Most industry-recognized security frameworks, including HITRUST, CIS Controls and PCI DSS, stipulate penetration testing requirements as part of an organization's risk management cycle. In addition, the Payment Card Industry Security Standards Council (PCI SSC) provides supplemental penetration testing guidance for organizations that are required to conduct a penetration test.
PCI SSC guidance focuses on the following four pillars:
- Qualifications of a pen tester – certifications and experience
- Four major pen testing components – application layer, network layer, segmentation checks and social engineering
- Penetration testing methodologies – pre-engagement, engagement, post-engagement
- Reporting – Comprehensive reporting and remediation
The goals of penetration testing are:
- To determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or cardholder data.
- To confirm that the appropriate controls required by PCI DSS—such as scope, vulnerability management, methodology, and segmentation—are in place.
Penetration Tester Qualifications
Certifications and Experience
A penetration test is only as effective as the specialists' skills and experience. Therefore, look for a certified team experienced in working with organizations similar to yours. In addition, certifications such as Offensive Security Certified Professional (OSCP) and Certified Ethical Hacker (CEH) can indicate the skill level, competence and mastery of a standard body of knowledge.
Industry leaders are security professionals who have made and continue to make significant contributions in the cybersecurity space through industry organizations and the broader security profession. Any testing team can leverage industry tools, but it takes much more than that to perform tests well and achieve accurate, real-world results. So look for a team that goes beyond automated scripts and technical printouts by providing human intelligence, cunning and a practical explanation in business terms.
Questions to ask a prospective pen tester:
- How many years of experience does the penetration tester have?
- Has the pen tester performed assessments against organizations similar to yours?
- Does the tester have expertise with the technologies in your environment?
- Do they use industry-standard, frameworks-based methodologies?
Testing Methodologies
PCI SSC breaks pen testing methodology into three activity categories:
- Pre-engagement – Planning Phase: Attack Surface Analysis, Test Scoping, Documentation, Rules of Engagement, Third-party Cloud Environments, Success Criteria
- Engagement – Execution Phase: Application, Network, Segmentation, Social Engineering, Handling Accessed Cardholder Data
- Post-engagement – Reporting Phase: Remediation, Re-testing, Clean up
Each environment is unique, requiring the tester to select the most appropriate approach and tools. Penetration testing is essentially a manual endeavor requiring human cunning. While automated tools aid the tester in performing repetitive tasks, expertise is necessary to identify attack vectors.
It takes a skilled penetration tester to interpret the results of any automated tool and translate the cryptic techie information to the business domain. Look for a vendor that takes a risk management approach using a structured industry-standard framework. A risk assessment identifies, evaluates, and prioritizes risks based on the probability and impact of incidents.
Risk management, especially cybersecurity and privacy, is a critical concern for shareholders and other stakeholders, including sales teams, investors, customers and staff. Your pen test partner should be there to help you design a customized, holistic approach to your short-term and long-term business requirements based on your exposure and risk appetite.
Reporting and Documentation
Unfortunately, organizations sometimes execute a pen test but fail to act on the results. Failing to act following a pen test engagement can be more dangerous than not having the pen test in the first place. If the pen tester can find the weaknesses in your defenses, be sure that real-world attackers can find them as well.
Merely reporting lists of vulnerabilities is not helpful in this endeavor and does not meet the intent of the penetration test. Instead, the report should be structured to communicate what was tested, how it was tested, and what it means regarding potential business impacts.
Your pen test partner is not much help if they drop a technical report and leave. In addition to a business-oriented explanation, your tester should provide you with a mitigation plan and roadmap based on your budget and risk tolerance.
Get Started on PCI DSS Compliance with Truvantis
Let us deal with compliance so you can invest in your business. The Truvantis® team includes PCI DSS experts and Qualified Security Assessors with extensive experience as a trusted partner for compliance and validation. Outsource your payments, segment your networks, tokenize your data, and use P2PE/E2EE solutions – all are great ways to reduce your costs. But the devil is in the details – contact Truvantis to ensure you get it right.
Truvantis is a cybersecurity, compliance and privacy consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security programs. We specialize in helping our clients improve their cybersecurity posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk appetite.
Truvantis is also an authorized PCI DSS Qualified Security Assessor (QSA) company.