PCI Penetration Testing – What You Should Know

What is a Penetration Test?

A penetration test, also called a pen test, is a type of security assessment in which an ethical hacker simulates the actions of a malicious user.  Pen testing includes hunting for vulnerabilities as well as actually exploiting them, which is what separates it from a vulnerability scan that only reports suspected weaknesses.  The goal of penetration testing is to determine whether a nefarious individual would be able to gain unauthorized access to a target's features and data, and how far that access could be extended.  A detailed penetration test will evaluate the security of a system and identify both weaknesses and strengths.

Penetration testing is often categorized as black-box, white-box or grey-box.  Black-box penetration testers begin without any prior client information, except perhaps the name of the target organization, which most closely resembles the position of an outside attacker.  On the other hand, a white-box penetration test provides the tester with as much information as possible about the target, including network maps, application details and even login credentials, so that testing time is spent on finding flaws rather than on discovering what the environment looks like.  A grey-box assessment is somewhere in the middle, with partial information (for example, in-scope IP ranges and a low-privilege account) provided to the testing team.  A grey-box penetration test is the most common type of test and is often considered the option that balances realism against coverage: the tester still has to find and exploit weaknesses, but does not spend the budget rediscovering information the client already has.

What is special about a PCI Penetration Test?

PCI pen testing has the goal of determining whether a malicious user can access resources that affect the security of payment card data.  So, the scope of a PCI penetration test often differs from that of a more general pen test.  While a general pen test might cover an organization's entire network, a PCI penetration test focuses on the systems that protect cardholder data.  Specifically, a PCI penetration test will focus on the cardholder data environment (CDE), which PCI DSS defines as "the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data," together with any system that connects to the CDE or could affect its security.

PCI Segmentation Testing

PCI DSS penetration testing helps to confirm whether the various PCI-mandated protections are in place and functioning properly.  Network segmentation is not itself mandated by PCI DSS, but organizations commonly use it to isolate the CDE from the rest of the network and thereby shrink the scope of their assessment.  When segmentation is relied on in that way, PCI DSS requires that its effectiveness be verified by penetration testing: the test must show that systems considered out-of-scope really cannot reach systems inside the CDE.  Port scanning from each out-of-scope network segment toward the CDE is an effective way to discover any routes that the segmentation controls fail to block.  Note that a host which answers a probe with a reset (a "closed" port) is still reachable; only probes that receive no answer at all show that the path is actually filtered.
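The following is an added example of such a segmentation check, not code from the original article or from any PCI DSS document.  It is a TCP connect scan meant to be run from a host in an out-of-scope segment against a list of CDE addresses.  The host list, port list and the results fed to the tests are constructed for illustration; in a real engagement they come from the client's network diagrams and scope statement.  Any probe that gets a response, whether a completed connection or a reset, is recorded as a segmentation failure, because either one proves that traffic from the out-of-scope segment reaches the CDE host.

```python
"""Segmentation check: attempt TCP connections from an out-of-scope host
to CDE hosts.  A properly segmented CDE should yield only "filtered"
results (no answer at all); "open" and "closed" both mean the packet
reached the target and the target answered.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample scope (illustrative addresses, not real systems).
CDE_HOSTS = ["10.20.30.10", "10.20.30.11"]
PORT_SPEC = "22,80,443,1433,3306,3389,5432,8000-8010"


@dataclass(frozen=True)
class Probe:
    host: str
    port: int
    state: str  # "open", "closed" or "filtered"


def parse_ports(spec: str) -> List[int]:
    """Expand a spec such as "22,80,8000-8010" into sorted unique ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad port range: {part}")
            ports.update(range(lo, hi + 1))
        else:
            p = int(part)
            if not 0 < p <= 65535:
                raise ValueError(f"bad port: {part}")
            ports.add(p)
    return sorted(ports)


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> Probe:
    """One TCP connect probe.  A refused connection (RST) is reported as
    "closed": the host is reachable, so segmentation did not block it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return Probe(host, port, "open")
        except ConnectionRefusedError:
            return Probe(host, port, "closed")
        except OSError:  # timeout, no route, network unreachable, etc.
            return Probe(host, port, "filtered")


def scan(hosts: Iterable[str], ports: Iterable[int],
         timeout: float = 1.0, workers: int = 64) -> List[Probe]:
    """Probe every host/port pair concurrently."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda t: tcp_probe(t[0], t[1], timeout), targets))


def segmentation_failures(probes: Iterable[Probe]) -> Dict[str, List[Probe]]:
    """Group every reachable probe by host.  An empty dict means the
    out-of-scope segment could not reach any tested CDE host."""
    failures: Dict[str, List[Probe]] = {}
    for pr in probes:
        if pr.state in ("open", "closed"):
            failures.setdefault(pr.host, []).append(pr)
    return failures


def report(failures: Dict[str, List[Probe]]) -> str:
    """Human-readable summary suitable for the test evidence appendix."""
    if not failures:
        return "PASS: no CDE host answered from this segment"
    lines = ["FAIL: CDE hosts reachable from this segment"]
    for host, probes in sorted(failures.items()):
        ports = ", ".join(f"{p.port}/{p.state}" for p in sorted(probes, key=lambda x: x.port))
        lines.append(f"  {host}: {ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = scan(CDE_HOSTS, parse_ports(PORT_SPEC))
    print(report(segmentation_failures(results)))
```

Run the script once from every out-of-scope segment that is expected to be isolated, and keep the output as evidence.  A connect scan covers TCP only; a complete segmentation test also probes UDP services and ICMP, and repeats the check whenever firewall rules or network topology change.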

Should a PCI Penetration Test be Black-box, White-box or Grey-box?

It is recommended that PCI pen tests be performed in a grey-box style.  While black-box assessments have significant value, starting with no prior information requires more time and resources to reach a comprehensive and thorough result, and the tester may never discover parts of the CDE that the client already knows about.  Giving the tester the network diagrams, the in-scope and out-of-scope address ranges and a description of how cardholder data flows allows the testing time to be spent on the question PCI actually asks, whether the CDE can be reached and compromised, and helps the tester efficiently provide the deliverables expected for PCI penetration testing.