PCI DSS Compliance is driving about 35% of all penetration tests, according to a Rapid7 Metasploit User Survey with more than 2,200 respondents earlier this year. With the changes introduced in PCI DSS version 3.0, penetration tests will become more complex and longer in duration, and more companies will feel the need to run penetration tests in the first place. Given that it takes a lot of time and money to train new penetration testers, this will cause consultants to book out early, and probably even increase prices per day.
PCI v3.0 changes will increase the demand for and duration of penetration tests
Requirement 11.3 demands that companies develop and stick to a penetration testing methodology, citing NIST SP 800-115 as an example. This new requirement has two knock-on effects:
- It increases the documentation required to pass the pentest. Writing reports already takes about 30% of a consultant's time. Even if consulting companies have template penetration testing methodologies, these will have to be discussed with clients and potentially adopted, both of which cost additional time.
- While penetration testing has always been required by PCI DSS, version 2.0 did not define what a penetration test is. As a result, some companies, especially those using self-assessment questionnaires, simply submitted vulnerability scans or even an nmap scan and ticked the compliance box. With PCI DSS 3.0, this is no longer possible since a penetration test is much more clearly defined, specifically including exploitation as one of the techniques.
Requirement 11.3.3 calls for remediating all exploitable vulnerabilities and then retesting them. This has two levels of impact:
- I have talked to many security consultants over the years who have been frustrated that some customers never address the holes they point out, leaving the consultant to the futile exercise of copying and pasting last year's report. This will no longer fly this year, since you are required to remediate all exploitable vulnerabilities.
- In the case that you find exploitable vulnerabilities, you will have to retest these vulnerabilities. This may involve your booking a second round of security consultants.
Requirement 11.3.4 asks companies to carry out active tests to ensure that network segmentation is operational and effective. This is a new requirement that needs to be covered as a standard part of the penetration test. This will also extend the duration of the penetration test.
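An active segmentation test in practice means running probes from a segment that is supposed to be isolated from the Cardholder Data Environment (CDE) and confirming that the controls actually block the paths the policy says they block. The script below is an added example, not Rapid7's code or a tool the post refers to: it encodes the expected segmentation policy as rules, probes each rule that applies to the zone it is run from, and reports every observation that contradicts the policy. The zone names and hostnames (`corp-office`, `cde-db.example.test`, and so on) are constructed placeholders, and the reachability table stands in for a live run so the logic can be exercised offline.

```python
"""Segmentation validation check (added example, not Rapid7 code).

Run from an out-of-scope segment, it tries the paths the policy says must
be blocked and flags any that are reachable. A reachable-but-should-be-
blocked result is the finding that fails the segmentation test; a blocked-
but-should-be-reachable result is an over-broad control worth a look.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SegmentationRule:
    source_zone: str        # zone the probe must be run from for this rule to apply
    dest_host: str          # CDE host under test
    dest_port: int          # service port under test
    expect_reachable: bool  # False: segmentation must block this path


Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live probe: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_from_table(table: Dict[Tuple[str, int], bool]) -> Probe:
    """Offline probe built from a constructed reachability table; any
    (host, port) not listed is treated as unreachable."""
    return lambda host, port: table.get((host, port), False)


def check_segmentation(rules: List[SegmentationRule], running_from_zone: str,
                       probe: Probe = tcp_probe) -> List[Tuple[SegmentationRule, bool]]:
    """Evaluate every rule for the zone we are running from and return
    (rule, observed_reachable) for each one whose result contradicts the policy."""
    violations = []
    for rule in rules:
        if rule.source_zone != running_from_zone:
            continue  # a probe can only speak for the zone it is launched from
        observed = probe(rule.dest_host, rule.dest_port)
        if observed != rule.expect_reachable:
            violations.append((rule, observed))
    return violations


def segmentation_failures(violations) -> List[SegmentationRule]:
    """The findings that fail the test: a path that must be blocked was reachable."""
    return [rule for rule, observed in violations if observed and not rule.expect_reachable]


def format_report(violations) -> str:
    lines = []
    for rule, observed in violations:
        kind = "SEGMENTATION FAILURE" if observed else "UNEXPECTED BLOCK"
        expected = "reachable" if rule.expect_reachable else "blocked"
        lines.append(f"{kind}: {rule.source_zone} -> {rule.dest_host}:{rule.dest_port} "
                     f"(policy: {expected})")
    return "\n".join(lines) if lines else "All segmentation rules hold."


# Constructed policy: zone names and hostnames are placeholders, not a real environment.
CONSTRUCTED_RULES = [
    SegmentationRule("corp-office", "cde-db.example.test", 1433, expect_reachable=False),
    SegmentationRule("corp-office", "cde-app.example.test", 443, expect_reachable=False),
    SegmentationRule("corp-office", "cde-bastion.example.test", 22, expect_reachable=True),
    SegmentationRule("guest-wifi", "cde-db.example.test", 1433, expect_reachable=False),
    SegmentationRule("pci-jumphost", "cde-db.example.test", 1433, expect_reachable=True),
]

# Constructed observations standing in for a live run from "corp-office":
# the database port is reachable when it must not be, the app tier is
# correctly blocked, and the bastion (not listed) is unexpectedly unreachable.
CONSTRUCTED_REACHABILITY = {
    ("cde-db.example.test", 1433): True,
    ("cde-app.example.test", 443): False,
}

if __name__ == "__main__":
    results = check_segmentation(CONSTRUCTED_RULES, "corp-office",
                                 probe_from_table(CONSTRUCTED_REACHABILITY))
    print(format_report(results))
```

In a real engagement the script is run once per out-of-scope zone with the default `tcp_probe`, and the rule set is the segmentation policy agreed in the Statement of Work, so the output maps directly onto the evidence the assessor asks for under 11.3.4.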
Penetration Testers will book out early - and hourly rates will go up
As a result of more people needing penetration tests and the penetration tests being longer in duration, prices may also increase as a function of increased demand. The supply of penetration testing services is inelastic, meaning it is hard to increase the supply of penetration testing services because it is hard to train new staff in penetration testing skills. As a result, penetration testing companies will increase their hourly rate as they start to get more and more booked out during the year, charging a premium for rising demand and to compensate for overtime payments, sacrificed vacations and weekend work.
Seven Tips for Booking Your PCI 3.0 Penetration Testing Services
- Book penetration testing services early and reserve your slots. You will save on the hourly rate and secure a slot to complete your audit on time.
- In the Statement of Work, include a clause that the security consultant will use a penetration testing methodology that is accepted under PCI DSS v.3.0 and that the consultant will include this methodology in their final report.
- Make space in your project plan and budget for remediation and a second round of penetration testing.
- Don't forget to book the second slot with the security consultant so that you have a time locked in to pass your audit on time.
- Ensure that network segmentation testing is covered as one of the actions in the Statement of Work.
- Pad your budget for increases in hourly rate and duration of penetration testing services for PCI DSS. Needs may vary depending on how early you book, how in-depth your previous year's penetration test was, and how much you have to remediate after the penetration test. As a rough estimate, a 30% increase will probably cover your increased spending.
- If you have the resources in-house, consider moving penetration tests in-house. For PCI, the resource needs to be qualified and independent from the people who are responsible for the security of the Cardholder Data Environment (CDE).
How Rapid7 can help
- Rapid7 Professional Services offers penetration testing services and is an Approved Scanning Vendor (ASV)
- Metasploit Pro makes it feasible and more efficient to take your penetration testing in-house
- Rapid7 Nexpose is an approved solution for internal vulnerability scanning
Learn more about Rapid7's solutions for PCI DSS.
If you'd like to start a conversation, contact Rapid7. For more information about the new penetration testing requirements for PCI 3.0, view our free on-demand webcast “Implementing New Penetration Testing Requirements for PCI DSS 3.0”.