Standard: PCI Data Security Standard (PCI DSS)
Version: 1.1
Date: September 2017
Author: Penetration Test Guidance Special Interest Group, PCI Security Standards Council
Information Supplement: Penetration Testing Guidance

Information Supplement • Penetration Testing Guidance • September 2017

Document Changes

Date            Version  Description                                                         Pages
March 2015      1.0      Initial release                                                     All
September 2017  1.1      A number of clarifications, including:                              Various
                         • Clarified intent of “social engineering” in Terminology.
                         • Clarified guidance on black-box testing.
                         • Restructured Section 2.2 for better flow, and clarified language
                           describing intent of PCI DSS Requirement 11.3.
                         • Expanded guidance related to back-end APIs.
                         • Updated references to PCI SSC resources.
                         • Minor grammatical updates.

The intent of this document is to provide supplemental information. Information provided here does not replace or supersede requirements in any PCI SSC Standard.

Table of Contents

1 Introduction ... 4
  1.1 Objective ... 4
  1.2 Intended Audience ... 4
  1.3 Terminology ... 4
  1.4 Navigating this Document ... 5
2 Penetration Testing Components ... 6
  2.1 How does a penetration test differ from a vulnerability scan? ... 6
  2.2 Scope ... 7
    2.2.1 External Penetration Test ... 8
    2.2.2 Internal Penetration Test ... 8
    2.2.3 Testing Segmentation Controls ... 8
    2.2.4 Critical Systems ... 9
  2.3 Application-Layer and Network-Layer Testing ... 9
    2.3.1 Authentication ... 9
    2.3.2 PA-DSS Compliant Applications ... 9
    2.3.3 Web Applications ... 10
    2.3.4 Separate Testing Environment ... 10
  2.4 Segmentation Checks ... 10
  2.5 Social Engineering ... 11
  2.6 What is considered a “significant change”? ... 11
3 Qualifications of a Penetration Tester ... 12
  3.1 Certifications ... 12
  3.2 Past Experience ... 12
4 Methodology ... 14
  4.1 Pre-Engagement ... 14
    4.1.1 Scoping ... 14
    4.1.2 Documentation ... 14
    4.1.3 Rules of Engagement ... 15
    4.1.4 Third-Party-Hosted / Cloud Environments ... 16
    4.1.5 Success Criteria ... 16
    4.1.6 Review of Past Threats and Vulnerabilities ... 16
    4.1.7 Avoid scan interference on security appliances ... 17
  4.2 Engagement: Penetration Testing ... 17
    4.2.1 Application Layer ... 18
    4.2.2 Network Layer ... 18
    4.2.3 Segmentation ... 19
    4.2.4 What to do when cardholder data is encountered ... 19
    4.2.5 Post-Exploitation ... 19
  4.3 Post-Engagement ... 19
    4.3.1 Remediation Best Practices ... 19
    4.3.2 Retesting Identified Vulnerabilities ... 20
    4.3.3 Cleaning up the Environment ... 20
  4.4 Additional Resources ... 20
5 Reporting and Documentation ... 21
  5.1 Identified Vulnerability Reporting ... 21
    5.1.1 Assigning a Severity Score ... 21
    5.1.2 Industry Standard References ... 22
  5.2 Reporting Guidelines ... 22
    5.2.1 Penetration Test Report Outline ... 22
    5.2.2 Retesting Considerations and Report Outline ... 23
  5.3 Evidence retention ... 24
    5.3.1 What is considered evidence? ... 24
    5.3.2 Retention ... 24
  5.4 Penetration Test Report Evaluation Tool ...