Security for organizations dealing with credit cards often boils down to one thing; successful implementation of The Payment Card Industry Data Security Standard, better known as PCI DSS. From securing transactions to increasing customer confidence, PCI DSS compliance is a must in the modern economy. The PCI DSS standard version 3.0 requirements became effective January 1, 2015. While v3 has many changes, one is more impactful, and more challenging to implement, than all the others.
Given the evolution of security threats, network penetration testing is more important than ever. PCI DSS v3 clearly recognizes this fact with significant revisions to penetration testing requirements. Penetration testing must now comply with recognized industry standard testing methodologies, such as those developed by the National Institute of Standards and Technology. NIST, a branch of the US Department of Commerce, publishes clear rules for penetration testing in their “Technical Guide to Information Security Testing and Assessment.”
Penetration testing ensures the cardholder data environment, or CDE, is completely isolated and protected from an organization’s other networks. Perfectly sensible, since no good will come from cardholder information being shared openly on the same network as office email, Internet browsing, and a thousand other apps. The problem is, for many organizations at least, complying with PCI DSS v3’s new penetration testing requirements will be quite difficult.
The difficulty is in the details. Penetration testing skills are specialized, demanding significant training and experience. Many organizations trying for PCI DSS v3 compliance are small, with small IT teams and smaller IT budgets. These organizations certainly don’t have in-house, industry standard penetration testing skills. Contracting the work is straightforward, but expensive, straining those limited IT budgets. In all cases, these organizations have a hurdle to jump in achieving compliance.
While training on staff IT admins to perform penetration testing may sound appealing, it’s not viable. As I mentioned, penetration testing is highly skilled. These skills can’t be force-fed like broccoli to a toddler. They are cultivated over time. IT teams in small organizations are almost stereotypically overextended. Resources just aren’t available to bring these testing skills in-house. Outsourcing, as expensive as it may be, is really the only viable option.
A few words of caution; don’t throw good money after bad chasing PCI DSS v3’s penetration testing compliance requirement. Meticulously select the testing provider. Ensure, in writing, that they perform testing to recognized industry standards for penetration testing. Have them document those standards. Manage expectations by clearly defining, again in writing, that penetration testing isn’t the goal. The goal is testing resulting in compliance with PCI DSS v3 section 11.3’s requirements. Ask if the final report contains a PCI DSS v3 certification compliance statement.
While penetration testing requirements aren’t the only revisions in PCI DSS v3, they pose some of the most significant challenges. Because of these challenges, smaller organizations will struggle climbing the mountain that is PCI DSS v3 compliance. They will summit that mountain with determination, management skill, and key partnerships.