What You Should Know About PCI DSS Penetration Testing

The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard that requires any organization dealing with card payments to ensure cardholder information is protected. Organizations that implement PCI DSS compliance are expected to carry out periodic tests. The tests are aimed at confirming that the compliance controls are effective in protecting payment card information. Protecting cardholders' information is critical to ensuring the financial security of clients. PCI DSS involves many elements, which is why it is important to conduct penetration testing to truly understand the weaknesses in the organization.

What is Penetration Testing?

Penetration testing is an active process that seeks to find the gaps in a system and exploit them. The point of finding and exploiting the gaps is to prove whether or not the internal controls put in place actually work. Penetration testing has to be performed as a drill during hours that won't interrupt business activities. The drill enacts real-world scenarios of what can happen if a weakness is exploited. The test is done annually because it requires a lot of time to gather all the necessary information.

Difference Between Penetration Test and Vulnerability Scan

A vulnerability scan is done periodically. It seeks to identify gaps in the compliance controls, report them and evaluate the seriousness of the risks they pose. Scans should also be done after significant changes in the organization's systems. Significant changes include upgrading systems or changing organizational processes in relation to the Cardholder Data Environment (CDE). The scanning process is purely automated.

A penetration test manually tries to exploit the identified vulnerabilities to see what can happen in a real-life scenario. Penetration testing eliminates any false positives identified by the scan while exploring the extent of the risk posed by the real gaps. Manual testing is a key component of penetration testing of the internal controls in place.

What is a Cardholder Data Environment?

All the information collected from a card payment is referred to as card data. This data is sensitive, and the organization is responsible for storing it safely. A CDE comprises all the people, processes and technology used in handling payment card information. The test sets out to identify whether the card data has been compromised in any way.

Penetration Testing for CDE

The first step an organization takes is identifying the CDE scope. The scope should be well defined before any testing activities are carried out. Identifying the scope of the CDE focuses the testing on potential threat areas. Organizations should check their payment processors to confirm that they access public networks through protected IP addresses. The firewalls should be tested to find out their effectiveness and strength against hacking.

The test should evaluate the access networks, the applications and the internal controls in place. This test checks whether the CDE has been compromised from within the organization and which measures are used to prevent contamination. Segmented networks should be tested to check for cross-contamination, i.e. whether an out-of-scope network segment can still reach the CDE. Contamination compromises the security of the CDE and should be handled immediately. Testing the CDE from the outside confirms that the controls put in place do work.

Testing a Critical System

PCI DSS defines a critical system as any system that is involved in the card payment process. Critical systems are used to transmit card data, process card payments and store card data. Penetration testing should be done on all assets used to manage the CDE, from the firewall to the authentication of users who access the data.
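The scoping and segmentation checks described above can be expressed as a small graph exercise. The following is an added example (not code from the original article or from any PCI tool): it classifies a constructed, hypothetical asset inventory into CDE systems (those that store, process or transmit card data, as the definition above puts it), connected-to systems, and out-of-scope systems, then flags hosts that were declared out of scope but still have a network path into the CDE. The asset names, roles and reachability data are all constructed for illustration.

```python
from collections import deque

# Constructed asset inventory (hypothetical names): asset -> set of the roles
# the article uses to define a critical system: store, process or transmit card data.
ASSETS = {
    "pos-terminal": {"transmit"},
    "payment-gw": {"process", "transmit"},
    "card-db": {"store"},
    "auth-server": set(),   # authenticates users who access card data
    "jump-host": set(),
    "hr-system": set(),
    "guest-wifi": set(),
}

# Constructed reachability, e.g. derived from firewall rules or segmentation
# test results: source -> set of destinations it can open a connection to.
REACH = {
    "pos-terminal": {"payment-gw"},
    "payment-gw": {"card-db"},
    "auth-server": {"card-db", "payment-gw"},
    "jump-host": {"auth-server"},
    "hr-system": {"jump-host"},    # an unexpected path towards the CDE
    "guest-wifi": set(),
}


def classify_scope(assets, reach):
    """Split assets into CDE, connected-to and out-of-scope sets (conservative:
    any path to a CDE host, even via another in-scope host, counts as connected-to)."""
    cde = {name for name, roles in assets.items() if roles}
    rev = {name: set() for name in assets}          # reverse edges: dst -> sources
    for src, dsts in reach.items():
        for dst in dsts:
            rev[dst].add(src)
    connected, queue = set(), deque(cde)
    while queue:                                     # walk backwards from the CDE
        for src in rev[queue.popleft()]:
            if src not in cde and src not in connected:
                connected.add(src)
                queue.append(src)
    return {"cde": cde, "connected_to": connected,
            "out_of_scope": set(assets) - cde - connected}


def segmentation_failures(claimed_out_of_scope, assets, reach):
    """Hosts declared out of scope that segmentation does not actually isolate."""
    scope = classify_scope(assets, reach)
    return set(claimed_out_of_scope) & (scope["cde"] | scope["connected_to"])
```

With the constructed data, `hr-system` is reported as a segmentation failure because it can reach the CDE through the jump host, while `guest-wifi` is genuinely isolated.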

Critical systems can be tested on two levels, namely the application layer and the network layer. Organizations tend to focus on network systems, which has left applications easier to attack. Application systems are the software that cardholders use to enter their card information for online payments. The applications include open-source software, mobile applications, web applications and internally developed software. Penetration testing tries to exploit the weakest areas of this software.

Network layer penetration testing checks for weaknesses in the devices within the organization. They include firewalls, routers, switches and servers. The risks may arise from poorly configured devices and weak passwords. PCI DSS compliance requires testing of employee access authentication, cardholder (customer) controls, workforce user controls and the operating systems. Penetration testing can also be done on internal systems to check the internal controls on implementation and maintenance of the system.

How can Automated Compliance Help Ease the Burden of PCI DSS Penetration Testing?

PCI DSS penetration testing can be a thorough process. When coupled with other internal controls, meeting PCI DSS requirements may be overwhelming for organizations. ZenGRC is a compliance automation platform that constantly monitors whether the organization has met its compliance requirements. ZenGRC's automated system offers a PCI DSS dashboard for easy navigation to review generated reports. The platform can also store penetration testing reports for future reference.

Written By

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.
