PCI-DSS 3.2 compliance is a requirement for the Payment Card Industry (i.e. credit card processors). However, different rules apply depending on if you are considered a Merchant or a Service Provider.

A PCI Merchant is defined this way:
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

A PCI Service Provider is defined this way:
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.

A company that is BOTH Merchant and Service Provider is defined this way:
Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

Understanding whether or not your company is considered a Service Provider is extremely important. Obviously if you process, store or transmit cardholder data, you fall into the category of Service Provider. Additionally if you provide managed security services such as firewalls to protect and segment a Cardholder Data Environment (CDE) which contains things like Point of Sale systems and other back-office systems, then you are also very likely a Service Provider. Other examples of organizations that fall into this category are hosting companies, co-location providers, back office service companies, and billing account management companies.
So, what does this mean for PCI Service Providers?

Service Providers are required to have an ANNUAL penetration test that “thoroughly addresses the security of the environment”, including a test of the CDE segmentation controls. Six months after the annual penetration test, another penetration test (reduced in scope) must be performed that is solely focused on CDE segmentation controls (i.e. connectivity between in-scope and out-of-scope networks).

The six month clock starts after the initial test is completed.
Remediation of high severity exploitable vulnerabilities should be completed within 60 days in the case of segmentation issues. They must be immediately re-tested when ready.

So, what does this mean for PCI Merchants?

Merchants must understand who their Service Providers are and ensure that they have proper agreements with them. The agreements should call out the specific PCI-DSS requirements that a Service Provider needs to meet (e.g. 11.2, 11.3, 11.3.4.1, etc.).

Organizations that fall into the category of Technology Service Providers are called upon to become SOC 2 compliant. In order to achieve this compliance, they must pass an audit that covers five main security principles (known as the Trust Service Principles – TSP). These are checks against controls that assess security, availability, integrity, confidentiality and privacy.

SOC 2 audits have two main types (SOC 2 Type I and SOC 2 Type II). Roughly speaking, a Type I audit is a documentation and design review, whereas a Type II audit is a test of the effectiveness of the designed controls. Penetration testing would fall into the category of a security controls effectiveness test. But is it required? Technically speaking, there are no specific criteria in SOC 2 that mandates having a penetration test.

However, SOC 2 Common Criteria (Security) CC4.1 (COSO Principle 16) states:

The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

So basically, a penetration test not be required IF the organization can demonstrate that another security assessment of equivalent coverage and thoroughness is done regularly (e.g. HIPAA Security and Privacy Assessments). Additionally, like many standards, interpretation from auditor to auditor can vary. As such, it is quite possible (and in the opinion of CyberHunter, quite likely) that an auditor will feel uncomfortable issuing a SOC 2 report for any organization unwilling to perform a penetration test. Obviously, if this happens you need to find a new auditing company or get the penetration testing done. In either case, we strongly recommend penetration testing as part of this exercise.

What does this mean for Pen Testing Service requirements?

If you do not have an equivalent security assessment (not just a vulnerability scan) being performed regularly, an entity seeking to obtain a SOC 2 report should conduct a penetration test every 6 to 12 months.

Why Penetration Testing as a Service is Important

CyberHunter offers penetration testing as a service for PCI-DSS, HIPAA and SOC 2 Audits. Ultimately, choosing a pen testing provider as a service partner will provide you with such benefits as:

• Tester continuity. We will come to know your environment and specific needs.
• Lower costs for subsequent tests. Familiarity with the environment and applications allow for a more efficient and thorough test at each subsequent point.
• Overall, a pen testing service partner like CyberHunter will provide you with the confidence and expert opinion to help guide you through these processes.