Today, we enjoy the convenience of shopping from the comfort of our homes. However, when making an online payment, have you ever considered that a hacker may be watching for your card details?
With the number of e-commerce users growing to an estimated 164 million worldwide, securing users' card data has become critically important for organizations that provide online transaction facilities. The 'PCI DSS' standard exists to take care of the security of users' card data.
Payment Card Industry Data Security Standard
Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards for companies that accept, process, store or transmit credit card information, intended to ensure that a secure environment is maintained.
Managed by the PCI SSC (Payment Card Industry Security Standards Council)
Latest standard version: 3.2.1 (released in May 2018)
Validation is performed quarterly or annually by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA), and is documented in either a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ).
PCI DSS Compliance Requirements
PCI DSS specifies 6 groups (Control Objectives) for compliance requirements, listed below:
1. Network security
   Installation of firewalls
   Security of system passwords
2. Cardholder data protection
   Protection of stored cardholder data
   Encryption of data transmissions
3. Vulnerability management
   Use of antivirus software
   Secure development of systems and applications
4. Access control
   Assignment of a unique ID to each person with access
   Restriction of physical access to the CDE (Cardholder Data Environment)
5. Network monitoring
   Monitoring of access to network resources
   Regular testing of security systems and procedures
6. Information security policies
   Implementation of IT security policies
   Education of staff
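As an added example (not code from the original post, and not part of HackerGuardian or any other product named here), the following Python illustrates two small controls that support objective 2 (protection of stored cardholder data) and objective 5 (monitoring) above: masking a primary account number (PAN) down to the first six and last four digits, which is the most PCI DSS permits to be displayed, and scanning application logs for unmasked card numbers, using the Luhn mod-10 check to suppress false positives such as tracking numbers. The log lines and card numbers are constructed test data.

```python
import re

# Constructed sample log lines for this example (not from the original post).
# The card numbers are well-known industry test PANs, not real accounts.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z INFO order=1001 status=paid",
    "2024-01-01T10:00:01Z DEBUG pan=4111111111111111 exp=12/26",
    "2024-01-01T10:00:02Z DEBUG card=5555-5555-5555-4444 cvv=***",
    "2024-01-01T10:00:03Z INFO tracking=1234567890123456",
]

# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display masking)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list:
    """Return the unmasked, Luhn-valid PANs (digits only) found in one log line."""
    pans = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form; other digit runs stay."""
    def replace(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(replace, line)


def scan_log(lines) -> list:
    """Report (line number, masked PANs) for each line that leaks a PAN.

    The alert itself only carries the masked form, so the finding can be
    shared with operations staff without re-exposing cardholder data.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            hits.append((lineno, [mask_pan(p) for p in pans]))
    return hits


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN(s) {masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

The fourth sample line contains a 16-digit tracking number that fails the Luhn check and is therefore neither reported nor redacted; in a real deployment the same redaction would sit in the logging pipeline so that PANs never reach disk in the first place, and the scanner would serve as the detective control that confirms it.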
Penetration Testing Approach
For PCI DSS compliance, both a vulnerability scan and a penetration test are required. While a vulnerability scan identifies vulnerabilities through automated procedures, a penetration test attempts to exploit those vulnerabilities, primarily through manual techniques.
Pre-Penetration Testing Phase
Identify the system components that make up or connect to the CDE (Cardholder Data Environment)
Prepare detailed documentation, including diagrams and process flows, of the scoped components
Define the rules of engagement for testing
Define the depth of the penetration test and its success criteria
Penetration Testing Phase
Application layer: access control checks and attempts at unauthorized access to data
Network layer: automated network scans and attempts to bypass authentication and authorization controls across the CDE (Cardholder Data Environment)
Social engineering: non-technical manipulation of staff into opening a door for an attack
Post-Penetration Testing Phase
Notification if cardholder data was accessed during the test
Execution of the incident response plan
Retesting of the identified vulnerabilities
Establishment of best practices for handling the vulnerabilities found
Clean-up of the whole testing environment
Tool Evaluation - HackerGuardian
A PCI SSC-approved tool that helps businesses and service providers dealing with card data stay compliant with PCI DSS. It is a comparatively low-cost tool compared to competitors such as Qualys PCI and CoalfireOne.
Features
Ability to scan an organization's entire network and scale globally
Organized process for acquiring and maintaining PCI DSS compliance
Centralized policy updates across all applications
Highly useful report generation
Generates compliance status reports for submission to banks
Reports must be downloaded manually from the cloud
Scanning time is somewhat longer than that of its competitors
Disclaimer
This publication is for informational purposes only and nothing contained in it should be considered legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information and encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.
Written by QA Experts
The QASource Blog, for executives and managers, shares QA strategies, methodologies, and new ideas to inform readers and help them deliver quality products, websites and applications effectively.