect you, even from a malicious user who is extremely familiar with the ins and outs of your network.

According to the PCI SSC, a penetration tester must be “organizationally separate from the management of target systems,” so you will likely have to look outside of your organization for a qualified, independent penetration tester.

Qualified penetration testers, like Carson Inc., should hold several testing certifications, including, but not limited to:

  • Offensive Security Certified Professional (OSCP)
  • Certified Ethical Hacker (CEH)
  • CREST Penetration Testing Certifications
  • Communications-Electronics Security Group (CESG) IT Health Check Service (CHECK) Certification

What Carson Inc. Can Do For You

Security breaches of personal information pose a constant threat to consumer confidence in every company that collects and stores payment card information. Network and cardholder data security is a vital piece of any business; you have to ensure your systems are protected. As an approved PCI Qualified Security Assessor, Carson Inc. can help you complete the required network monitoring and testing in accordance with PCI DSS. With this qualification, Carson Inc. is poised to help your company manage data security risks, evaluate the security of your systems, and ensure total PCI compliance.

We hope you have found this series on PCI compliance useful, and we encourage you to stay connected with the Carson Blog for more on current IT-security topics and issues.

PCI Compliance Series

Part 1: “What is PCI Compliance?”
Part 2: “Scope”
Part 3: “How to Complete Reporting Requirements”
Part 4: “Readiness Assessment”
Part 5: “How to Develop a Remediation Plan”