PCI DSS penetration testing

Helping you achieve & maintain PCI DSS compliance

PCI DSS compliance & our penetration testing service

The security of cardholder data is vital and if you are an organisation that processes credit card payments, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). Penetration testing forms a key component of the PCI DSS requirements and, where applicable, organisations should be testing their entire Card Data Environment (CDE), the systems that may impact the security of the CDE and any other in-scope environment on an annual basis, or whenever significant changes have been made.

The scope and level of testing required will be determined by your PCI Qualified Security Assessor (QSA) and can include your internal and external infrastructure, applications and segmentation controls. 

The PCI DSS requirements for penetration testing include: 

  • Requirement 11.3.1 – Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment)  
  • Requirement 11.3.2 – Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment) 
  • Requirement 11.3.4 – If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE  

Our PCI DSS penetration testing has been designed to help you meet these requirements, whether you’re a small merchant (Level 4) or process millions of transactions per year (Level 1 & 2). But more than that, our service is here to support your security improvement, your remediation efforts and provide you with the assurance that your information security is as robust as possible. 

Pentest Ltd is not an accrediting body for PCI; this role is performed by a Qualified Security Assessor. However, we work closely with your QSA to confirm the scope of testing and the Cardholder Data Environment under review. The QSA will then use the Pentest report as part of the PCI DSS accreditation process and to assist with the Report on Compliance (ROC).

If you do not currently have a QSA, our sister company, Xcina Consulting, can provide a full range of PCI DSS services as an accredited PCI QSA firm, such as gap analysis, Attestation of Compliance (AOC) and full Report on Compliance (ROC).

Find out more about Pentest

Find out more about Pentest, the support we offer and the reasons clients choose us.

What we test

Our PCI DSS penetration testing service is designed to simulate a real-world attack and will be tailored to your exact needs. While some automated tools may be used, our testers manually investigate the target systems in scope, as the PCI DSS requires, using their knowledge and expertise to uncover weaknesses which may be chained together in order to exploit the environment further and demonstrate how far an attacker could potentially get within it. This depth of testing is not possible using automated scanners alone.

The full scope of our testing will be decided by your PCI QSA, but can often include: 

Application Testing (Web & Mobile)

Our application testing service is aligned with industry standards such as OWASP and will look to uncover as many security vulnerabilities as possible within a target application in the given timeframe. The issues we look for include: injection vulnerabilities, security configuration and authentication weaknesses, logic flaws such as access control and broken authorisation, data transfer and storage issues, as well as testing against the OWASP Top 10 vulnerabilities.

Network Infrastructure Testing

IT network infrastructure is vital to the day-to-day operation of modern business and forms a key component of your CDE. Our network infrastructure testing is designed to investigate your external networks (your publicly facing networks) and/or your internal networks (the servers, devices and software that make up your internal networks), identifying potential security issues and misconfigurations that could be exploited by malicious outsiders or insider threats.  

Segmentation Testing

Segmentation testing is designed to ensure your Card Data Environment is fully isolated from ‘out of scope’ systems and that effective measures and controls are in place to restrict access to your CDE. Our testing will utilise techniques such as host discovery and port scanning to uncover any potential access points, verifying that out-of-scope LANs have no access to the CDE. We will also review firewall configurations to ensure only authorised access is permitted to your critical environments.
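As an added illustration of how segmentation-test evidence is evaluated (this is example code, not Pentest Ltd's tooling), the script below takes constructed host-discovery and port-scan results gathered from out-of-scope vantage points and reports every probe that reached a CDE host. The CDE and out-of-scope address ranges and the scan lines are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical scope definitions, normally agreed with the QSA (constructed).
CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
OUT_OF_SCOPE_NETWORKS = [ipaddress.ip_network("10.20.0.0/24"),
                         ipaddress.ip_network("10.30.0.0/24")]

# Constructed sample results of probes sent from out-of-scope hosts.
# Each line: source host, destination host, destination port, observed state.
SAMPLE_RESULTS = """\
10.20.0.5 10.10.0.10 443 open
10.20.0.5 10.10.0.10 22 filtered
10.20.0.5 10.10.0.11 3389 filtered
10.30.0.7 10.10.0.12 1433 open
10.30.0.7 10.10.0.12 80 closed
10.30.0.7 10.20.0.9 445 open
"""

def in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    return any(ip in net for net in networks)

def parse_results(text):
    """Parse whitespace-separated scan lines into (src, dst, port, state)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, state = line.split()
        rows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                     int(port), state))
    return rows

def segmentation_failures(rows):
    """Map each CDE host to the out-of-scope probes that reached it.

    Both "open" and "closed" count as failures: a closed port still answered,
    which proves the packet crossed the segmentation boundary. Only "filtered"
    (no response) shows the control dropped the traffic. Traffic between two
    out-of-scope hosts is ignored because it does not touch the CDE."""
    failures = defaultdict(list)
    for src, dst, port, state in rows:
        if (in_any(src, OUT_OF_SCOPE_NETWORKS) and in_any(dst, CDE_NETWORKS)
                and state in ("open", "closed")):
            failures[str(dst)].append((str(src), port, state))
    return dict(failures)
```

An empty result is the outcome a passing segmentation test should produce; any entry is a finding to raise with the firewall owner before the QSA reviews the report.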

Wireless Network Testing

Wireless networks can provide malicious threats with a route into your environment, so it is important to gain assurance that your wireless security is as effective as possible. Our wireless network testing service is carried out onsite and is designed to uncover and evaluate potential rogue access points, insecure router configurations, Wi-Fi Protected Setup (WPS) weaknesses, insecure wireless encryption and segregation, as well as susceptibility to attacks such as Evil Twin attacks.

Social Engineering

Employees are often targeted by malicious threats looking to deceive or coerce them into clicking on links, handing over sensitive information or performing actions that may compromise the security of your environment. Using social engineering attack techniques is not a requirement for PCI DSS compliance; however, where required, we can simulate social engineering approaches, tailoring our approach to your organisation and the maturity of your security awareness programme.

Approach to PCI DSS testing

PCI DSS testing can follow one of three approaches and we will work with you to determine the approach that will provide your organisation with the best possible results. 

Black Box Testing Approach

This mimics a real-life attack scenario, where we have no knowledge of the environment and have no access to the source code or any admin/user credentials. Black box assessments are typically used by clients who wish to find out if a malicious threat could gain access to an environment from the outside. 

White Box Testing Approach

White box testing provides us with a level of access prior to the test, whether it’s access to source code or user credentials. This type of testing assumes that an attacker has already achieved access to the environment and is designed to understand the damage that can be achieved from this position.

Grey Box Testing Approach

This is typically our preferred approach to testing, as we believe it provides the best value in terms of results for our clients. It is a hybrid approach, combining both white box and black box testing elements, and provides a security overview of the target environment from both the outside and the inside. 

Not sure what approach is best for you?

Our team will be happy to discuss your individual requirements and provide a no obligation proposal based on your needs.

Our PCI DSS penetration test process

Every PCI DSS penetration test goes through a rigorous process, ensuring that you get the best possible outcome and that you fully comply with your PCI DSS requirements. Below we outline the key stages our testing goes through:

1. Scoping

We will work with you to fully understand your organisation, the CDE under review and any associated systems. We also review any relevant documentation, previous test findings and confirm the type of testing to be performed.

2. Proposal

A bespoke proposal of work will be drawn up based on the information gathered from the previous stage. This will outline the planned scope of work, the set rules of engagement and any preparations needed to allow us to start testing.

3. Testing

Testing will begin on the agreed date and our consultants will communicate with you throughout the engagement, letting you know immediately of any high-risk findings or if cardholder data is accessed during testing.

4. Reporting

A comprehensive, quality assured report will be delivered following the test. Our report will provide both a technical and managerial overview of testing, a comprehensive analysis of the vulnerabilities found and our detailed remediation advice.

5. Post-test support

Our job doesn’t finish on delivery of a report and our consultants will be available after the test to support your remediation efforts. Once remediation efforts have been completed, we will conduct a fix-check to ensure vulnerabilities have been successfully mitigated.

6. Evidence of testing

We can provide further evidence of testing, outlining our initial test engagement and reporting upon any retesting phases that were undertaken. These documents are designed to provide the detailed evidence needed to satisfy your compliance requirements.

Why choose Pentest?

Our test process isn’t the only reason clients choose to work with us. Find out more about Pentest, our ethos and the support we offer our clients.

Contact us

Want to find out more about our PCI DSS penetration testing service? Our team are on hand to provide you with the information you need. Please fill out the form below and one of our team will be in touch shortly.