PCI DSS 3.0: Changes to penetration testing requirements for merchants

PCI DSS 3.0 will come into effect in January 2015, following which all players in the payment chain must comply with the updated requirements and security assessment procedures. Under the new requirements, many merchants who were previously eligible for the reduced SAQ A (Self-Assessment Questionnaire) would need to complete an extended SAQ A-EP, with around 140 questions (as opposed to the 14 included in the basic SAQ A).

The extended SAQ A-EP also requires a more rigorous approach to penetration testing on the merchant side. While penetration testing is commonplace in the payment provider space, the implication for merchants is an increase in the resources needed to ensure PCI compliance.

What is penetration testing and why is it necessary?

Penetration testing is carried out to determine whether security weaknesses or vulnerabilities could be exploited by cyber attacks. External tests are carried out, replicating the conditions of a typical internet user, plus internal tests are done over internal IP addresses, which disables firewall blocks and allows for a wider range of attacks to expose any potential vulnerability. The OWASP Top 10 outlines the most critical web application security flaws, and this powerful awareness document guides penetration testing procedures in the industry.

PCI DSS 3.0 penetration testing is based on the NIST (National Institute of Standards and Technology) SP800-115 framework, and must cover application layer as well as network layer threats. Any security flaws that are found must be corrected and retested.

Regular penetration testing is part of our commitment to the PCI Security Standards Council, and necessary to ensure ongoing PCI DSS Level 1 compliance, however these tests would be carried out regardless of external forces, in order to ensure that our clients always benefit from the highest level of payment security.

Penetration and security testing processes evolve continuously, adapting to the changing security and risk landscape and reflecting the ongoing development of the payment platform we operate for our clients. Some aspects of our penetration testing, like automatic security scans to OWASP 10 rules, are fully integrated into deployment processes.

Penetration testing requirements for merchants under PCI DSS 3.0

Previously, merchants who outsourced payment processing to a payment service provider would effectively outsource their penetration testing requirements. However, under PCI 3.0, merchants using widget based payment pages may only qualify for the extended SAQ A-EP. This would mean executing and providing evidence for penetration testing that fulfils the stringent PCI compliance criteria.

For merchants who fall under the SAQ A-EP, penetration testing must be done on an annual basis, plus whenever significant infrastructure or application upgrades are made. Testers need to be organizationally independent from those implementing and maintaining security controls. Small and medium sized businesses may therefore have to retain a professional penetration testing firm to satisfy these requirements, increasing their costs and taking up valuable resources.

Although potentially disruptive for merchants, the goal of the PCI 3.0 update is to eliminate ambiguity about penetration testing and increase levels of compliance, ultimately creating a more secure environment for cardholder data.

Reducing PCI 3.0 penetration testing requirements

The AllSecure team has been working hard on incorporating the new payment security standard, and has developed an elegant solution that reduces SAQ requirements for merchants using our widget based payment page integration, SecurePay.

By reducing SAQ requirements, our solution further reduces the burden for merchants. Those merchants who are using SecurePay and qualify for SAQ A will also avoid the need for rigorous penetration testing that accompanies SAQ A-EP.

It’s worth noting that although PCI 3.0 will take effect in January 2015, organizations do have until July 15 2015 to comply with the penetration testing requirements. This is good news for merchants, who have some time to investigate how their payment providers will handle the changes to SAQ and penetration testing.

The good news for AllSecure’s clients is that all the necessary updates are handled behind the scenes, without the need for integration or configuration changes on the merchant side.