Olivier Le Moal - Fotolia
In an effort to help enterprises hurdle an ongoing compliance stumbling block, the PCI Security Standards Council (SSC) has issued new supplemental guidance on penetration testing.
The PCI SSC's guidance on penetration testing, developed by a PCI Special Interest Group (SIG) of industry experts, aims to help organizations of all sizes, budgets and sectors evaluate, implement and maintain a penetration testing methodology. Experts said the new guidelines are much more prescriptive than in the past, which should help organizations.
"While many security testing companies have already included similar elements in their own methodologies, the PCI SSC has now established a clear standard," said Sherri Davidoff, founder of Missoula, Mo.-based security consulting firm LMG Security. "This will help ensure clear expectations between customers, security testers and the PCI SSC."
Originally slated for release last year but delayed due to the SSC's focus on other guidance related to the release of PCI DSS 3.0, the new SIG guidance comes on the heels of Verizon's newly released 2015 PCI Report, which showed that the pen-testing mandate with the PCI DSS was the only area where compliance fell year over year.
Experts noted that a major point of confusion for enterprises has been PCI DSS Requirement 11, which concerns security testing; according to Verizon, a third of enterprises fail to pass the requirement that calls for four quarterly vulnerability scans during a 12-month period, and nearly that many fail to acequately rescan until all "high-risk" vulnerabilities are resolved.
"This requirement, specifically 11.3.x, is new for small businesses and this guidance is intended to help reduce any confusion on the subject," said Ben Causey, CEO of Birmingham, Ala.-based security consulting firm Zero Day Consulting. "For many years, regulatory and compliance requirements have been ambiguous and vague, leaving much of the interpretation up to the assessor or impacted business."
According to According to Charles Henderson, vice president of managed security testing at Chicago-based security vendor Trustwave Inc., the new guidelines are the most detailed and evolved guidance ever given for that reqirement, and are especially useful because of the detailed differences between a vulnerability scan and a penetration test.
In its supplemental guidance, the SSC notes that the differences between vulnerability scans and penetration tests still cause confusion within the industry; the guidance describes in detail the differences. Vulnerability scans are used to identify vulnerabilities, should be performed quarterly, can be done with automated tools, and can be done quickly. Penetration tests, on the other hand, are used to identify ways to exploit known vulnerabilities, should be performed annually, are expected to be done manually resulting in a comprehensive report, and may take days or weeks to complete.
According to Causey, this level of clarity should improve the security of businesses under the PCI umbrella because it should help reduce the number of organizations that have been "rubber-stamping compliance documentation."
However, Causey does worry that the more explicit guidelines could be cost prohibitive for some companies.
"Moving from a 'scan requirement' to a 'pen-test requirement' is a huge and expensive step," Causey said. "Companies can expect to spend anywhere from $3,000 to $100,000+ depending on size, and anywhere from a few days to a few months in their efforts to accomplish this."
Henderson agreed that there would be added cost for testing because it is outlined in the guidelines as a manual process which adds a human layer to the testing, but he expects that increase in cost to be offset by organizations removing unnecessary applications from testing and by implementing segmentation best practices.
"If you want to keep pen testing to the same cost, you need to reduce the scope," Henderson said. "There is an element of this document that makes it clear what a pen test is and raises the bar for pen testing, and there is an unspoken aim to reduce scope and shrink the battlefield."
Davidoff said that part of reducing scope could also come from new guidance regarding how and when third-party systems need to be included in testing.
"The PCI SSC has weighed in and specifically provided guidance which addresses third-party approval and clarifies when third-party systems should (or should not) be included in the scope of testing," said Davidoff. "This is great news for IT management and will help to streamline the penetration testing process."
Henderson also noted that the new guidelines weren't only prescriptive in terms of compliance, but gives suggestions for enhanced security outside of compliance with a recommendation that organizations should incorporate social engineering techniques into penetration testing, including end-user education.
Henderson noted that this level of detail in the new guidelines would be helpful not only for testing purposes, but for budgetary issues as well.
"This more prescriptive description of pen testing should provide more evidence for a security manager to present to executives when addressing the security budget," said Henderson. "It won't necessarily affect those who are bound and determined to do as little as possible, but the majority of merchants I've spoken to care as much about security as compliance."
Learn more about PCI Special Interest Group advice regarding compliance .