
How to Select a Qualified Penetration Testing Provider for PCI DSS Compliance

PCI DSS violations can result in hefty penalties for businesses, and choosing the right pentester is key to meeting compliance obligations.

A pentest (penetration test) is an attack performed on a computer system at the owner's request by seasoned security consultants, acting much like cybercriminals would. The idea is to ascertain whether the client's system is robust enough to stand up to real-life cyber threats. The consultants use largely the same range of tools, techniques, and processes that cybercriminals use to orchestrate their attacks.

Understanding pentests a little better

Pentests commonly come in several types, covering network services, applications, the client side, wireless, social engineering, and physical security. Each type aims to pinpoint vulnerabilities that attackers could potentially exploit.

Pentests might also be external or internal. An external pentest mimics the attack tactics of a remote threat actor, operating from outside the client network. The objective is to identify potential vulnerabilities in the client's security perimeter that the attacker might be able to exploit to sneak into the system and compromise critical data. Typically, an internal pentest follows an external test. The focus of an internal pentest is to identify what attackers can do once they have gained a foothold in the organizational network.

A pentest can take anything between one and three weeks, depending on the nature of the test, the number of computer systems to be tested, and the strength and resilience of the client's cyber defenses. Essentially, a pentest identifies security vulnerabilities in the system and helps figure out how an organization's overall defenses weigh up against the risk of a potential cyberattack. However, this kind of simulated cyberattack can benefit a business in a number of other ways as well. These include supporting compliance with data privacy and security regulations, like PCI DSS, for instance.

PCI DSS pentesting

The Payment Card Industry Data Security Standard (PCI DSS) is a security baseline for all entities that store, process, or transmit cardholder data and/or sensitive authentication data, intended to keep such data safe from fraud and breaches across the entire payment ecosystem. A merchant who accepts or processes payment cards must also comply with the standard. Since 2006, the PCI SSC, an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB), has been responsible for administering the PCI DSS standard.

PCI DSS Requirement 11.3.1 mandates that service providers in the card payment ecosystem perform external pentesting no less than once every year, as well as after any significant upgrade or modification "that could allow access to cardholder data or affect the security of the cardholder data environment…" PCI DSS also calls for external and internal vulnerability assessments on a quarterly basis to uncover vulnerabilities, but pentesting is a different activity altogether. Pentesting, in respect of PCI DSS, has to include external and internal testing of the network and application layers as well as the surrounding controls.

PCI DSS pentesting may be performed by qualified internal resources or third parties, so long as they are not currently involved, and have not previously been involved, in the installation, maintenance, or support of the servers, workstations, network devices, applications, and the like under test. The word "qualified" carries a lot of significance here, because failure to meet PCI DSS compliance can result in hefty penalties for businesses in the range of $5,000-$100,000 per month, besides loss of reputation, customer loyalty, and revenue. Moreover, businesses must bear the cost of forensic audits in the event of a data breach.

Customers whose data have been put at risk routinely launch class action suits demanding that they be adequately compensated. Companies might also be sued by banks and payment processors (e.g., PayPal, Square). In February 2022, American credit rating agency Equifax agreed to cough up $425 million, including for PCI DSS violations, after a data breach in 2017 exposed the personally identifiable information of 147 million people. An unpatched vulnerability in a web application framework is believed to have led to the data exposure. So, to identify exploitable weaknesses in the organization's cyber defenses and avoid hefty fines and reputational damage, it is important to hire only qualified pentesters. An ideal "qualified pentester" will have the skills, functional knowledge, several years of hands-on experience, and relevant certifications to top it all.

Specific skills and knowledge

Apart from a bachelor's degree in computer science, IT, cybersecurity, computer engineering, or information assurance, a good PCI DSS pentester can be expected to hold at least some of the following pentesting certifications. None of these certifications is mandatory, but most of them indicate an in-depth understanding not just of pentesting but also of the larger universe of ethical security hacking and its practical application in real-life scenarios:

Offensive Security Certified Professional (OSCP) is offered by Offensive Security Services LLC, USA. This is a difficult and practice-oriented certification that requires candidates to successfully penetrate live machines in a lab environment.

Certified Ethical Hacker (CEH) is from the International Council of Electronic Commerce Consultants (EC-Council), based in Albuquerque, New Mexico. CEH requires candidates to demonstrate the use of tools used by cybercriminals, in a legitimate manner of course.

Global Information Assurance Certifications (GIAC) are provided by Maryland-based SANS Institute. Certifications like GIAC Certified Web Application Penetration Tester and GIAC Exploit Researcher and Advanced Penetration Tester require the performance of real-world testing tasks involving web application exploits in systems and networks.

CREST Penetration Testing Certifications are from the Council of Registered Ethical Security Testers (CREST) based in Vancouver, Canada / Solihull, UK. In this examination, candidates are required to identify known vulnerabilities across networks, applications, and databases.

The UK Government's CESG CHECK IT Health Check Scheme (CHECK) requires candidates to legitimately mimic the activities of hackers and access critical Internet-facing systems. Evading intrusion-detection systems as well as vulnerability detection and exploitation are key learning blocks of this program.

Real-world experience

Certification is not a substitute for years of real-world pentesting experience, so relevant experience is a key consideration when hiring a pentester. In the case of pentesters with less than a year of experience, it is prudent to validate their experience of, and direct involvement with, real-world testing scenarios. It also pays to check out the pentester's credentials with previous clients, as well as the quality and extent of the testing done for them. Pentesters referred by other customers very often turn out to be a better choice than an unknown quantity.

Besides the tester's own, the credentials and experience of the organization he or she works for are also very useful criteria. All said, the organization and the testers it employs should have practical experience of the specific technologies deployed in the environment that is to be tested. Before making a decision, consider whether the tester and his or her organization have practical knowledge of network-layer pentesting, application-layer pentesting, and application security standards such as the OWASP Top 10. Make sure they have worked with organizations of similar size and scope in the past.

It may not be possible to tick all the boxes when selecting a pentester to perform a PCI DSS assessment, since the talent pool is more or less shallow. However, the above discussion should serve as a pointer for service providers in the card payment ecosystem who are required to carry out pentests from time to time.

Stay in the loop. We will be back soon with more stories on cybersecurity. Meanwhile, you can address your queries on PCI DSS and other security issues to the Cyberlands team. We will be more than happy to assist you!