When was your last “pen test”?
If your business accepts credit card payments, there’s a strong chance you need to undergo a penetration test to be compliant with the PCI DSS. Unfortunately, the penetration test cost can be a sore spot for many business leaders.
Many ask, “Is the test really necessary?” and “How often must we do it?”
The primary driver behind these two questions is almost always the penetration test cost. Due to their manual nature, penetration tests are more time-intensive to conduct than other security tests such as vulnerability scans.
Penetration tests have always had a higher price tag, but their overall cost to you is about to increase in 2018.
Why is the penetration test cost going up?
In September 2017, the PCI Security Standards Council issued a comprehensive Penetration Test Guidance document to help organizations fully realize the test’s security benefits. Prior to this guidance, many pen tests were conducted under the assumption that validating network segmentation was the singular goal.
According to the new guidance, the penetration test should go well beyond segmentation validation to ensure that all devices within the cardholder data environment (CDE) are truly off-limits to data thieves. This means that along with testing your security barriers remotely, your penetration testing vendor may also need to conduct an on-site visit.
Section 2.2.2 of the Penetration Testing Guidance makes it very clear:
“In cases where there is an internal CDE perimeter, the scope of testing will need to consider the CDE perimeter as well as critical systems within and outside of the CDE.”
This is a departure from the previous guidance, which only required that the segmentation of the CDE from non-CDE be tested.
How can you limit your penetration testing spend?
Penetration testing isn’t an option. As a merchant, your business will be expected to undergo these tests at your expense. However, there are ways to curb your spending in this area.
Here are three tips for containing your penetration testing spend in 2018 and beyond:
- Limit the number of in-scope devices. The more devices you have within or connected to your CDE, the more complex the penetration test. Any device not processing or transmitting cardholder data should not be connected in any way to the CDE.
- Properly segment your network. Logging, Active Directory, and similar services are all critical systems that support your in-scope devices. Properly segmenting your network before the penetration test allows the tester to quickly and easily validate your security controls in this step of the process.
- Establish a separate test environment. While not practical for all organizations due to the requisite up-front costs, establishing a test CDE that is identical to your live CDE can save your organization time—and therefore money—in the long run. Working in the test environment avoids business disruption, especially in the case of high-availability systems that may be impacted by penetration testing in a production environment. Another benefit is the ability to test any fixes before you deploy them on the production network.
Make penetration testing a priority for your business.
In today’s complex IT environments, penetration testing is a must for not only PCI compliance, but a strengthened overall security posture. Want to learn more about the value of pen testing for your business? Click here or give us a call at 800-825-3301, ext. 2. We’re happy to help.