Effective July 1, 2015, businesses validating their compliance via PCI SAQ version C are required to undergo a penetration test for the very first time. Brick-and-mortar merchants with payment applications connected to the Internet (but that do not electronically store cardholder data) are subject to SAQ C.
This new requirement can be a tough pill to swallow for the typical organization watching every dollar, not to mention one that has no experience with having a penetration test performed or may not even know what a pen test actually is (and is not).
Why Penetration Tests Exist
Day in and day out, hackers are leveraging the Internet to actively attack businesses’ IT networks. Their goal is to access sensitive customer data, such as personally identifiable information (PII) and cardholder data (CHD). If a business effectively segments its environments where this sensitive data is transmitted, processed and/or stored, then the hacker cannot get in to steal it.
A professional penetration tester thinks and works like a hacker, utilizing a combination of manual and automated techniques in an attempt to get past the network’s security controls. They use the same tools and methods that real hackers use. Among other things, the results of a pen test exercise will show whether the business’s IT network is properly segmented to isolate sensitive data.
The Small Business Struggle
Payments industry stakeholders know that the businesses completing SAQ C are typically mom-and-pop retailers, healthcare providers (such as dentist and doctor offices), and small companies that only have one location. They also know that these types of businesses don’t often have money set aside for advanced security testing.
Don’t be misled. In many cases, a full penetration test may not be necessary to meet the requirements in PCI SAQ version C. What’s necessary is to demonstrate that your network is properly segmented so that a hacker cannot get to your sensitive data.
Cost-Effective Segmentation Validation
Small businesses often only have one or two public IP addresses, so a network segmentation validation test can provide a cost-effective alternative to meeting the goals of a penetration test for merchants complying with PCI SAQ version C. A segmentation validation test is certainly not an equal substitute for an actual penetration test, but for small merchants with a simple network, this type of test can serve as a feasible alternative.
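As an added example of what a segmentation validation check looks like in practice (example code written for this page, not the article's own method or any assessor's tool), the script below evaluates a first-match firewall policy and reports every rule that lets an out-of-scope segment (guest Wi-Fi, back office) reach the cardholder data environment. The addresses, rule set and segment names are constructed samples, and the `Rule` and `decide` names are this example's own; a real validation would additionally confirm the result on the live network rather than from the policy alone.

```python
"""Added segmentation validation helper (example code, not from the article).
It evaluates a first-match firewall policy to find any path that lets an
out-of-scope segment reach the cardholder data environment (CDE).
All addresses and rules below are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    src: str                    # CIDR source block
    dst: str                    # CIDR destination block
    ports: Optional[Set[int]]   # None means any TCP port
    action: str                 # "allow" or "deny"


# Constructed sample environment (hypothetical addresses).
CDE = [ipaddress.ip_network("10.10.20.0/24")]            # POS / payment segment
OUT_OF_SCOPE = [ipaddress.ip_network("10.10.30.0/24"),   # guest Wi-Fi
                ipaddress.ip_network("10.10.40.0/24")]   # back office

# Constructed sample policy, evaluated top to bottom, first match wins.
POLICY = [
    Rule("10.10.40.5/32", "10.10.20.0/24", {22}, "allow"),   # admin jump host
    Rule("10.10.30.0/24", "10.10.20.0/24", None, "deny"),    # guest Wi-Fi blocked
    Rule("10.10.40.0/24", "10.10.20.0/24", {445}, "allow"),  # stale file-share rule
    Rule("10.10.0.0/16", "10.10.0.0/16", None, "deny"),      # catch-all deny
]

DEFAULT_PROBE_PORT = 443  # representative port when a rule allows any port


def decide(policy: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Return the action of the first rule matching the flow; default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (rule.ports is None or port in rule.ports)):
            return rule.action
    return "deny"


def _sample_host(a, b):
    """Pick one address inside the overlap of two CIDR blocks.
    Overlapping CIDR blocks always nest, so the smaller one is the overlap."""
    overlap = a if a.subnet_of(b) else b
    return overlap[1] if overlap.num_addresses > 1 else overlap[0]


def find_exposures(policy, out_of_scope, cde):
    """List (rule_index, src, dst, port) for every allow rule that lets an
    out-of-scope address into the CDE, confirmed against first-match order
    so that a rule shadowed by an earlier deny is not reported."""
    findings = []
    for idx, rule in enumerate(policy):
        if rule.action != "allow":
            continue
        rsrc = ipaddress.ip_network(rule.src)
        rdst = ipaddress.ip_network(rule.dst)
        for oos in out_of_scope:
            if not rsrc.overlaps(oos):
                continue
            for c in cde:
                if not rdst.overlaps(c):
                    continue
                src = _sample_host(rsrc, oos)
                dst = _sample_host(rdst, c)
                probe_ports = sorted(rule.ports) if rule.ports else [DEFAULT_PROBE_PORT]
                for port in probe_ports:
                    if decide(policy, str(src), str(dst), port) == "allow":
                        findings.append((idx, str(src), str(dst), port))
    return findings


if __name__ == "__main__":
    for idx, src, dst, port in find_exposures(POLICY, OUT_OF_SCOPE, CDE):
        print(f"rule {idx}: {src} -> {dst}:{port} reaches the CDE; justify or remove")
```

Run against the sample policy, the check flags two paths: the admin jump host's SSH access (which an assessor would expect the merchant to document, or to bring the host into scope) and a leftover SMB rule from the back office that should simply be removed. The guest Wi-Fi segment produces no finding because its deny rule sits above the catch-all.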