Regulatory Compliance in Healthcare Organizations

Tuesday, May 15, 2018, 6:00 AM

Financial institutions that process payments must protect cardholder data, as required by the Payment Card Industry Data Security Standard (PCI DSS).

Although the industry has numerous prescriptive elements, companies are often confused by the penetration testing requirements.

Organizations must therefore establish penetration testing methods that ensure cardholder data is protected.

PCI DSS Penetration Testing

  • Primary elements of penetration testing

    There are three common types of PCI DSS penetration testing. In a black-box assessment, the tester is given no information before the test starts. White-box assessments provide the penetration testers with application and network details. Grey-box assessments, on the other hand, give testers partial information about the target systems.

    Grey-box and white-box assessments give organizations better insight. The information the organization makes available streamlines the procedure, so it costs less and needs less time and fewer resources.

  • How penetration tests differ from vulnerability scans

    A vulnerability scan, as the name suggests, seeks to identify and classify threats to a system. In the past, companies conducted vulnerability scans quarterly, or whenever major changes had been made to the data environment.

    Today, penetration testing is conducted periodically to identify and neutralize weaknesses in security controls. Simply put, the procedure should be a purposeful attempt to hack into a system.

    Vulnerability scanning, on the other hand, examines an ecosystem for potential threats. This deliberate process is manual and takes more time, but it is a comprehensive examination that yields more results. It should be done annually rather than quarterly.

  • How companies define the scope of the cardholder data environment (CDE)

    PCI's official definition of the CDE is "the people, process, and technology that store, process, or transmit cardholder or sensitive authentication data." An organization's first step in penetration testing should be defining the scope for compliance with PCI regulation.

    In doing so, organizations should consider the following guidance for each aspect of the CDE.

    Firstly, payment processing companies should consider access from public networks, especially where that access is restricted to specific IP addresses.

    Secondly, they need to investigate how people access information via internal critical systems.

    Network assessment systems and their applications should make up the bulk of testing. To guarantee there is no cross-contamination, companies that have segmented their data should also test the systems outside the CDE. This segmentation ensures that information is kept separate.

    Finally, controls must be in place to keep cardholder data safe before systems and networks can be deemed out of scope. This safety must exist in practice and not just on paper.

  • Defining a “critical system”

    PCI DSS labels as critical any system involved in protecting or processing cardholder data. Examples are public-facing devices, security systems and any other components that track, transmit or process cardholder data. Therefore, e-commerce redirection servers, authentication systems, and intrusion detection and prevention systems are all critical, as are all processes that support and manage the CDE.

  • Differences between network layer testing and application layer testing

    Recently, malicious actors have capitalized on vulnerabilities in the application layer of systems. The companies targeted were those using mobile applications, third-party software, legacy applications, and internally developed software. Testing the application layer is therefore imperative for finding software weaknesses.

    Network-layer testing, by contrast, focuses on the devices in a company's ecosystem: it looks for weaknesses in routers, firewalls, servers and switches. Typical findings are default passwords, unpatched systems and misconfigured devices.

  • What are the PCI DSS requirements for network-layer and application-layer tests?

    Under the PCI DSS penetration testing standards, organizations must test web application authentication, PA-DSS compliance and a separate testing environment.

    Companies must re-evaluate employees' access rights and roles to ensure proper authentication. Customers must only be able to access their own data. Both cardholder (client) controls and workforce user controls must be tested.

    Web applications present a different challenge. Some companies use web-mail, document-sharing tools and other applications that are not suited to their objectives. Rather than an application-layer test, organizations should emphasize analyzing the network layer to guarantee proper configuration, implementation and maintenance.

    Finally, penetration testing usually interrupts normal processes. To avoid disruption and keep processes running at proper speed, organizations must test in real-life environments.

  • Defining a “significant change”

    The risk assessment defines what counts as a significant change, after which additional testing is required. While there is no precise definition, it is up to the company to determine when upgrades are needed. Where risks to the CDE are significant, penetration testing should be done.

  • How automating compliance eases the burden of penetration testing

    Organizations can use software like ZenGRC to obtain easy-to-read results. Our PCI DSS compliance dashboard lets organizations check their health status quickly while listing the organization's threats.

Today, a company's insight is limited to the moment the scan was conducted. It is important to have software that continually upgrades its capabilities so that companies can respond better to threats.

Author Bio

Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at
