The PCI Security Standards Council (PCI SSC) — an open global forum responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security — has just published Penetration Testing Guidance. Its purpose is to help organizations establish a strong approach to regularly testing the security controls and processes that protect the cardholder data environment — reported to be a top security challenge area, according to Verizon’s 2015 report on PCI compliance.
According to Verizon’s report, testing security systems is the only area within the PCI DSS where compliance fell over the past year — which would indicate that merchants are not aware of the critical nature of penetration testing. Too often, networks considered out of scope become vulnerable and are compromised due to poor segmentation methods. Merchants can and should protect their payment environment by implementing and following best practices for penetration testing to identify and exploit vulnerabilities. Penetration testing can determine whether unauthorized access to their systems or other malicious activity is possible. It is also a vital tool for verifying that segmentation is appropriately in place to isolate the cardholder data environment from other networks and to reduce PCI DSS scope.
The Penetration Testing Guidance publication supplements PCI guidance published in 2008. It includes three case studies that illustrate the various concepts presented within the document, as well as a quick-reference guide to assist in navigating the penetration testing requirements.
“Penetration testing is a critical component of the PCI DSS,” said PCI SSC Chief Technology Officer Troy Leach in a press release from the PCI SSC. “It shines a light on weak points within an organization’s payment security environment which, if unchecked, could leave payment card data vulnerable.”
Another important part of the PCI compliance process is the completion of the Self-Assessment Questionnaire (SAQ), an annual validation exercise that allows merchants and service providers who are not required to undergo an on-site data security assessment to self-evaluate their PCI DSS compliance. TransFirst streamlines the process with SmartSAQ — an interactive cloud-based application that simplifies completion of the SAQ.
SmartSAQ guides merchants through a specifically tailored set of questions relevant to their processing environment, accompanied by easy-to-understand help text and pictures that clearly illustrate and explain key concepts. It is a helpful PCI compliance tool that improves the merchant experience. Benefits include a faster and more accurate completion and validation process that can save time and lessen frustration.
To learn more about how to achieve PCI compliance, we invite you to download our informative eguide on the subject, one of many helpful resources you can find in the TransFirst.com Learning Center.