PCI penetration testing requirements for merchants 2015

By Wolfgang Berner on 5 December 2014 in Market Insights


PCI DSS 3.0 becomes mandatory in January 2015, when version 2.0 is retired. From then on every entity in the payment chain that stores, processes or transmits cardholder data is assessed against the updated requirements and security assessment procedures, including the revised penetration testing requirement (Requirement 11.3).

In a recent blog post we outlined how PCI DSS 3.0 will impact merchants using widget based payment pages. Under the new requirements, many merchants who were previously eligible for the reduced SAQ A (Self-Assessment Questionnaire) would need to complete an extended SAQ A-EP, with around 140 questions (as opposed to the 14 included in the basic SAQ A).

The extended SAQ A-EP also demands a more rigorous approach to penetration testing on the merchant side. Penetration testing is commonplace among payment providers, but for merchants the implication is a clear increase in the resources needed to achieve and maintain PCI compliance.

What is PCI penetration testing and why is it necessary?

PCI penetration testing is carried out to determine whether weaknesses or vulnerabilities in the cardholder data environment could be exploited by an attacker. External tests are run from the internet, from the position of an anonymous outside attacker; internal tests are run from inside the network, so that the perimeter firewall no longer filters the traffic and a wider range of attacks can be tried against the systems reachable from the inside. For the application layer, the OWASP Top 10, which lists the most critical web application security risks, is the awareness document that guides testing procedures across the industry and is among the sources PCI DSS points to for secure coding practices (Requirement 6.5).

Requirement 11.3 of PCI DSS 3.0 calls for a documented penetration testing methodology that is based on industry-accepted approaches, with NIST SP 800-115 cited as the example. The methodology must cover the entire perimeter of the cardholder data environment and its critical systems, must include tests at both the application layer and the network layer, must be performed from both inside and outside the network, and must validate any segmentation controls used to reduce scope. Any exploitable vulnerabilities that are found must be corrected and the test repeated to verify the correction (11.3.3).

Regular PCI penetration testing is part of PAY.ON's commitment to the PCI Security Standards Council and is necessary to maintain ongoing PCI DSS Level 1 compliance. These tests would be carried out regardless of external requirements, so that our clients always benefit from the highest level of payment security.

PCI penetration and security testing processes evolve continuously, adapting to the changing threat and risk landscape and to the ongoing development of the payment platform we operate for our clients. Some parts of PAY.ON's security testing, such as automated scans against the OWASP Top 10 categories, are fully integrated into the deployment process. Automated scanning complements the manual tests but does not replace them: Requirement 11.3 expects a penetration test, which the standard explicitly distinguishes from the vulnerability scans of Requirement 11.2.

PCI penetration testing requirements for merchants under PCI DSS 3.0

Previously, merchants who fully outsourced payment processing to a payment service provider effectively outsourced their penetration testing obligations along with it. Under PCI DSS 3.0, however, merchants using widget based payment pages may qualify only for the extended SAQ A-EP. This means performing penetration tests that meet the criteria of Requirement 11.3 and providing evidence of them.

For merchants who fall under SAQ A-EP, penetration testing must be performed at least annually and after any significant change to the infrastructure or application (the standard gives an operating system upgrade, a new sub-network or a new web server as examples). Testers must be organizationally independent of those who implement and maintain the security controls. They do not need to be a QSA or ASV, and a qualified internal resource is acceptable, but small and medium-sized businesses rarely have one and may therefore have to retain a professional penetration testing firm, increasing their costs and taking up valuable resources.

Although potentially disruptive for merchants, the goal of the PCI 3.0 update is to eliminate ambiguity about penetration testing and increase levels of compliance, ultimately creating a more secure environment for cardholder data.

Reducing PCI 3.0 penetration testing requirements

The PAY.ON team has been working hard on incorporating the new payment security standard, and has developed an elegant solution that reduces SAQ requirements for merchants using PAY.ON’s widget based payment page integration, COPYandPAY.

By reducing SAQ requirements, PAY.ON's solution further reduces the burden on merchants. Merchants who use COPYandPAY and qualify for SAQ A also avoid the rigorous penetration testing that accompanies SAQ A-EP.

It's worth noting that although PCI DSS 3.0 becomes mandatory in January 2015, the updated penetration testing methodology in Requirement 11.3 is a best practice until 30 June 2015 and only becomes a requirement on 1 July 2015. This is good news for merchants, who have some time to investigate how their payment providers will handle the changes to SAQ eligibility and penetration testing.

The good news for PAY.ON's clients and their merchants is that all the necessary updates are handled behind the scenes, without integration or configuration changes on the merchant side.

For more information:

Requirements and Security Assessment Procedures: Version 3.0 (PDF)

How do you think the new PCI standard will affect payment providers? Let us know in the comments below.
