A penetration test could be described as a simulated but realistic cyber attack action that aims to determine how deep an attacker would be able to penetrate into a well-defined target environment. The main benefit of such an effort would be to allow the assessed entity, which owns the environment, to gain a better understanding of their potential exposure and develop a strategy to defend against attacks. In a PCI DSS environment, the added scope is to confirm, by technical testing, that all the 12 requirements are correctly fulfilled.
In order to practically fulfill such intent, a team of skilled “cyber-thieves” – commonly known as “ethical hackers” – get involved. Their job basically consists of trying to break into your protected environment through exactly the same techniques that a real and well-motivated attacker would employ to achieve a certain malicious goal in real life.
What would however such goal be in practice? Well, it depends on the target environment at the base of the considered engagement. Above all, it depends on the nature of the data that the environment is supposed to protect. The more value data has to someone, the more likely it is that someone would consider seizing such data.
Therefore, environment and data retained therein are the key elements that define the features and the overall area covered by any penetration testing exercise. In a nutshell, they define its “scope”.
Now, when it comes down to PCI DSS, the scope of penetration testing is the Cardholder Data Environment (CDE) and all systems and networks connected to it. The PCI Security Standards Council defines the CDE as “The people, processes and technology that store, process or transmit card- holder data or sensitive authentication data, including any connected system components”. From a technical standpoint, the primary goal of an attacker would be to break into the CDE and seize cardholder data. Testing should then include every location of cardholder data, key applications that store, process, or transmit cardholder data, key network connections, key access points, and other targets appropriate for the complexity and size of the organization. In light of the above, cardholder data is the true “holy grail” for any penetration test in the realm of PCI DSS, where gaining access to any key systems in CDE would be a secondary, but still important, aim.
It is therefore clear that, at the base of any penetration testing exercise in a PCI DSS context, a clear and thorough definition of the scope in terms of cardholder data is mandatory and a rather critical task. Normally, just owning a strong competence in penetration testing would not suffice to do this. Without a consistent knowledge of the standard in all its facets and subtleties, and the ability to drill down into the whole card data flow, the outcome of any such testing would not be fully reliable. That explains why behind a good penetration test for a PCI DSS engagement usually stands a good PCI QSA (Qualified Security Assessor). The combined effort between QSA and penetration testing team throughout the assessment is in fact an essential requirement for the successful outcome of the entire campaign.