PCI compliance stands for payment card industry compliance and is a set of standards concerned with security for businesses and merchants who deal with credit and debit card transactions, whether it concerns the storage, processing or transmission of card information. Any business or organization handling card transactions and holding a merchant ID is required to comply with the PCI standard, regardless of the size of the business or the number of transactions handled. PCI compliance is meant to ensure that customer card data is well secured, to protect customers from fraud and data theft. A business receives a PCI certificate as proof of PCI compliance.
There are some requirements that a PCI compliant vendor or merchant must meet and they are:
• Provide card data security
• Ensure they have a secure network
• Implement and follow access control measures
• Have an information security policy and implement it
• Have a vulnerability management and control program
• Regularly monitor and test networks and other computing resources
Information security is like an arms race: black hat hackers find ways to compromise system security through various vulnerabilities, and white hat hackers, together with system security administrators and experts, find ways of stopping the attacks. New technology and the increasing complexity of computer systems mean that new vulnerabilities are introduced and discovered on a daily basis, and businesses must make sure they are well protected even if they are not the ones using the new systems or the non-secure products and services. It is therefore important to continuously monitor an organization’s or business’ networks and computing resources so that red flags can be spotted early, and to test them regularly and continuously to ensure security is not compromised in any way.
It is required to perform penetration tests on networks, both internally and externally, at least once annually and after any major change to the network or its constituent components. Penetration tests are supposed to be carried out at both the application layer and the network layer of the OSI model. It is also required to carry out tests such as wireless scans at least quarterly.
In the network layer, testing is done against components composing the organization’s network such as mail servers, web servers, firewalls, routers etc. Testing is designed to uncover any configuration and vulnerability issues that can be used to compromise system and network security. Application layer testing targets applications and software packages such as installed software and web applications for configuration issues, vulnerabilities and software bugs, all of which can be used to compromise security.
When carrying out PCI compliance tests, it is important to have a penetration tester who has experience in penetration testing and has done it recently, and to determine the scope of testing and the tools that will be required. The results and reports generated from the testing will be used by a Qualified Security Auditor (QSA) or Approved Scanning Vendor (ASV) to determine the security of the network and system under penetration testing. However, it is not required that the testing be done by a QSA or an ASV; it must be performed by a qualified internal or external tester who is, where possible, independent from the organization.
This may require the hiring of a white hat hacker. Automated vulnerability tests will typically be used by the penetration tester to determine which weaknesses exist in the network’s security. They then try to manually exploit the vulnerabilities detected to compromise system security.
PCI compliance testing is important not only to ensure an organization is and stays compliant, but also to improve its information security.