While the overall methodology is not much different from network penetration testing, the cost of PCI penetration testing can be higher. Network penetration testing is the basis of the PCI penetration test. Both have external and internal penetration testing offerings. But differences in frequency and scope can change the cost structure of the two test types significantly.
This article will explore the cost differences between network penetration testing and PCI penetration testing in detail. The primary cost factors are outlined to help any organization required to conduct PCI penetration testing understand what will impact the budget. In addition, a few recommendations will be provided to assist along the way.
(IMPORTANT: This free PDF report shows pricing data from 10 real penetration testing contracts so your firm can gauge costs and avoid overpaying for your own tests.)
- Why PCI Penetration Testing Costs Are Different
- PCI Pen Test Cost Benchmarking
- How Much do Costs Vary from One Vendor to The Next?
- How Much do PCI DSS Pentest Costs Vary from One Industry to the Next?
- How Can PCI DSS Pen Test Costs Be Reduced?
- Costs of PCI DSS Pen Testing Vs Benefits
Why PCI Penetration Testing Costs Are Different
While both PCI and network penetration tests are similar, they are not the same. To begin, PCI requires one per year of both internal and external penetration testing. Conversely, there are no requirements, other than contractual, for network penetration testing for most organizations.
PCI penetration tests also have very specific requirements on what the test should include, for instance, web application testing for all pen testing (external or internal) and segmentation testing when conducting an internal penetration test.
App pen testing can be unauthenticated and is not a full web application penetration test when it comes to the penetration testing methodology. The goal is to understand how all systems, applications, and exposed assets can impact the overall security of the credit card data stored in the cardholder data environment (CDE).
Couple the nuanced difference between a network penetration test with a regulatory requirement, and it starts to get tricky in determining the price. An organization may be tempted to just contract for one penetration test a year against their full internal or external environment, but this may be a disservice to the organization.
This is because PCI explicitly states that anything medium or above must be remediated or have approved mitigation. When submitting a report that is for a full environment, all findings will be reviewed and not just the findings related to the CDE.
Add that the approved mitigation is not from the organization but from the PCI QSA or service provider, which will make it harder to have anything over medium removed from the report. For this reason, most organizations only scope the CDE for the PCI penetration test, which can complicate the pricing a bit, as this requires a defined CDE environment.
When it comes to the value provided by the service, PCI penetration testing can be more valuable than a network penetration test. Not only will it allow for certification against PCI DSS, which then allows the organization to accept cards, it also can assist with showing due diligence to avoid fines from the card brand holders, in the event there is a breach of credit card data.
Keep in mind that it will not, by default, eliminate liability, but it is a step in showing due diligence. For this reason, any organization handling, processing, or storing payment card information will be required to conduct a PCI penetration test.
PCI Pen Test Cost Benchmarking
Many of the factors involved in scoping a PCI penetration test are similar to a network penetration test. As previously covered, the two are very similar; however, this section will cover some of the scoping or pricing factors that are more unique to PCI penetration testing. To attain a full picture of all the factors, an organization should consider the pricing factors for network penetration testing.
As is the case with any penetration testing, costs can range quite widely when it comes to contracting. An organization can expect the average cost of a PCI penetration test to be between $10,000 to over $100,000 per test.
Cost Factor #1: Number of systems and applications in scope
As is the case with pricing network penetration testing, the total number of live systems in scope will affect the cost. The more in-scope systems or IP addresses the higher the price. PCI penetration testing adds a wrinkle to this scoping, as it is required to do testing against exposed applications (whether a web application or not) without credentials and not just against live IP addresses.
This often will increase the cost of the penetration test compared to just a network penetration test, as it is possible to have a one-to-many relationship with applications (more applications live than hosts). Every web application that is accessible, whether internal or external, must have some level of testing completed against it as part of the PCI penetration test.
Cost Factor #2: Internal VLAN
One of the bigger impacts on the overall effort to the PCI penetration test is related to the total number of VLANs that need to be tested. PCI requires that all VLAN segmentation be tested to provide evidence of the inability to access or move cardholder data from a secured segmentation to another lower-tier segmentation.
While this is a separate requirement from internal penetration testing, most organizations choose to do both segmentation testing and internal penetration testing together. In short, the more VLAN segmentations that are in scope for testing, the higher the cost. Keep in mind that this testing is required to take place every 6 months, which is typically paired with the internal penetration test.
Cost Factor #3: Bundled or Not
Many services are required by PCI. For instance, PCI requires quarterly vulnerability scanning by an approved scanning vendor (ASV), and, in many cases, these ASV providers also provide PCI penetration testing. So, there is an opportunity to bundle the service with other requirements from PCI to attain better pricing on the PCI penetration test.
While bundling other services with the PCI penetration test is one way to save, another is to purchase internal and external penetration testing, along with segmentation testing, under one contract from a single vendor. By purchasing all upfront in a single contract, it is possible to attain a better per test price for all the required testing.
Cost Factor #4: Vendor
While this article will delve deeper into the pricing variations between vendors, this is a critical factor in the total cost of a PCI penetration test. Some firms or vendors specialize in providing PCI penetration testing for a lower cost. These tests tend to be more focused on just providing a checkbox report with the bare minimum of effort possible. If an organization has a more robust and in-depth penetration testing partner, this could be a valid approach for PCI.
How Much do Costs Vary from One Vendor to The Next?
The vendor is a cost factor. It was briefly touched on how the depth and quality of the vendor can impact the cost. In some cases, the vendor selected can double the total cost of PCI penetration testing. Outside of selecting a check-box vendor vs. a highly skilled vendor, other factors can impact the cost of the service.
While there is no requirement to have testers on site for internal penetration testing, many organizations still prefer to have this be the case. Selecting a vendor that is closer to your headquarters can assist with lowering the cost, as it could eliminate hotel and airfare, both of which are getting more expensive. However, if the organization is comfortable with it, many vendors now offer prebuilt VMs that can be deployed in the environment to offer a platform to conduct penetration testing. This would eliminate the cost of travel completely.
With penetration testing being required by the PCI standard, many reputable pentest vendors can provide offshore resources to conduct the testing. Total effort (time) spent on the penetration testing will usually be the same, but the cost savings come from the consultants’ lower average cost to operate in those regions. Just like onsite testing, if an organization is comfortable with this strategy, there are possible savings.
How Much do PCI DSS Pentest Costs Vary from One Industry to the Next?
The industry the organization operates in should not have any impact on the cost of penetration testing. This is simply because there are no additional requirements based on industry. Organizations are viewed the same; the organization either handles cardholder data or does not.
The pricing factors are the same, the requirements are the same, and the testing methodology is the same. If a vendor is claiming it costs more due to the industry of the organization, it may be best to engage a different vendor.
How Can PCI DSS Pen Test Costs Be Reduced?
One of the easiest ways to reduce the overall testing cost of PCI penetration testing is to only test the CDE assets. This is a valid approach and is not looked at negatively by auditors. In fact, it is expected, due to the risk associated with having non-PCI systems in scope, as any finding related to those systems would be on the report and be required to be remediated or mitigated. Reducing the scope may be the simplest way to lower the testing cost but not the only one.
Without going into depth again, the vendor will have a large impact on the testing cost and is a way to reduce the penetration testing pricing. This does introduce risk, as previously stated, in that checking the box for PCI does not fulfill due diligence.
If something was to happen, and a low-budget PCI penetration testing vendor was selected, the organization will still be at fault. After all, the organization chose the vendor and paid the vendor to complete the test. The vendor will not guarantee that the organization is secure but selecting a higher quality vendor will be more likely to uncover exposure that could result in a breach.
Costs of PCI DSS Pen Testing Vs Benefits
Quite simply, if an organization is getting certified against PCI-DSS from level 4 to level 1, PCI penetration testing will have to be conducted. This is not an optional requirement; it is required and would result in a non-compliance finding, as part of the audit. The organization could be provided time to resolve this by conducting the penetration test, but, in some cases, it could result in a certification not being issued or revoked.
The ramifications of this are that any banks or processors may stop accepting or processing cards on behalf of the organization, which would be a loss of revenue. Beyond the loss of revenue, this would cause a customer service issue and the potential of a large impact on reputation.
Just like with any other penetration test, having a PCI pen test conducted will expose any configuration, vulnerabilities, or overly exposed systems that could open an organization up to a breach. Certainly, there could, or most likely will, be fines associated with a breach, if these issues are not found as part of a penetration test.
However, as previously stated, this is required to be certified. So, in general, there are not a lot of options for an organization when dealing with PCI-DSS, conduct the penetration test and resolve the vulnerabilities to protect payment processing and avoid fines.
(REMEMBER: This free PDF report shows pricing data from 10 real penetration testing contracts so your firm can gauge costs and avoid overpaying for your own tests.)