Any organization that processes, stores, or transmits payment card data has to comply with the Payment Card Industry Data Security Standards (or PCI DSS). Whether you’re a mom-and-pop soda shop or a retail Goliath, you have to abide by this set of industry-created and industry-maintained data security guidelines.

For every organization subject to PCI DSS, that means annual compliance demonstration and regular security tests – sometimes self-administered and sometimes conducted by a third-party organization in a PCI compliance audit. One of these important tests is called a “penetration test,” and it offers some useful insight into how and why PCI DSS works.

How a Penetration Test Works

What is a penetration test?

On one level, it’s a network attack like any other, but this “attack” is conducted by you or a third-party security partner in an attempt to expose potential vulnerabilities before a real intruder finds them. Make no mistake: it’s a full-fledged attempt to break into your systems and reach cardholder data. At its most effective, a penetration test simulates a range of attacks, from malicious software to social engineering, and documents where your defenses held and where they gave way.

PCI DSS requires that one of these tests be conducted annually. It doesn’t have to be done by a third party, but most organizations find that they want to use a partner. A partner can provide an objective view, unbiased by prior knowledge of your environment, and can bring specialized expertise in the most common attack techniques, reproducing the same activities that real attackers would and giving you the most relevant picture of your exposure. Because they don’t start with detailed knowledge of your particular network, including its specific strengths and weaknesses, they bring an authentic intruder’s perspective.

Why You Need an Authentic Intruder’s Perspective

An authentic intruder’s perspective is essential. A penetration test isn’t just kicking the tires of your system; it’s taking it out for a drive and making sure it holds up to the rigors of the road, including the treacherous curves of real intruders and real malware. In the past, some businesses in do-it-yourself mode downloaded sketchy and unreliable “penetration test tools” from the internet to satisfy this PCI DSS requirement.

But the most recent version of the standard clarifies that the test has to be conducted according to generally accepted methodologies. You can still conduct the test yourself using more widely respected software and processes, but many organizations seek out third-party security experts for the comprehensiveness and confidence they provide.

Here’s why: there’s no point in conducting a penetration test if you’re not going to take it seriously. The same is true of network security in general: it needs to be part of a robust, ongoing effort to protect your business and your customers’ data. When conducted seriously and regularly, these tests help safeguard your customers, your sensitive data, and your business going forward.

LBMC Information Security reviews compliance efforts, conducts testing to verify compliance, and can help your team develop an action plan to remediate compliance gaps. If you have questions, please contact us.