The PCI DSS v3.2 Update and Penetration Testing: What You Need to Know
Designed and introduced by the PCI Security Standards Council, PCI DSS v3.2 is the latest update to the ever-evolving payment security standard, replacing PCI DSS v.3.1, which was retired on October 31, 2016.
However, there is still plenty of time to implement PCI DSS version 3.2, since the new requirements will be considered best practices until February 1, 2018, to allow sufficient time for organizations to get up to speed on matters like penetration testing.
Why Is There a New PCI DSS Update?
The Payment Card Industry Security Standards Council (PCI SSC or the Council) continually works to ensure a safe environment for consumers sharing payment data in the digital age before, during and after a purchase. Threats from hackers and other virtual intruders never wane. In fact, these cyber-criminals work just as hard to thwart the efforts of the Council at every turn, making it critical that the PCI SSC never stops working to find new ways to protect consumer information.
The PCI Data Security Standard (PCI DSS) version 3.2 update was developed by the Council to respond to the growing threats to payment information. IdentityForce reported that data breaches increased by 40 percent in 2016, with Yahoo being one of the hardest hit with the largest data breach in history, affecting more than one billion accounts.
Similar to each preceding update, the Council has worked to develop new ways to help prevent, detect and respond to cyber-attacks that can lead to costly breaches that can wear away consumer trust. The refinements in the PCI DSS v3.2 are also intended to help provide clarity and guidance to help companies maintain the Council’s standards as a course of everyday business practice.
What Is Penetration Testing and Does Your Organization Need It?
A penetration test allows you, or your IT assurance consultants, to simulate an actual hacking attack targeting vulnerabilities that may be present in live servers and computer infrastructure. This type of simulation allows you to detect and analyze where the weakness or failure occurred so you can make the necessary adjustments and improvements for greater security.
Any organization that collects sensitive customer data needs to perform penetration testing to assess any risks to that data and find ways to avoid breaches, notes Forbes.
How Important Is Penetration Testing for Your Organization?
Given the increase in data breaches over the past decade, it is clear that performing penetration testing to detect vulnerabilities in your computing systems is more important than ever, as the PCI SSC's updates reflect. With penetration testing, you go beyond mere detection of potential risks and breaches; you can analyze the data you collect to help avert intrusions.
Penetration testing is also important to help you discover new bugs in existing software, to ensure that controls have been implemented and are working effectively, and to test applications that are often the route for an attack, suggests Help Net Security.
How Will the PCI DSS v3.2 Update Affect Your Penetration Testing?
The most important change that accompanies the PCI DSS v3.2 update, regarding penetration testing, is a matter of frequency. The PCI Compliance Guide shares that “Service providers will undergo additional scrutiny of their management processes, and penetration testing will be required on a more frequent basis.”
According to the PCI Data Security Standard Requirements and Security Assessment Procedures for Version 3.2, and specifically Requirement 11.2, companies must perform internal and external (ASV) scans quarterly and after any significant change, with rescans as needed, and only by qualified personnel.
What Is Requirement 11.3 in the PCI DSS v3.2 Update?
Requirement 11.3 in the PCI DSS v3.2 update addresses the testing activities for companies that work to protect a cardholder data environment (CDE). Most importantly, the series of requirements under 11.3 sets guidelines for how often you need to perform penetration testing:
- Requirement 11.3.1. Companies are to conduct external penetration testing at least annually or after any significant change in the organization's operating environment.
- Requirement 11.3.2. Companies are required to perform internal penetration testing at least annually or after any significant change in the organization's operating environment.
- Requirement 11.3.3. Any exploitable vulnerabilities identified during penetration testing must be corrected, and testing must then be repeated to verify the corrections.
- Requirement 11.3.4. Companies must perform network segmentation testing to validate that segmentation controls and methods are operating effectively.
- Requirement 11.3.4.1. Service providers must perform penetration testing on segmentation controls every six months. Previously required at least annually, this PCI DSS v3.2 change is important because it allows each entity to demonstrate that its segmented environment was truly isolated during testing. Validating the effectiveness of segmentation also keeps your PCI DSS scope current as business objectives change.
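The segmentation test (11.3.4) and the correct-and-retest rule (11.3.3) both come down to evaluating evidence: which zone pairs were exercised, which connections succeeded, and whether every finding was closed on retest. The script below is an added example, not code from I.S. Partners or the PCI SSC; the zone names (`cde`, `connected`, `out_of_scope`), the one-line isolation policy and the sample probe results are constructed assumptions, and a real assessment would derive the forbidden paths from the organization's own scoping.

```python
"""Evaluate network segmentation test evidence against a simple scope model.

Assumptions (constructed for this example): every host is tagged with a zone,
and a test harness has already recorded, for each source/destination/port it
tried, whether a TCP connection was established. The policy is a simplified
reading of the segmentation goal: out-of-scope systems must not reach the CDE,
and the CDE must not reach out-of-scope systems.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    src_host: str
    src_zone: str
    dst_host: str
    dst_zone: str
    port: int
    reachable: bool


# Zone pairs that must never show a successful connection. "connected" systems
# (for example a jump host) may legitimately reach the CDE, so only the
# out-of-scope <-> CDE directions are forbidden in this assumed policy.
FORBIDDEN_PATHS = {("out_of_scope", "cde"), ("cde", "out_of_scope")}


def evaluate_segmentation(probes):
    """Return (passed, findings); a finding is a probe that crossed a forbidden path."""
    findings = [p for p in probes
                if (p.src_zone, p.dst_zone) in FORBIDDEN_PATHS and p.reachable]
    return (len(findings) == 0, findings)


def coverage_gaps(probes):
    """Forbidden zone pairs that no probe exercised: untested isolation is not validated."""
    exercised = {(p.src_zone, p.dst_zone) for p in probes}
    return sorted(path for path in FORBIDDEN_PATHS if path not in exercised)


def verify_retest(findings, retest_probes):
    """11.3.3-style check: each original finding must appear in the retest
    evidence as unreachable. Returns findings still open (still reachable, or
    never retested)."""
    retested = {(p.src_host, p.dst_host, p.port): p.reachable for p in retest_probes}
    still_open = []
    for f in findings:
        key = (f.src_host, f.dst_host, f.port)
        if key not in retested or retested[key]:
            still_open.append(f)
    return still_open


# Constructed sample evidence from a hypothetical segmentation test run.
SAMPLE_PROBES = [
    Probe("hr-ws-01", "out_of_scope", "pos-db-01", "cde", 1433, False),
    Probe("hr-ws-01", "out_of_scope", "pos-db-01", "cde", 443, False),
    Probe("hr-ws-01", "out_of_scope", "pos-app-02", "cde", 22, True),   # segmentation failure
    Probe("jump-01", "connected", "pos-db-01", "cde", 1433, True),       # permitted path
    Probe("pos-app-02", "cde", "hr-ws-01", "out_of_scope", 445, False),
]

# Constructed retest evidence after the firewall rule was corrected.
SAMPLE_RETEST = [
    Probe("hr-ws-01", "out_of_scope", "pos-app-02", "cde", 22, False),
]


if __name__ == "__main__":
    passed, findings = evaluate_segmentation(SAMPLE_PROBES)
    print("segmentation passed:", passed)
    for f in findings:
        print(f"  FINDING {f.src_host} ({f.src_zone}) -> {f.dst_host}:{f.port} ({f.dst_zone})")
    print("untested forbidden paths:", coverage_gaps(SAMPLE_PROBES))
    print("still open after retest:", verify_retest(findings, SAMPLE_RETEST))
```

Two points the code makes that the list above only implies: a test that never exercised a forbidden path has not validated it (hence `coverage_gaps`), and a finding counts as closed only when the retest evidence shows the same path as unreachable, not merely because a fix was reported.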
Increased frequency in penetration testing helps you confirm that security controls are in place and working effectively to protect your customer data.
Learn More About the PCI DSS v3.2 Update and How It Affects Penetration Testing
At I.S. Partners, LLC, we are here to answer any questions you may have about this important PCI DSS update. If you need help determining how these changes may affect your company, or if you need a PCI DSS audit from professionals who care about your business, we can help.