There’s a lot of truth to the old adage, “if you want it done right, do it yourself.” However, when it comes to testing your PCI 3.0 compliance efforts, it’s best to put your trust in an unbiased third party. The security of your data and the success of your audit might just depend on it. Having recently attained our own PCI 3.0 certification, we have been in your shoes.
Let’s say your team has carefully gone through the steps of defining your Cardholder Data Environment (CDE), limiting your scope with network segmentation methods and mapping the flow of data through your systems. You’ve made your inventory, identified all people, processes and technologies that interact with your data, and now you’re ready to validate your work. First you run credit card searches to make sure your data is where your diagrams say it is. Finally you decide it’s time for your pen test.
As I’m sure you know, pen tests will unearth vulnerabilities at the network and application layers. If you’ve used segmentation methods to reduce the scope of your environment, the pen test will tell you whether your segmentation methodology really is working properly. Obviously it’s an important element in compliance work, but this time it’s especially critical, as PCI 3.0 regulations focus quite a bit on pen testing.
Remember, PCI DSS previously received feedback from auditors and organizations asking for clarity and guidance on many of the requirements. Pen testing is one of the areas that’s been clarified, which is a good thing – but it does mean that you’ll need to be sure your methodology matches PCI requirements. Whether you conduct your own pen test or use the services of a third-party vendor, the methodology in question must satisfy PCI.
But here’s an important point many organizations miss: while it’s certainly possible to run your own internal tests, it’s nearly impossible to get an objective assessment unless you turn over testing to a third party. Sure, there’s a time and place for internal tests. But it’s the law of human nature to be biased when it comes to familiar ground. Someone might fail to pay careful attention to a system or investigate a negative finding because they’re sure they already know the backstory. Can an internal team completely independent from operations help? Somewhat, but they could still be swayed by information they’ve picked up from associates.
So here’s the inevitable conclusion: the most thorough and accurate pen test is one conducted by a third party. No, it’s not a PCI requirement, but it is a best practice. Outsiders won’t be biased by what they’ve heard in the company cafeteria, and since they don’t work for you, they won’t be influenced by internal politics. Because they won’t know your history with specific networks and systems, they’ll go into the pen test with no expectations. This is exactly the kind of fresh slate you want for an effective and accurate evaluation.
After having a reputable and experienced third party conduct your pen test, you’ll want to review the results internally and with the test provider. Develop remediation strategies and implement controls to address any weaknesses, and then re-test. It goes without saying that this isn’t something your team should leave until the last minute; you want to get started well before your audit so you have ample time to address any findings.
When it comes to compliance, every organization wants to be as prepared as possible. Often our first inclination is to hunker down, roll up our sleeves and do all of the work ourselves. When it comes to pen testing, though, that’s like the fox guarding the henhouse – so this is one situation where it’s better to sit back and let an outsider take charge.