PCI DSS penetration testing

complying with payment card data security standards

The security of cardholder data is vital for many organisations. PCI DSS (Payment Card Industry Data Security Standard) compliance requires that penetration testing is performed at least annually, and after any significant change to the infrastructure, applications or systems that store, process or transmit cardholder data. Both external and internal penetration testing are required, and where network segmentation is used to reduce the scope of the assessment, the effectiveness of that segmentation must also be tested at least annually (every six months for service providers).

The goals of penetration testing in relation to PCI DSS are:

  1. To determine whether, and how, a malicious user could gain unauthorised access to assets that affect the fundamental security of the system, its files and logs, and/or cardholder data.
  2. To confirm that the applicable PCI DSS controls are in place and effective, including the defined scope, vulnerability management, the testing methodology and any network segmentation used to isolate the cardholder data environment.

As with all PCI DSS engagements, the scope of testing is defined by your organisation and validated by your PCI Qualified Security Assessor (QSA). Pentest tests against that agreed scope and provides its findings as input to the assessment process. If required, our sister company, Xcina Consulting, can provide a full range of PCI DSS services and is an accredited PCI QSA firm.

the benefits of penetration testing as part of PCI DSS compliance 

uncover vulnerabilities & prioritise improvement efforts

Penetration testing allows you to identify and classify your most critical vulnerabilities, and provides practical remediation advice for each. This gives you the information you need to make informed decisions about your security, to prioritise improvement efforts effectively and to reduce the overall likelihood of compromise.

protect your reputation

A breach of cardholder data can lead to financial, operational and reputational damage for your organisation. Regular testing helps you find and fix weaknesses before an attacker does, protecting you from potentially damaging cyber-attacks.

gain security buy-in

Obtaining budget for security improvements can be difficult. Our penetration testing gives you a clear, evidence-based picture of your current security posture, providing the support you need to gain all-important buy-in from stakeholders.

our approach

Every PCI DSS penetration test goes through a rigorous process, ensuring that you get the best possible outcome and that the testing satisfies PCI DSS requirements. Below we outline the key stages our penetration testing goes through:


1. scoping

We work with you to fully understand your organisation, the threats and vulnerabilities you have encountered in the past, the types of testing to be performed, your cardholder data environment (CDE) and any connected systems that could affect the security of the CDE.

2. proposal & prerequisites

A proposal will be drawn up outlining the planned scope of work, the agreed rules of engagement and any preparations needed before testing can start.

3. testing

Testing commences once the proposal has been agreed and signed authorisation to test has been received.

4. ongoing communication

Our consultants will communicate with you throughout the test, at the frequency and in the format you require, and will escalate any critical finding as soon as it is confirmed.

5. reporting

A comprehensive, quality assured report of test findings, and associated remediation advice, will be delivered.

6. post-test support

Our consultants will be available after the test to offer advice and guidance on any aspect of the report, as well as on your remediation efforts.

7. retest

We will conduct a retest once remediation is complete, confirming that the vulnerabilities found during testing have been successfully mitigated.

why choose us

experience and expertise

Our team of security consultants have years of experience in information security testing, hold numerous industry qualifications and have worked with many organisations to provide penetration testing as part of their PCI DSS compliance process.

part of Shearwater Group plc

As part of Shearwater Group plc, we can offer a wide range of additional services around PCI DSS compliance. Xcina Consulting, our sister company, is a PCI Qualified Security Assessor (QSA) firm and its PCI practitioners are PCI DSS QSA accredited. Their services include PCI gap analysis, remediation and compensating controls, guidance on completing Self-Assessment Questionnaires (SAQs) and Attestations of Compliance (AOCs), as well as full Reports on Compliance (ROCs) and sign-off.

post-test support

Our consultants will be available after the test report has been delivered, to offer guidance on any aspect of the report and to support your remediation efforts.

dedicated account management

Every client is appointed a dedicated account manager to oversee the testing process and we work with all relevant stakeholders to ensure that the best possible outcome is achieved.

contact us

Want to find out more about our PCI DSS penetration testing services? Our team are on hand to provide you with the information and support you need. Fill out the form below and one of our team will be in touch shortly.