Wednesday, September 20, 2023

PCI DSS Vulnerability Scanning and Penetration Testing Hygiene

The Payment Card Industry Data Security Standard (PCI DSS) is an essential benchmark for businesses that store, process, or transmit cardholder data. The introduction of PCI DSS v4.0 brings several clarifications and new layers of complexity. Today, we’ll take a look at internal and external vulnerability scans and penetration testing. 

Vulnerability Scans (11.3.1.3 and 11.3.2.1)

One of the critical security controls that PCI DSS v4.0 emphasizes is the need for internal vulnerability scans. Companies must perform these scans after any 'significant change,' as defined by the standard. Significant changes include things like adding new hardware, software, or making considerable upgrades to existing infrastructure.

The scans aim to detect and resolve high-risk and critical vulnerabilities based on the entity’s vulnerability risk rankings. Following the scan, any detected vulnerabilities must be resolved, and rescans should be conducted as needed.

External vulnerability scans are equally important and follow the same triggering mechanism—significant changes in the environment. Here, the focus is on resolving vulnerabilities scored 4.0 or higher by the Common Vulnerability Scoring System (CVSS). As with internal scans, rescans are required as necessary to confirm that vulnerabilities have been adequately addressed.
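The two scan requirements apply different pass criteria, and it is easy to get them crossed: external scans are judged on the CVSS score alone, while internal scans are judged on the entity's own risk ranking (Requirement 6.3.1), not on whatever severity the scanner prints. The triage logic below is an added example (not code from PCI SSC or any scanner) that applies each threshold to a constructed set of findings and separates still-open blocking items from remediated ones that now need a confirming rescan; field names and sample values are assumptions.

```python
"""Apply PCI DSS v4.0 scan pass criteria to scanner findings (example code).

External (11.3.2.1): anything scored CVSS >= 4.0 must be resolved.
Internal (11.3.1.3): anything the entity ranks High/Critical must be resolved.
"""
from dataclasses import dataclass

EXTERNAL_CVSS_THRESHOLD = 4.0          # "4.0 or higher" is inclusive
INTERNAL_MUST_FIX = {"high", "critical"}


@dataclass
class Finding:
    host: str
    plugin: str          # hypothetical scanner check id
    cvss: float          # base score reported by the scanner
    scope: str           # "internal" or "external"
    risk_rank: str       # entity's own ranking per Req. 6.3.1
    resolved: bool = False


def must_resolve(f: Finding) -> bool:
    """Scope-specific test: CVSS for external, entity ranking for internal."""
    if f.scope == "external":
        return f.cvss >= EXTERNAL_CVSS_THRESHOLD
    if f.scope == "internal":
        return f.risk_rank.lower() in INTERNAL_MUST_FIX
    raise ValueError(f"unknown scope {f.scope!r}")


def blocking_findings(findings, scope):
    """Open findings that prevent the scan for `scope` from passing."""
    return [f for f in findings if f.scope == scope and must_resolve(f) and not f.resolved]


def needs_rescan(findings, scope):
    """Remediated blocking findings: a rescan is still needed to confirm the fix."""
    return [f for f in findings if f.scope == scope and must_resolve(f) and f.resolved]


def scan_passes(findings, scope) -> bool:
    return not blocking_findings(findings, scope)


def sample_findings():
    """Constructed data for illustration only."""
    return [
        Finding("10.0.0.5", "ext-4.0", 4.0, "external", "medium"),       # blocks: 4.0 is inclusive
        Finding("10.0.0.5", "ext-3.9", 3.9, "external", "medium"),       # below threshold
        Finding("10.0.0.9", "ext-9.8-fixed", 9.8, "external", "critical", resolved=True),
        Finding("10.1.0.2", "int-cvss7.5", 7.5, "internal", "medium"),   # entity ranking governs
        Finding("10.1.0.2", "int-high", 5.0, "internal", "high"),         # blocks despite CVSS 5.0
    ]
```

The internal case is the one most often mis-scored: a high CVSS number that the entity has ranked Medium does not block the internal scan, while a lower number ranked High does.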

Penetration Testing (11.4.2, 11.4.3)

Internal penetration testing is a more aggressive form of evaluation and should be conducted at least once every 12 months or after any significant change to the infrastructure or application. The testing can be carried out either by a qualified internal resource or a qualified external third-party, provided that there is organizational independence between the tester and the entity being tested. Notably, the tester doesn't need to be a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV).

Much like its internal counterpart, external penetration testing is required annually or after any significant alterations to the system. The testing must also be conducted by qualified resources and should follow the entity’s defined methodology for testing.

What Constitutes a 'Significant Change'?

PCI DSS v4.0 is pretty broad in what it considers to be 'significant changes,' effectively encompassing any new hardware, software, or networking equipment added to the Cardholder Data Environment (CDE), as well as any replacement or major upgrades to existing hardware and software in the CDE. The list is exhaustive and is aimed at ensuring that any changes, no matter how seemingly minor, are given adequate attention from a security perspective.

Summary of Requirements

The PCI DSS v4.0 requirements for vulnerability scans and penetration testing provide a structured approach for entities to keep their data environments secure. While these requirements might seem stringent, they offer a well-defined framework for securing cardholder data against the backdrop of ever-advancing cyber threats. Adhering to these requirements is not just about ticking compliance boxes; it’s about taking the necessary steps to protect your organization and its stakeholders.

  • Internal vulnerability scans:
    • 11.3.1.3 Internal vulnerability scans are performed after any significant change as follows:
      • High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
      • Rescans are conducted as needed (significant changes, etc.).
  • External vulnerability scans:
    • 11.3.2.1 External vulnerability scans are performed after any significant change as follows:
      • Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved.
      • Rescans are conducted as needed (significant changes, etc.).
  • Internal penetration testing:
    • 11.4.2 Internal penetration testing is performed:
      • Per the entity’s defined methodology, at least once every 12 months
      • After any significant infrastructure or application upgrade or change
      • By a qualified internal resource or qualified external third-party
      • Organizational independence of the tester exists (not required to be a QSA or ASV).
  • External penetration testing:
    • 11.4.3 External penetration testing is performed:
      • Per the entity’s defined methodology, at least once every 12 months
      • After any significant infrastructure or application upgrade or change
      • By a qualified internal resource or qualified external third-party
      • Organizational independence of the tester exists (not required to be a QSA or ASV).
  • Significant changes are defined in PCI DSS to include (PCI-DSS-v4_0.pdf page 26):
    • New hardware, software, or networking equipment added to the CDE.
    • Any replacement or major upgrades of hardware and software in the CDE.
    • Any changes in the flow or storage of account data.
    • Any changes to the boundary of the CDE and/or to the scope of the PCI DSS assessment.
    • Any changes to the underlying supporting infrastructure of the CDE (including, but not limited to, changes to directory services, time servers, logging, and monitoring).
    • Any changes to third party vendors/service providers (or services provided) that support the CDE or meet PCI DSS requirements on behalf of the entity.