Oct 23 2023

Penetration Testing to Ensure PCI Compliance in State and Local Governments

State and local governments that process credit card payments need to know how to conduct a PCI penetration test to remain compliant with the PCI DSS.


For state and local governments that accept credit card payments — and that’s virtually all of them — there is a deadline looming. By March 31, 2024, any organization that takes credit cards will need to comply with the latest version of the Payment Card Industry Data Security Standard, or PCI DSS 4.0.

Under version 4.0, it isn’t enough just to implement the right controls. Within the new standard, “there are requirements to make sure that you’re regularly monitoring them and testing them,” says Mark Manglicmot, senior vice president of security services at cybersecurity company Arctic Wolf Networks.

Routine penetration testing can ensure that government agencies are meeting their obligations under PCI DSS. “The role of penetration testing is to help detect network and application vulnerabilities operating inside the network and to resolve these vulnerabilities,” says Ciske van Oosten, head of global business intelligence at Verizon and lead author of the Verizon 2023 Payment Security Report. “It’s important to test a network regularly.”


What Is PCI Compliance?

In support of secure credit card transactions, “PCI is an industry standard that basically regulates how credit cards are processed and sets forth a standard set of security requirements designed to ensure the protection of sensitive data associated with credit card payments,” says Alan Shark, executive director at the Public Technology Institute, a division of Fusion Learning Partners.

“This becomes particularly important to state and local governments, because government has far more sensitive data than perhaps any business and also accepts credit card payments,” he says. In government, “credit card payments through websites and through other transactions have become quite commonplace. How are we keeping up with it? What are the questions that local governments should be asking?”

By asking the right questions and implementing appropriate controls according to a defined standard, state and local agencies can go a long way toward improving security.

“If you're compliant with PCI, it really does reduce the likelihood of data breaches and the reputational damage associated with that,” says Kayne McGladrey, IEEE Senior Member and field CISO at compliance management platform Hyperproof.

What Are the 12 PCI DSS Compliance Standards?

The 12 requirements under PCI DSS cover a wide range of technologies, according to Lauren Holloway, director of data security standards at the PCI Security Standards Council. The 12 items require IT teams to install and maintain network security controls, apply secure configurations to all system components and protect stored account data.

PCI DSS looks at the data aspects of credit card handling, an urgent need in the current technology landscape.

“So much data is stored digitally these days. PCI DSS is a recognition that we do have a digital economy at this point and that it’s essential to have controls at the digital level,” McGladrey says.

Government organizations need to protect systems and networks from malicious software; develop and maintain secure systems and software; and identify users and authenticate access to system components, among other things. And they need to “test security of systems and networks regularly,” Holloway says.

The 12 key requirements include 78 base requirements, “as well as over 400 test procedures,” McGladrey says. In particular, PCI DSS testing includes requirements governing penetration testing, as part of an emerging emphasis on long-term security.

“In PCI 4.0, there is a new focus on long-term security processes. PCI used to be perceived as a one-and-done; you'd do it annually. This is much more about maintaining controls during the year,” McGladrey says.


Within that paradigm, PCI penetration testing evaluates the security of the cardholder data environment, as well as networks or systems connected to that environment. Through both automated and manual processes, “testers are looking for hidden vulnerabilities,” Shark says.

McGladrey adds that PCI DSS 4.0 builds upon the best practices established in PCI DSS 3.2.1.

“While internal resources may conduct penetration tests to discover exploitable vulnerabilities and security weaknesses, most organizations will likely hire a qualified penetration tester” to meet the 4.0 requirements, he says. “In both scenarios, organizations must outline, document and put into practice a penetration testing methodology that encompasses both internal and external testing across the complete cardholder data environment, which may also extend to APIs.”

According to the PCI Security Standards Council, the goals of penetration testing are “to determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or cardholder data,” and to confirm “that the applicable controls required by PCI DSS — such as scope, vulnerability management, methodology, and segmentation — are in place.”


The council identifies three types of penetration tests: black-box, white-box and grey-box.

In a black-box assessment, the agency would provide no information before the testing starts. In a white-box assessment, “the entity may provide the penetration tester with full and complete details of the network and applications,” according to the Council. “For grey-box assessments, the entity may provide partial details of the target systems.”

PCI DSS penetration tests typically are either white-box or grey-box assessments. “These types of assessments yield more accurate results and provide a more comprehensive test of the security posture of the environment than a pure black-box assessment,” the Council notes.

Whichever form of assessment one chooses, “PCI penetration testing should be performed annually or when a major change is made in the infrastructure,” PTI’s Shark says.

“The scope of the test should include all systems, networks and applications that are part of or connected to the credit card processing entity. All tests and results or findings — including vulnerabilities, data exposure and system compromises — must be reported,” he says.



How Does Encrypted Data Assist with PCI DSS Compliance?

Encryption encodes human-readable text, “rendering it unreadable by anybody who should not have access to it,” says Arctic Wolf’s Manglicmot. “You want to do that because, if a hack occurs and those other controls break down, the hacker will only get the encoded version of the data and not a human-readable form of it.”

As a rule, encryption is a baseline requirement in PCI DSS.

“The data relevant to payment card information needs to be encrypted,” Manglicmot says. “If they store any of that card data, they need to encrypt it while it's in storage. When payment card data is being transmitted to the payment card company, they absolutely have to make sure that it's encrypted in transit, and they should be making sure that the vendors and partners they use for that have encryption that meets PCI controls.”

These encryption requirements in turn have an impact on the ways in which penetration testing is conducted.

If a tester stores cardholder data obtained during the assessment, for example, “the data must be stored by the tester following the guidelines of the PCI DSS for the storage of account data,” meaning it either must be encrypted using strong cryptography, truncated or not stored at all, according to the PCI Security Standards Council.

Overall, encryption “needs to be in anything that stores or transmits payment card information,” Manglicmot says. “This includes web browsers and storage, if you're storing it on any sort of hard drive or in the cloud. If you have a vendor that is processing that credit information, you need to make sure that you have a reputable one that is in compliance with PCI standards.”

