Today, we enjoy the convenience of shopping from the comfort of our homes. However, when making online payments, have you ever realized that there may be some hacker watching for your card details?
With the number of e-commerce users growing to an estimated 164 million worldwide, securing users' card data has become of utmost importance for organizations providing online transaction facilities. A standard called 'PCI DSS' exists to take care of the security of users' card data.
Payment Card Industry Data Security Standard
Payment Card Industry Data Security Standard (PCI DSS) refers to a set of security standards for companies involved in accepting, processing, storing or transmitting credit card information, intended to ensure that a secure environment is maintained.
- Managed by the PCI SSC (Payment Card Industry Security Standards Council)
- Latest standard version: 3.2.1 (released in May 2018)
- Validation performed quarterly or annually by a
  - Qualified Security Assessor
  - Internal Security Assessor
- Validation documented in a
  - Report on Compliance
  - Self-Assessment Questionnaire
PCI DSS Compliance Requirements
PCI DSS groups its compliance requirements into 6 Control Objectives; the 12 requirements are listed below:
- Install and maintain a firewall
- Secure system passwords
- Protect stored cardholder data
- Encrypt data transmissions
- Use antivirus software
- Develop and maintain secure systems and applications
- Assign a unique ID to each person with access
- Restrict physical access to the CDE (Cardholder Data Environment)
- Monitor access to network resources
- Regularly test security systems and procedures
- Implement IT security policies
- Educate staff
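As an added example (not part of the original post), a small cardholder-data discovery and masking routine of the kind used to check the "Protect stored cardholder data" and "Monitor access to network resources" requirements above: it finds Luhn-valid PANs in log text and masks them to the first six and last four digits, the most PCI DSS permits when a PAN is displayed. The log lines are constructed sample data.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines: one valid test PAN, one digit run that fails
# Luhn, one 16-digit session id that also fails Luhn.
LOG_LINES = [
    "2018-05-17 10:22:01 order=8827310021 card=4111 1111 1111 1111 status=approved",
    "2018-05-17 10:22:05 order=8827310022 card=4111-1111-1111-1112 status=declined",
    "2018-05-17 10:22:09 session=1234567890123456 msg=heartbeat",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (separators stripped) found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()
    return PAN_RE.sub(repl, text)


def scan_log(lines: list) -> list:
    """Return (line number, masked PAN) for each PAN found, for an audit report."""
    return [(n, mask_pan(p)) for n, line in enumerate(lines, 1) for p in find_pans(line)]
```

Running `scan_log(LOG_LINES)` reports only line 1, since the other two digit runs fail the Luhn check and are left untouched by `redact`.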
Penetration Testing Approach
For PCI DSS compliance, both a vulnerability scan and a penetration test are required. While a vulnerability scan identifies vulnerabilities through automated procedures, a penetration test attempts to exploit those vulnerabilities, primarily through manual techniques.
- Identify the system components that deal with the CDE (Cardholder Data Environment)
- Prepare detailed documentation, including diagrams and process flows, of the scoped components
- Define the rules of testing
- Define the depth of penetration testing and the success criteria:
  - Application layer: access control checks and attempts to gain unauthorized access to data
  - Network layer: automated network scans and attempts to bypass authentication and authorization controls across the CDE (Cardholder Data Environment)
  - Social engineering: convincing a person, rather than a system, to open a door for the attack
- Notify if cardholder data is accessed
- Execute the incident response plan
- Retest the identified vulnerabilities
- Build best practices for handling the vulnerabilities found
- Clean up the whole testing environment
Tool Evaluation - HackerGuardian
A PCI SSC approved tool for businesses and service providers dealing with card data to stay compliant with PCI DSS. It is a comparatively low-cost tool compared to competitors such as Qualys PCI and CoalfireOne.
- Ability to scan the entire network of an organization and scale globally
- Organized process for acquiring and maintaining PCI DSS compliance
- Centralized updates for policies across all applications
- Highly useful report generation
- Generates compliance status reports to be submitted to banks
- Reports must be downloaded manually from the cloud
- Scanning time is somewhat longer than that of its competitors