PCI Network and Application Layer Penetration Testing
Take a hacker perspective to protect payment card data.
A PCI Network and Application Layer Penetration Test simulates a real-world attack against your network infrastructure and information systems in order to see how far an attacker would actually be able to progress within your cardholder data environment (CDE).
It’s imperative to conduct a penetration test regularly if your environment is processing and storing payment card data, and those same systems have access to the Internet. Implementing a methodology for penetration testing is included in the PCI Data Security Standard as Requirement 11.3.
Unlike a vulnerability assessment or automated vulnerability scan, a penetration test has security engineers actively trying to uncover vulnerabilities and then exploit them in order to breach your systems or obtain access to sensitive data. This manual, hands-on approach allows the tester to probe intelligently and launch attacks from a variety of vectors and under a variety of conditions within the environment. As a result, your organization gains full visibility into how malicious actors could attack your systems and a clear understanding of the extent to which those systems are at risk.
Understand your testing scope, and go from there.
The engagement starts with an agreement between you and ControlScan on the scope of testing to be conducted. Under PCI, the scope would include coverage for the entire cardholder data environment (CDE) perimeter as well as critical systems. Depending on your needs, the engagement will include the following testing regimens:
- External Penetration Testing, which adopts the approach of an anonymous attacker somewhere out on the Internet looking to breach your perimeter defenses and gain access to your environment
- Internal Penetration Testing, which shows you the risks posed to your information systems by an insider (e.g., an employee or contractor) or an attacker that has already breached your perimeter
- Validation of any segmentation and scope-reduction controls within the environment
Each of these types of testing provides insight into your organization's risk exposure, but from a different perspective.
During the engagement, our security testers perform reconnaissance of in-scope systems to identify services and functions that may be vulnerable, then discover vulnerabilities affecting the in-scope targets, and finally attempt to exploit those vulnerabilities in order to compromise the exposed systems. All of this is done with your knowledge and permission.
Upon completion, a formal report is prepared detailing the findings uncovered by the testing process. The tester who conducted the exercise walks you through the report in detail, ensuring you understand the weak points and gaps discovered and have a strategy for strengthening them. Most clients remediate the findings and then engage ControlScan to retest and verify that the target environment is secure.
Test at least annually.*
The PCI DSS specifies that external and internal penetration testing should each be performed at least annually* and after any significant infrastructure or application upgrade or modification within the target environment. Penetration testing is especially important in confirming whether your approach to segmenting your network is truly effective in isolating your cardholder data environment (CDE) from other networks. Large breaches recently reported in the media have typically begun with a simple incursion into a poorly secured area of the victim's network, followed by a lateral move directly into the CDE.
Protect your business—and your customers' payment data—by getting started on a PCI Network and Application Layer Penetration Test.