In order to protect credit card data, sometimes businesses have to think like a hacker.
Every year, merchants who transmit, process, or store payment card data must conduct a suite of security tests to comply with the Payment Card Industry Data Security Standards (or PCI DSS), now in Version 3.0. The “penetration test” is among the most important of these measures, using hackers’ own methods to determine a business’s susceptibility to attack.
So how does a penetration test work, and why is it so important for meeting PCI compliance guidelines?
How a penetration test works
You could say that a penetration test is a full-fledged attempt to compromise your network, just like one that might be carried out by would-be data thieves. The difference is that these exploit attempts are undertaken by your own security experts or a trusted third-party security partner, and the testing process is more controlled and limited to a specific time period.
In the course of the test, you might replicate hacking attempts by human experts as well as malware intrusions. The goal is to evaluate your systems’ ability to withstand the attacks. You can think of a penetration test as a fire drill with an actual (controlled) fire, helping you identify any points of weakness in your network before the bad guys do.
Today, PCI compliance guidelines require all merchants to have a penetration test conducted every year. You can conduct these tests with a third party or by using software, but many businesses find that it is best to turn to a security partner who can deliver a truly objective view – and better simulate an outside attacker’s perspective, since they won’t have pre-existing insight into your system.
Equally important, an effective third-party partner will bring up-to-date expertise on the most current and common hacking strategies. Plus, a human security expert can provide an in-depth explanation of any points of vulnerability you might find, along with the best strategies for bolstering your defenses.
The importance of robust tests
While the DIY software approach to penetration testing is still permitted under PCI, Version 3.0 includes updated language stating that these tests must be conducted according to “generally accepted methodologies.” Why the update? Previously, some organizations used less-than-reliable tools that they found online, with limited knowledge of how to make the tools work properly, or they simply conducted a vulnerability scan rather than a true penetration test – but these didn’t actually fulfill the purpose of the penetration test requirement in PCI.
As scores of retailers have suffered major hacking attacks in recent years, it is increasingly urgent that merchants of all sizes ensure their security is in keeping with industry best practices. A key to this process is conducting a comprehensive penetration test, simulating any step an attacker might plausibly take, and basing the testing on an in-depth understanding of the data security landscape.
By taking your security efforts seriously and conducting a robust penetration test, your business can check the boxes of the PCI compliance guidelines and avoid the worst of the penalties associated with a data breach. More importantly, you’re taking the steps necessary to defend both your business and your customers’ data. As data security becomes a more and more prominent issue, taking these steps is a crucial means of demonstrating responsibility, building public trust, and keeping your business out of the headlines for the wrong reasons.