PCI DSS penetration testing
complying with payment card data security standards
The security of cardholder data is vital for many organisations and PCI DSS (Payment Card Industry Data Security Standard) compliance requires that penetration testing is performed at least annually, or after significant changes are made to the infrastructure, applications or systems that store, process or transmit sensitive cardholder data.
The goals of penetration testing in relation to PCI DSS are:
- To determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or cardholder data.
- To confirm that the applicable controls, such as scope, vulnerability management, methodology, and segmentation, required in PCI DSS are in place.
As with all PCI DSS engagements, the scope of testing will be decided by the PCI Qualified Security Assessor (QSA). Pentest will test against this scope and provide feedback as part of the accreditation process. If required, our sister company, Xcina Consulting, can provide a full range of PCI DSS services and is an accredited PCI QSA firm.
the benefits of penetration testing as part of PCI DSS compliance
Every PCI DSS penetration test goes through a rigorous process, ensuring that you get the best possible outcome and that you are complying with PCI DSS requirements. Below we outline the key stages our penetration testing goes through:
We work with you to fully understand your organisation, the past threats and vulnerabilities encountered, the types of testing to be performed, your cardholder data environment and any associated systems which may affect your CDE.
2. proposal & prerequisites
A proposal will be drawn up outlining the planned scope of work, the set rules of engagement and any preparations needed to allow us to start testing.
Testing commences once the proposal has been agreed and signed authorisation has been granted.
4. ongoing communication
Our consultants will communicate with you throughout the test, according to the requirements you have set.
A comprehensive, quality-assured report of the test findings, together with associated remediation advice, will be delivered.
6. post-test support
Our consultants will be available after the test to offer advice and guidance on any aspect of the report, as well as remediation efforts.
We will conduct a retest once remediation has been completed, ensuring the vulnerabilities found during testing have been successfully mitigated.
why choose us
Want to find out more about our PCI DSS penetration testing services? Our team are on hand to provide you with the information and support you need. Fill out the form below and one of our team will be in touch shortly.