Any organization processing, storing, or transmitting cardholder data (CHD) must attain certification or submit a self-attestation of compliance, according to PCI-DSS standards. PCI-DSS v3-2-1 has been published and in effect since 2018, with the most recent (4-0) being released in March of 2022, both of which are available in PCI-DSS Document Library. As part of this standard, PCI-DSS v3-2-1 requires that an organization perform internal and external penetration testing by an independent and qualified penetration tester.
This article will discuss some of the key requirements that need to be considered when engaging or implementing a penetration testing regime for PCI compliance, and how these requirements may differ from non-PCI penetration testing.
(NOTE: If you’re considering a pentest for PCI compliance, the free tool below matches your organization with top-rated providers that suit your budget and requirements)
- Find the Right Pentest Provider Fast
- What Kind of Pen Testing is Needed for PCI DSS Compliance?
- PCI Pen Testing Standards & Methodology
- Qualifications to Perform Penetration Testing
- PCI Penetration Testing Frequency
- The PCI Penetration Test Process
- How Long Will a PCI Penetration Test Take?
- Risks of Non-Compliance on Pen Testing
- How Much Does PCI Penetration Testing Cost?
- PCI Pen Test Cost Benchmarking
- Cost Factor #1: Number of systems and applications in scope
- Cost Factor #2: Internal VLAN
- Cost Factor #3: Bundled or Not
- Cost Factor #4: Vendor
- How Much do Costs Vary from One Vendor to The Next?
- How Much do PCI DSS Pentest Costs Vary from One Industry to the Next?
- How Can PCI DSS Pen Test Costs Be Reduced?
- How do PCI Pen Tests Vary By Provider?
- How Often Do The Rules Change?
- Balancing Compliance With Costs
What Kind of Pen Testing is Needed for PCI DSS Compliance?
First, to understand what is being asked for, penetration testing needs to be defined. Penetration testing, according to PCI-DSS, is considered a separate activity from vulnerability scanning or assessments, which are also a requirement.
Vulnerability scanning or assessment is the act of identifying, ranking, and reporting on vulnerabilities. Penetration testing adds the act of exploitation to circumvent or defeat security controls.
The definition further delineates the difference between a vulnerability assessment and a pen test in how the testing is being conducted. A vulnerability assessment is highly automated and may combine multiple tools with manual verification. Penetration testing is a manual process of exploitation, that includes or may include, automated tools to identify vulnerabilities.
With the definition of vulnerability assessment and penetration defined, further review of how PCI-DSS penetration testing differs from other penetration testing, the frequency, and further analysis of how results can impact compliance will be discussed.
PCI Pen Testing Standards & Methodology
PCI-DSS 3-2-1, requirement 11.3 stipulates that an organization must implement a methodology or capability of testing that is based on NIST SP800-115. Further, it is required that testing include the full cardholder data environment (CDE), critical systems, and supporting systems for that environment. PCI requires penetration testing of both the external network and internal network. The internal network test must also include segmentation validation testing (testing of VLANs or segmentation that is deployed at the network layer to limit scope).
In short, any environment that may be interacting or storing CHD must have internal and external testing conducted against it to validate that the CHD is not exposed and that the environment has appropriate controls in place and operational.
This testing must also incorporate network-layer testing and application layer testing as part of the scope. PCI-DSS further defines that app pen testing must include tests against the OWASP Top 10 for any application or service that is residing within the CDE.
Now that PCI pen testing is defined and scope is considered, how does it differ from a normal penetration test?
Depending on the consultancy, the methodology may not differ much at all. Most consultancies will perform network penetration testing with any applications at least partly in scope.
However, the biggest differences will be in the network segmentation testing, and the depth of documentation. This is not a typical approach for an internal penetration test and will need to be asked for specifically.
It is always recommended that the contracted consultancy is informed that the test will be used for PCI-DSS.
Qualifications to Perform Penetration Testing
When it comes to who can perform penetration testing for an organization, it comes down to impartiality and qualifications. PCI-DSS does not require a third party to conduct the testing and has guidance on when a third party may not conduct the testing for an organization.
For both internal and external testing, a tester must not have material daily duties in the management or building of the systems related to the CDE. The tester needs to be free from conflict of interest and have the ability to perform an impartial test against the environment.
As for qualification, there are two ways to show that a tester is qualified. The first is through certifications like the Offensive Security Certified Professional (OSCP) or Certified Ethical Hacker (CEH). These two are only examples, and other certifications can be attained to show technical capabilities to perform testing.
The other way a tester can show technical skill is through experience. This will require more evidence gathering by the auditor, and an organization may need to be prepared to provide this. This will include evidence or information on previous engagements, details on previous work experience, references, and types of testing performed with information on the scope. In most cases, a consultancy experienced with PCI will assist with providing this information, if requested, as part of the engagement.
PCI Penetration Testing Frequency
Regardless of the compliance level, from 4 to level 1, the frequency for penetration testing is defined by requirements 11.3.1 and 11.3.2 of the PCI-DSS document. External penetration testing must be conducted at least annually and after any significant changes in infrastructure or applications. Refer to the PCI-DSS Penetration Testing Guidance for detailed information on what are considered significant changes requiring a penetration test. An example of an event that would require an external penetration test would be a new application that has been deployed that resides in and supports the CDE environment.
For internal penetration testing, requirement 11.3.2 states it must take place annually with segmentation testing occurring every 6 months. Just like with external penetration testing, any significant changes would require additional testing to validate that the environment is secure, and the controls are operational. For this requirement, most organizations choose to do an internal penetration test every 6 months and do both segmentation testing and internal penetration testing at the same time.
If an organization were to have any findings that were above a medium risk, remediation would need to take place. This would then require additional testing to validate that the findings are remediated properly.
The PCI Penetration Test Process
When it comes to PCI penetration testing, the certification council and auditor will be looking for key steps during the process and key information to be provided, as an outcome of the test.
Scoping: Prior to an engagement, it is recommended that detailed information on the CDE be gathered to assist with proper scoping. This would include information on the number of hosts, the number of segments in scope, and a network diagram. This information will need to be provided to the consultancy during scoping not only to price, but to ensure the organization does not have any compliance issues when submitting the report. When gathering information for the scoping, review all in-scope systems and networks to identify any missing components, as the test needs to be against all access points, critical systems, and segmentations for the CDE.
Define Rules of Engagement: Once documentation is gathered and the scope of the effort is determined by the consultancy, rules of engagement can be defined. This will be documented as part of the test and as part of the evidence to be submitted with the test to the organization’s auditor. This would include information about testing windows, any systems that should be excluded from automated scanning, controls that would prevent or hinder testing, communication channels, and any other concerns or issues that could arise that the tester should be aware of.
Define Success Criteria: The next step would be defining the success criteria for the penetration test. An organization may immediately think that success would be no major finding, but that is not the only success criteria. Keep in mind that the end goal that PCI has for this engagement is to simulate malicious actors attempting to compromise or pivot within the organization’s network.
Properly defined success criteria will assist with determining techniques and depth of testing to be conducted, as part of the engagement. In some cases, an organization may want to see a system accessed through an exploit to assist with validating the impact and attaining appropriate logs to be able to detect in the future. Careful thought and conversation should be had in this step.
Review Past Issues & Test Results: The next step that is recommended is the review of past issues or test results. This is not overly common within other penetration testing engagements. Many times, these engagements are more point in time. PCI recommends this to allow for validation of remediation but, also, to provide additional information on previous issues.
This provides some information on what vulnerabilities or issues could be in the environment. Additional details that should be reviewed during this step are controls deployed, which could include how these controls are deployed. Again, keep in mind that PCI-DSS wants to validate that the controls are operating correctly as part of the penetration test, so detailed information will assist with this validation.
As evidence, there are a few more steps that are recommended to be followed for PCI penetration testing that are not typically followed for other penetration testing engagements. Everything discussed to this point has been pre-engagement activity. It may seem that there will be a great deal of time upfront, but the reality is that the above steps should be a small portion of the engagement.
Test >> Post-Test >> Reporting >> Remediation: Just like any other penetration test, the bulk of the time will be spent in the testing phase. Once this is complete, post-testing activities can take place. This should involve reporting, which will include best practices and recommendations. Additionally, after reporting is complete, a review meeting should take place to discuss any findings and details on how the vulnerabilities were found or exploited. At this time, if it is included in the contract, retesting can be scheduled for any findings that will need to be remediated.
How Long Will a PCI Penetration Test Take?
When engaging in a PCI penetration test, like any other penetration service, the overall time required to complete the test is dependent on the scope (number of systems, segments, and complexity) and the consulting company.
For a low complexity environment, it could be completed in as little as a week. However, it is not uncommon for a highly complex organization to have a penetration test that takes over a month to complete, especially when it comes to internal penetration testing with segmentation validation included.
As more systems and segments are in scope and need to be tested, the overall time to complete will go up. One final factor that will impact the effort, unlike network penetration testing, is the number of applications and APIs in scope. While the testing against these systems may not be a full application penetration test, the consulting company will still need to show that the OWASP Top 10 was tested against the applications.
The testing only needs to be against the exposed application and will not require credentials, but this does increase the overall effort to complete the test.
Risks of Non-Compliance on Pen Testing
What can happen when not in compliance with PCI penetration testing requirements? There are multiple ways that an organization can be out of compliance.
The first, and most common, is that a risk rating of medium or above is documented as part of the remediation test. In this case, there are two options for an organization to stay in compliance, 1. Remediate or 2. Document a mitigating control. In both cases, retesting will need to take place to validate remediation or that the mitigation has lowered the overall risk of the finding to an acceptable level. An organization should be aware that most mitigation is temporary and will need remediation eventually.
If an organization were to have findings on their penetration testing report and not remediate or have time to remediate before certification, one of two things will happen. Either the certification will be postponed, essentially left open past the expiration of the existing certification, to provide time for remediation, or the certification will not be issued. Most of the time, it is the first case, as there are severe impacts to an organization if the certification is not reissued.
One other way that an organization can be out of compliance is by not conducting the required testing. A yearly penetration test, whether internal or external, could be conducted last minute to meet this requirement, but if proper planning and action did not take place to do segmentation testing every 6 months, an organization likely will have its certification revoked. Once certification is revoked, that organization is not able to process or handle any more credit cards until such time as they become certified.
The absolute worst case for an organization is to be levied with a fine for not meeting the PCI DSS requirements. Depending on the factors of non-compliance and how the payment brands interpret the indiscretion, fines can be from $5,000 to $100,000 per month for the violation until PCI certification is attained. This could also lead to the bank or partner terminating the relationship with the organization and forcing all payments to cease.
How Much Does PCI Penetration Testing Cost?
PCI penetration tests also have very specific requirements for what the test should include. For instance, web application testing for all pen testing (external or internal) and segmentation testing when conducting an internal penetration test.
App pen testing can be unauthenticated and is not a full web application penetration test when it comes to the penetration testing methodology. The goal is to understand how all systems, applications, and exposed assets can impact the overall security of the credit card data stored in the cardholder data environment (CDE).
Couple the nuanced difference between a network penetration test with a regulatory requirement, and it starts to get tricky to determine the price. An organization may be tempted to just contract for one penetration test a year against their full internal or external environment, but this may be a disservice to the organization.
This is because PCI explicitly states that anything medium or above must be remediated or have approved mitigation. When submitting a report that is for a full environment, all findings will be reviewed and not just the findings related to the CDE.
Add that the approved mitigation is not from the organization but from the PCI QSA or PCI service provider, which will make it harder to have anything over medium removed from the report. For this reason, most organizations only scope the CDE for the PCI penetration test, which can complicate the pricing a bit, as this requires a defined CDE environment.
When it comes to the value provided by the service, PCI penetration testing can be more valuable than a network penetration test. Not only will it allow for certification against PCI DSS, which then allows the organization to accept cards, it also can assist with showing due diligence to avoid fines from the card brand holders, in the event there is a breach of credit card data.
Keep in mind that it will not, by default, eliminate liability, but it is a step in showing due diligence. For this reason, any organization handling, processing, or storing payment card information will be required to conduct a PCI penetration test.
PCI Pen Test Cost Benchmarking
Many of the factors involved in scoping a PCI penetration test are similar to a network penetration test. As previously covered, the two are very similar; however, this section will cover some of the scoping or pricing factors that are more unique to PCI penetration testing. To attain a full picture of all the factors, an organization should consider the pricing factors for network penetration testing.
As is the case with any penetration testing, costs can range quite widely when it comes to contracting. An organization can expect the average cost of a PCI penetration test to be between $10,000 to over $100,000 per test.
Cost Factor #1: Number of systems and applications in scope
As is the case with pricing network penetration testing, the total number of live systems in scope will affect the cost. The more in-scope systems or IP addresses the higher the price. PCI penetration testing adds a wrinkle to this scoping, as it is required to do testing against exposed applications (whether a web application or not) without credentials and not just against live IP addresses.
This often will increase the cost of the penetration test compared to just a network penetration test, as it is possible to have a one-to-many relationship with applications (more applications live than hosts). Every web application that is accessible, whether internal or external, must have some level of testing completed against it as part of the PCI penetration test.
Cost Factor #2: Internal VLAN
One of the bigger impacts on the overall effort to the PCI penetration test is related to the total number of VLANs that need to be tested. PCI requires that all VLAN segmentation be tested to provide evidence of the inability to access or move cardholder data from a secured segmentation to another lower-tier segmentation.
While this is a separate requirement from internal penetration testing, most organizations choose to do both segmentation testing and internal penetration testing together. In short, the more VLAN segmentations that are in scope for testing, the higher the cost. Keep in mind that this testing is required to take place every 6 months, which is typically paired with the internal penetration test.
Cost Factor #3: Bundled or Not
Many services are required by PCI. For instance, PCI requires quarterly vulnerability scanning by an approved scanning vendor (ASV), and, in many cases, these top ASV providers also provide PCI penetration testing. So, there is an opportunity to bundle the service with other requirements from PCI to attain better pricing on the PCI penetration test.
While bundling other services with the PCI penetration test is one way to save, another is to purchase internal and external penetration testing, along with segmentation testing, under one contract from a single vendor. By purchasing all upfront in a single contract, it is possible to attain a better per test price for all the required testing.
Cost Factor #4: Vendor
While this article will delve deeper into the pricing variations between vendors, this is a critical factor in the total cost of a PCI penetration test. Some firms or vendors specialize in providing PCI penetration testing for a lower cost. These tests tend to be more focused on just providing a checkbox report with the bare minimum of effort possible. If an organization has a more robust and in-depth penetration testing partner, this could be a valid approach for PCI.
How Much do Costs Vary from One Vendor to The Next?
The vendor is a cost factor. It was briefly touched on how the depth and quality of the vendor can impact the cost. In some cases, the vendor selected can double the total cost of PCI penetration testing. Outside of selecting a check-box vendor vs. a highly skilled vendor, other factors can impact the cost of the service.
While there is no requirement to have testers on site for internal penetration testing, many organizations still prefer to have this be the case. Selecting a vendor that is closer to your headquarters can assist with lowering the cost, as it could eliminate hotel and airfare, both of which are getting more expensive. However, if the organization is comfortable with it, many vendors now offer prebuilt VMs that can be deployed in the environment to offer a platform to conduct penetration testing. This would eliminate the cost of travel completely.
With penetration testing being required by the PCI standard, many reputable pentest vendors can provide offshore resources to conduct the testing. Total effort (time) spent on the penetration testing will usually be the same, but the cost savings come from the consultants’ lower average cost to operate in those regions. Just like onsite testing, if an organization is comfortable with this strategy, there are possible savings.
How Much do PCI DSS Pentest Costs Vary from One Industry to the Next?
The industry the organization operates in should not have any impact on the cost of penetration testing. This is simply because there are no additional requirements based on industry. Organizations are viewed the same; the organization either handles cardholder data or does not.
The pricing factors are the same, the requirements are the same, and the testing methodology is the same. If a vendor is claiming it costs more due to the industry of the organization, it may be best to engage a different vendor.
How Can PCI DSS Pen Test Costs Be Reduced?
One of the easiest ways to reduce the overall testing cost of PCI penetration testing is to only test the CDE assets. This is a valid approach and is not looked at negatively by auditors. In fact, it is expected, due to the risk associated with having non-PCI systems in scope, as any finding related to those systems would be on the report and be required to be remediated or mitigated. Reducing the scope may be the simplest way to lower the testing cost but not the only one.
Without going into depth again, the vendor will have a large impact on the testing cost and is a way to reduce the penetration testing pricing. This does introduce risk, as previously stated, in that checking the box for PCI does not fulfill due diligence.
If something was to happen, and a low-budget PCI penetration testing vendor was selected, the organization will still be at fault. After all, the organization chose the vendor and paid the vendor to complete the test. The vendor will not guarantee that the organization is secure but selecting a higher quality vendor will be more likely to uncover exposure that could result in a breach.
How do PCI Pen Tests Vary By Provider?
There are a wide range of testing providers to choose from to meet this requirement.
Some firms specialize in PCI penetration testing and do not provide much else beyond this. Usually, these companies are offering other services around PCI and will be less expensive than a full penetration testing consultancy.
In these cases, these pentest vendors will take a more automated approach, with limited manual testing, as the focus is on doing the bare minimum to meet the requirement. This may involve more automated testing or junior testers doing the testing, with senior testers validating and writing the report to show expertise in penetration testing.
This will be quite noticeable if a full penetration testing consultancy is engaged. The two big differences, in this case, will be the total cost and time to complete the engagement.
How Often Do The Rules Change?
Many in the industry can be frustrated by the lack of changes in PCI. For the first time since 2018, PCI released an update in March of 2022 to the PCI requirements. Before that, PCI updated the requirements every 3 to 4 years.
While the requirements for certification have been updated in the past and were just updated, this requirement does not change much. This is due to it being an accepted best practice across the security industry to perform penetration testing.
It can be expected that additional testing requirements may come out to account for new technologies like cloud, containers, and SaaS solutions. But it can be expected that the core requirements for penetration testing will not alert much from one version to the next.
Balancing Compliance With Costs
When evaluating what level of penetration testing services to engage, whether it is commodity PCI penetration testing or full red team engagement, an organization should keep in mind that it is a balancing act.
Being compliant with PCI does not mean an organization is secure, and it also does not mean it is free of fault or that due diligence has been met.
While the organization is certified, if a breach of cardholder data were to happen, and it was deemed that the organization did not do their due diligence under the standard, additional fines could be levied against the organization and the certification auditing company. This will most likely come in form of fines from the payment brand of $5,000 to $100,000 per month, until in compliance again, but also in additional fines from processors or banks of between $50 and $90 per credit card.
When evaluating the cost of a cheap PCI penetration test, remember that just checking the box does not mean due diligence has been completed and may be viewed as insufficient in a court of law, or by card brand auditors.
Disclaimer: This article is not intended as legal or technical guidance on penetration testing for PCI-DSS. Further information on recommendations, definitions, and requirements should be pulled from the standard or the PCI-DSS Penetration Testing Guidance. This guidance document will provide detailed information on testing requirements, and scope, and provide additional definition examples and details beyond this article.