For any business that handles credit card data, penetration testing has been a requirement since 2013. That’s when the Payment Card Industry Security Standards Council (PCI SSC) updated its compliance regulations to reflect the real and growing risk hackers pose to the trustworthiness of the credit card industry. Version 3.0 of the council’s Payment Card Industry Data Security Standard (PCI DSS) beefed up the pen testing requirements merchants must meet – regardless of any other industry standards they’re following.
You can be 100 percent in compliance with your industry regulations, including ISO 27001, NIST, FISMA, HIPAA, Sarbanes-Oxley and even PCI DSS; however, that doesn’t mean you’re ready to withstand a skilled human threat. Compliance does not equal defense, especially if compliance is viewed as a box to be checked once and then forgotten.
Unfortunately, some of the highest profile breaches of the last several years could have been avoided through regularly scheduled pen testing conducted with industry-accepted methodology. Think of Target’s $200 million in credit card fraud and replacement costs in 2013. Or Home Depot’s $80 million loss in insurance reimbursements after it lost control of 56 million credit card accounts in 2014. The numbers are even more dire for smaller merchants. Shockingly, sixty percent of small businesses that suffer significant cyberattacks close within six months of a breach.
The great military strategist Sun Tzu said, “Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.” Winning first in IT security starts with identifying your weaknesses, figuring out how to exploit them and then using that experience to strengthen your defenses.
Vulnerability assessments are the first step. From there, a skilled managed security services provider can help you prioritize the findings and determine which need to be explored through pen testing. If the ethical hackers who perform your pen test manage to breach your security systems, you’ll learn what you need to do next to protect your most critical systems – and your customers’ credit card data.
Ready to learn more about pen testing and compliance? Download our free e-book, “Pen Testing: Thinking Like Your Enemy Yields World Class Security.”