Watch Derek Rush, Managing Senior Consultant II at Bishop Fox demystifying the intricacies of proper penetration testing for the Payment Card Industry Data Security Standard (PCI DSS). With extensive experience as both a security consultant performing penetration testing and a Qualified Security Assessor, Derek has firsthand insight into the challenges and opportunities organizations face in achieving PCI DSS compliance. 

This session provides an in-depth exploration of how comprehensive penetration testing services, including application, network, social, and cloud penetration testing can serve as pivotal tools in not only meeting the mandatory requirements of the PCI DSS, including the Self-Assessment Questionnaire (SAQ) and Report on Compliance (ROC), but also in adhering to its non-mandatory guidance recommendations.

Ideal for IT and cybersecurity professionals alike, this session promises to be an indispensable resource for anyone interested in strengthening their defenses for their segmented networks, such as cardholder data environments, by leveraging penetration testing against the evolving landscape of cyber threats.

Session Summary

In this comprehensive session, a former Qualified Security Assessor (QSA) draws from a decade of penetration testing experience to reveal how organizations can extract maximum security value from PCI DSS-required penetration testing. The presenter highlights the critical disconnect between minimum compliance requirements and industry best practices, explaining that while the PCI DSS standard mandates penetration testing, the supplementary guidance documents provide the detailed framework needed to conduct truly effective assessments.

The session methodically analyzes each testing component required by PCI DSS, including external, internal, segmentation, and application testing, highlighting how organizations can expand their scope beyond the bare minimum to reflect real-world attack scenarios. Through public breach case studies involving Target, Home Depot, and Equifax, the presenter demonstrates how threat actors consistently exploit indirect paths to cardholder data—compromising third-party vendors, leveraging pre-owned credentials, and moving laterally through networks. These examples reinforce why effective penetration testing must include elements often overlooked in compliance-focused assessments, such as social engineering, testing from multiple network segments, and evaluating all segmentation controls beyond simple firewall rules.

The most compelling insights come from consulting case studies demonstrating how attackers bypass traditional security boundaries to access cardholder data environments (CDEs). These examples illustrate how systems management tools, vulnerability scanners, authentication inconsistencies, and other indirect attack paths can provide access to cardholder data without directly attacking in-scope systems. The presenter argues that organizations focusing solely on direct attacks against their CDE miss the most likely compromise scenarios, emphasizing that PCI compliance should be viewed as a foundation for security rather than its ultimate goal. The session concludes with practical advice on selecting qualified vendors, avoiding common testing pitfalls, and ensuring assessments will satisfy QSA requirements while providing meaningful security insights.

Key Takeaways

1. Follow guidance, not just requirements - The PCI DSS requirements provide baseline expectations, but the supplementary guidance documents offer crucial details on conducting truly effective penetration testing that addresses real-world threats.
2. Test from multiple perspectives - Effective penetration testing should evaluate security from various vantage points, including different network segments, user roles, and tenant environments to identify potential lateral movement opportunities.
3. Include social engineering - Despite being a primary attack vector in major breaches, social engineering is often omitted from PCI testing. Organizations should incorporate phishing and other social engineering techniques to evaluate both technical controls and user awareness.
4. Assess all segmentation methods - Organizations typically use multiple controls beyond firewalls to segment environments, including authentication mechanisms, jump hosts, and network design. Testing should evaluate all these controls rather than focusing solely on network-level segmentation.
5. Examine indirect attack paths - Systems management tools, vulnerability scanners, shared services, and inconsistent MFA implementation often provide attackers with indirect routes to cardholder data. Testing should encompass these paths rather than focusing exclusively on direct attacks.
6. Temporarily exempt testing from security controls - Allow penetration testers to bypass preventative controls like web application firewalls during testing to assess the actual security of underlying systems rather than the effectiveness of protection technologies.