PCI Issues Penetration Test Guidance
Experts Debate Whether Advice Goes Far Enough
New guidance from the PCI Security Standards Council specifies how businesses should use penetration testing to identify network vulnerabilities that could be exploited for malicious activity.
But while one payments security expert says the guidance could help ensure ongoing compliance with the Payment Card Industry Data Security Standard and improve card security, another says the guidance doesn't go far enough.
Penetration testing is a critical tool for verifying that segmentation is appropriately in place to isolate the cardholder data environment from other networks, the council states in its March 26 guidance release.
"Penetration testing is a critical component of the PCI-DSS," says Troy Leach, chief technology officer of the council. "It shines a light on weak points within an organization's payment security environment which, if unchecked, could leave payment card data vulnerable."
The guidance includes insights about:
- Understanding the different components that make up a penetration test;
- Determining the qualifications of a penetration tester, whether internal or external, through experience and certifications;
- Defining methods used for penetration testing that address the pre-test, test and post-test findings;
- Developing a comprehensive penetration test report.
A Missing Element?
One payments security expert says the guidance comes up short. "Unfortunately, the PCI Council did not go far enough to require that penetration testing be a manual process, rather than allowing automated penetration-testing tools to be used," says the payments expert, who asked not to be named.
Manual penetration tests are random tests waged against a network by a skilled network tester, rather than an automated tool. Manual testing is well-suited to evaluating vulnerabilities from many different vantage points, or attack vectors, the expert contends. In contrast, automated penetration tools from vendors can only test limited vantage points, he says.
"Clearly, these vendors were successful in lobbying the council to temper its requirements for penetration testing," the expert adds.
A Positive Step?
But Charles Henderson, vice president of managed security testing at security and forensics investigation firm Trustwave, says the new guidance should encourage more businesses to check and test network segmentation. Inadequate segmentation has led to many card data compromises, apparently including the Target breach.
Henderson says most businesses only test vulnerabilities on systems and networks that hold card data. But if these are not properly segmented, hackers can access them through attacks that invade any point on the network, he adds.
"Inadequate segmentation is far more likely to be uncovered under the new guidance, and businesses must test their segmented networks thoroughly to help ensure their data is secure," Henderson says. "The guidance should also help businesses segment off a smaller cardholder environment."
When helping businesses achieve security and PCI-DSS compliance, Trustwave often finds that businesses have unnecessarily large cardholder environments - meaning they are storing card data on more systems than they realize or that their network is not properly segmented, he says.
"A smaller target is easier to protect," Henderson adds. "It doesn't directly eliminate the problem, but it does make businesses take segmentation more seriously."
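The segmentation check Henderson describes boils down to proving that networks outside the cardholder data environment cannot reach into it. The following added example (not code from the article, the council or Trustwave) evaluates a constructed, hypothetical firewall policy against a list of out-of-scope networks and reports any flow that would reach the CDE; the subnets, rules and probe ports are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"

# Constructed sample policy (not from the article). First matching rule wins;
# anything unmatched is implicitly denied.
POLICY = [
    Rule("10.20.0.0/24", "10.10.0.0/24", 443, "allow"),   # POS segment -> CDE gateway, TLS only
    Rule("10.30.0.0/24", "10.10.0.0/24", None, "deny"),   # corporate LAN fully blocked
    Rule("10.40.0.0/24", "10.10.0.0/24", 3389, "allow"),  # guest Wi-Fi -> CDE RDP: segmentation gap
]

CDE = "10.10.0.0/24"
# Networks the assessor expects to be fully isolated from the CDE (assumed values).
OUT_OF_SCOPE = ["10.30.0.0/24", "10.40.0.0/24"]
# Representative service ports probed during a segmentation check.
PROBE_PORTS = [22, 80, 443, 445, 1433, 3389]

def is_allowed(policy, src_ip, dst_ip, port):
    """Evaluate the policy for one flow using first-match semantics."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action == "allow"
    return False  # implicit deny

def segmentation_findings(policy, cde, out_of_scope, ports):
    """Return (source_net, port) pairs where an out-of-scope network reaches the CDE.
    An empty list means the segmentation controls held for the probed ports."""
    cde_host = str(next(ipaddress.ip_network(cde).hosts()))
    findings = []
    for net in out_of_scope:
        src_host = str(next(ipaddress.ip_network(net).hosts()))
        for port in ports:
            if is_allowed(policy, src_host, cde_host, port):
                findings.append((net, port))
    return findings

if __name__ == "__main__":
    for net, port in segmentation_findings(POLICY, CDE, OUT_OF_SCOPE, PROBE_PORTS):
        print(f"segmentation gap: {net} can reach the CDE on port {port}")
```

A real segmentation test confirms the policy evaluation with live probes from each out-of-scope segment, since the deployed rule base and routing may differ from the documented policy.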
The new guidance requires that businesses actually attempt to exploit the vulnerabilities they identify. It's not enough to identify a vulnerability and fix it; businesses must wage simulated attacks against their networks by exploiting the vulnerabilities they find to help determine the level of risk, Henderson says.
And while exploitation requirements were already noted in version 3.0 of the PCI-DSS, Henderson says many businesses have been reluctant to exploit vulnerabilities during a test. "The new guidance makes it crystal clear - penetration testers must identify and exploit vulnerabilities," he says.