Penetration Testing for PCI Compliance

August 14, 2014

In today's Whiteboard Wednesday, Chris Kirsch will talk about penetration testing for PCI compliance. If you are a company that accepts credit card payments, you have to comply with PCI. PCI compliance requires that you perform a penetration test at least once a year and after any significant infrastructure or application upgrade. Watch this video to learn more about penetration testing for PCI compliance and download Metasploit Pro to get started!

Video Transcript

Hello and welcome to this week's Whiteboard Wednesday. My name is Chris Kirsch. I am the Product Marketing Manager for Metasploit here at Rapid7, and today I would like to talk about PCI and penetration testing.


If you are accepting credit cards or debit cards, then chances are pretty high that you will need to comply with the PCI DSS. That's the Payment Card Industry Data Security Standard. As part of that compliance, there is a requirement, 11.3, that requires you to do a penetration test at least once a year and after major changes and modifications to your network.

So most companies actually hire an external consultant to do that penetration test for them, but a lot of them do that because they're not aware that they can actually take this work in-house and do it internally. You don't need to hire an ASV or a QSA to do this kind of work. You can do it internally, and even the external pen test doesn't have to be done by an ASV or a QSA.

Maybe I need to explain some terms. An ASV is an external party, approved by the PCI Council, that will do the vulnerability scan for your network. A QSA is a Qualified Security Assessor. This is the guy or girl who will actually approve all of the things that you're doing to say you're passing the audit.

Now, an external pen test is the standard procedure. But if you would like to save some money by taking that internally, or if you need more than one pen test because you have many changes to the system, so you want to pen test before your actual audit, fix some stuff, and then test again for the audit to kind of get more bang for your buck, then you should consider taking this internally.

How do you do this? Two criteria. The first one is you need to have sufficient qualifications to actually do the penetration test. That means at least you need to be a security professional. It probably does help if you have training in the penetration testing product that you are using. For example, Metasploit training would be a good way to prove that you have sufficient qualifications. Or you would need to have some kind of work experience in the field. Whether or not your qualifications are sufficient will be judged by the QSA as part of the audit.

Now, you can work with the QSA ahead of time to say, "Hey, we're planning to do this. Would this be okay?" That's probably a pretty good way to ensure that you're going to pass the audit.

The second criterion is no conflict of interest. That means no conflict of interest between the people who've built the network for PCI, the network that's in scope for PCI, and the penetration tester who's testing the system, because if you've built it and you're testing your own network, you kind of have a conflict of interest. So again, it helps if your organization is separate. Let's say one guy who builds the network reports up to the CIO. Maybe the security guy reports up to the CFO or a Chief Risk Officer or something like that.

In smaller organizations, your QSA will probably give you a waiver if you don't have enough people to avoid that conflict of interest. You sometimes get a waiver in that situation, but check in with your QSA first.

Now if you would like to try this out, give it a go and see how easy it is to do penetration tests in-house, please download the Metasploit Pro Trial. It's a seven-day trial, fully featured. You can get that at I would advise you to install it. Have a look at the Quick Pen Test Wizard right when you're in the product. Carry out a simple pen test. Run the PCI report, which will give you all of the requirements that you're either complying with or out of compliance with, so that you can get a good idea of where you are, and you should be all set.

All right. Thanks for listening today, and I'll see you next Wednesday.