PCI DSS Penetration Testing

Helping you achieve & maintain PCI DSS compliance

Our PCI DSS testing service

The security of cardholder data is vital and if you are an organisation that processes credit card payments, you must comply with the Payment Card Industry Security Standard (PCI DSS). Penetration testing forms a key component of the PCI DSS requirements and where applicable, organisations should be testing their entire Card Data Environment (CDE), the systems that may impact the security of the CDE and any environment in scope on an annual basis, or when significant changes have been made.  

The scope and level of testing required will be determined by your PCI Qualified Security Assessor (QSA) and can include your internal and external infrastructure, applications and segmentation controls. 

The PCI DSS requirements for penetration testing include: 

  • Requirement 11.3.1 – Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment)  
  • Requirement 11.3.2 – Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment) 
  • Requirement 11.3.4 – If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE  

Our PCI DSS penetration testing has been designed to help you meet these requirements, whether you’re a small merchant (Level 4) or process millions of transactions per year (Level 1 & 2). But more than that, our service is here to support your security improvement, your remediation efforts and provide you with the assurance that your information security is as robust as possible. 

Pentest Ltd is not an accrediting body for PCI, this role is performed by a Qualified Security Assessor. However, we work closely with your QSA to confirm the scope of testing and the Cardholder Data Environment under review. The QSA will then use the Pentest report as part of the PCI DSS accreditation process and assist with the Report on Compliance (ROC). 

If you do not currently have a QSA our sister company, Xcina Consulting, can provide a full range of PCI DSS services as an accredited PCI QSA firm, such as gap analysis, Attestations on Compliance (AOC) and full Report on Compliance (ROC). 

PCI DSS - What we test

Our PCI DSS penetration testing service is designed to simulate a real-world attack and will be tailored to your exact needs. While some automated tools may be used, our testers manually, as required by the PCI DSS, investigate the target systems in scope, using their knowledge and expertise to uncover weaknesses which may be linked together in order to further exploit the environment and demonstrate how far they could potentially get within it. This depth of testing is not possible using automated scanners alone. 

The full scope of our testing will be decided by your PCI QSA, but can often include: 

Application Testing (Web & Mobile)

Our application testing service is aligned with industry standards such as OWASP & will look to uncover as many security vulnerabilities as possible within a target application, in the given timeframe. The issues we look for will include: injection vulnerabilities, security configuration & authentication, logic flaws such as access control & broken authorisation, data transfer & storage, as well as testing against OWASP Top 10 vulnerabilities. 

Network Infrastructure Testing

IT network infrastructure is vital to the day-to-day operation of modern business and forms a key component of your CDE. Our network infrastructure testing is designed to investigate your external networks (your publicly facing networks) and/or your internal networks (the servers, devices and software that make up your internal networks), identifying potential security issues and misconfigurations that could be exploited by malicious outsiders or insider threats.  

Segmentation Testing

Segmentation testing is designed to ensure your Card Data Environment is fully isolated from ‘out of scope’ systems and that effective measures and controls are in place to restrict access to your CDE. Our testing will utilise tools such as host discovery and port scanning to uncover any potential access points, verifying that isolated LANs do not have access. We will also review firewall configurations to ensure only authorised access is permitted to your critical environments.  

Wireless Network Testing

Wireless networks can provide malicious threats with a route into your environment, it is therefore important to gain assurances that your security is as effective as possible. Our wireless network testing service will be carried out onsite and is designed to uncover & evaluate potential rogue access points, insecure router configurations, Wi-Fi Protected Setup (WPS) weaknesses, unsecure wireless encryption & segregation, as well as susceptibility to attacks such as Evil Twin attacks. 

Approaching PCI DSS penetration testing

PCI DSS testing can follow one of three approaches and we will work with you to determine the approach that will provide your organisation with the best possible results. 

Black Box Approach

Black box testing mimics a real-life attack scenario, where we have basic knowledge of the application, but have no access to the source code or any admin/user credentials. 

Black box assessments are typically used by clients who wish to find out if a malicious threat could gain access to a web application from the outside.

White Box Approach

White box testing provides our consultants with a level of access prior to the test, whether it’s access to source code or user credentials. 

This type of testing assumes that an attacker already has some level of access within the application and is designed to understand the potential damage that can be achieved.

Grey Box Approach

This is our preferred approach to application penetration testing, as we believe it provides the best value test in terms of results. 

It is a hybrid approach (combining both white box and black box testing elements) and provides a security overview of the application from both the outside and the inside.

PCI DSS testing process

Every PCI DSS penetration test goes through a rigorous process, ensuring that you get the best possible outcome and that you are fully complying with your PCI DSS requirements. Below we outline the key stages our testing goes through:

1. Understanding your test requirements

No two organisations, or projects, are the same. We work closely with you to fully understand the CDE under review and any associated systems. We also review any relevant documentation & previous test findings.

2. Expert led, manual testing

Our testing services are conducted manually by our expert cybersecurity consultants and are designed to fully challenge your cybersecurity measures. All our consultants are directly employed by us, meaning we ensure the highest quality of service.

3. Reporting, tailored to your needs

Reporting isn’t just a piece of paper, it’s a process. Our reporting process can be tailored to suit your needs, providing you with timely, relevant, and detailed information, not just on our findings but also our expert remediation advice.

4. Post-test support & documentation

Our job doesn't finish on the delivery of a test report. We make our security consultants available after the test to provide remediation support and can provide fix checks, as well as additional documentation where necessary.

Like the sound of our PCI DSS approach?

You can find out more about our test process and why it sets us apart.

Find out more about PCI DSS penetration testing

Want to find out more about our PCI DSS penetration testing service? Our team are on hand to provide you with the information you need. Please fill out the form below and one of our team will be in touch shortly.