Any organization that processes, stores, or transmits payment card data has to comply with the Payment Card Industry Data Security Standards (or PCI DSS). Whether you’re a mom-and-pop soda shop or a retail goliath, you have to abide by this set of industry-created and industry-maintained data security guidelines.
For every organization subject to PCI DSS, that means annual compliance demonstration and regular security tests – sometimes self-administered and sometimes conducted by a third-party organization in a PCI compliance audit. One of these important tests is called a “penetration test,” and it offers some useful insight into how and why PCI DSS works.
How a Penetration Test Works
What is a penetration test?
On one level, it’s a network attack like any other, but this “attack” is conducted by yourself or a third-party security partner in an attempt to expose potential vulnerabilities. Make no mistake: it’s a full-fledged attempt to break in to your system and try to get credit card data. At its most effective, a penetration test will simulate attacks ranging from malicious software to human hacking, detailing whether your system’s defenses stand or fall.
PCI requires one of these tests be conducted annually. It doesn’t have to be done by a third party, but most organizations find that they want to use a partner. That partner can provide an objective view without being biased by prior knowledge of your system, and they can also bring specialized expertise in the most common attack techniques, so they can conduct the same activities that the bad guys will, giving you the most relevant perspective of your susceptibility. They won’t have an extensive knowledge of your particular network environment – including its particular strengths and weaknesses – so they can bring an authentic intruder’s perspective.
Why You Need an Authentic Intruder's Perspective
An authentic intruder’s perspective is essential. A penetration test isn’t just kicking the tires of your system, but it’s also taking it out for a drive and making sure it holds up to the rigors of the road – including the treacherous curves of real intruders and real malware. In the past, some businesses in do-it-yourself-mode downloaded sketchy and unreliable “penetration test tools” online to fulfill this PCI DSS requirement.
But the most recent version of the standard clarifies that the test has to be conducted according to generally accepted methodologies. In the current environment, you can still conduct the test yourself, and use more widely respected software and processes, but many organizations seek out third-party security experts for the comprehensiveness and sense of confidence they confer.
Here’s why: the simple fact is, there’s no point in conducting a penetration test if you’re not going to take it seriously. You could say the same about network security in general: it needs to be part of a robust effort to protect your business and protect consumers’ data. When conducted seriously and regularly, these tests can help safeguard your customers, your sensitive data, and your business going forward.
To learn more about penetration testing and how to handle it for your firm, download our free guide, PCI Compliance Guidelines Explained. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.
LBMC Information Security reviews compliance efforts, can test to assure compliance and can help your team develop an action plan to remediate compliance. If you have questions, please contact us. Learn more about our PCI Compliance services.
Get a Quote for PCI Services
Ready to move ahead with your PCI project? Answer 9 questions and get a quote for your PCI compliance needs.
Download LBMC's PCI Compliance Guide
Download our guide, PCI Compliance Guidelines Explained, for more ways to stay up to date with PCI compliance for your firm.