PCI DSS Penetration Testing

Helping you achieve & maintain PCI DSS compliance

Our PCI DSS testing service

The security of cardholder data is vital and if you are an organisation that processes credit card payments, you must comply with the Payment Card Industry Security Standard (PCI DSS). Penetration testing forms a key component of the PCI DSS requirements and where applicable, organisations should be testing their entire Card Data Environment (CDE), the systems that may impact the security of the CDE and any environment in scope on an annual basis, or when significant changes have been made.  

The scope and level of testing required will be determined by your PCI Qualified Security Assessor (QSA) and can include your internal and external infrastructure, applications and segmentation controls. 

The PCI DSS requirements for penetration testing include: 

  • Requirement 11.3.1 – Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment)  
  • Requirement 11.3.2 – Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment) 
  • Requirement 11.3.4 – If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE  

Our PCI DSS penetration testing has been designed to help you meet these requirements, whether you’re a small merchant (Level 4) or process millions of transactions per year (Level 1 & 2). But more than that, our service is here to support your security improvement, your remediation efforts and provide you with the assurance that your information security is as robust as possible. 

Pentest Ltd is not an accrediting body for PCI, this role is performed by a Qualified Security Assessor. However, we work closely with your QSA to confirm the scope of testing and the Cardholder Data Environment under review. The QSA will then use the Pentest report as part of the PCI DSS accreditation process and assist with the Report on Compliance (ROC). 

If you do not currently have a QSA our sister company, Xcina Consulting, can provide a full range of PCI DSS services as an accredited PCI QSA firm, such as gap analysis, Attestations on Compliance (AOC) and full Report on Compliance (ROC). 

What we test

Our PCI DSS penetration testing service is designed to simulate a real-world attack and will be tailored to your exact needs. While some automated tools may be used, our testers manually, as required by the PCI DSS, investigate the target systems in scope, using their knowledge and expertise to uncover weaknesses which may be linked together in order to further exploit the environment and demonstrate how far they could potentially get within it. This depth of testing is not possible using automated scanners alone. 

The full scope of our testing will be decided by your PCI QSA, but can often include: 

Application Testing (Web & Mobile)

Our application testing service is aligned with industry standards such as OWASP & will look to uncover as many security vulnerabilities as possible within a target application, in the given timeframe. The issues we look for will include: injection vulnerabilities, security configuration & authentication, logic flaws such as access control & broken authorisation, data transfer & storage, as well as testing against OWASP Top 10 vulnerabilities. 

Network Infrastructure Testing

IT network infrastructure is vital to the day-to-day operation of modern business and forms a key component of your CDE. Our network infrastructure testing is designed to investigate your external networks (your publicly facing networks) and/or your internal networks (the servers, devices and software that make up your internal networks), identifying potential security issues and misconfigurations that could be exploited by malicious outsiders or insider threats.  

Segmentation Testing

Segmentation testing is designed to ensure your Card Data Environment is fully isolated from ‘out of scope’ systems and that effective measures and controls are in place to restrict access to your CDE. Our testing will utilise tools such as host discovery and port scanning to uncover any potential access points, verifying that isolated LANs do not have access. We will also review firewall configurations to ensure only authorised access is permitted to your critical environments.  

Wireless Network Testing

Wireless networks can provide malicious threats with a route into your environment, it is therefore important to gain assurances that your security is as effective as possible. Our wireless network testing service will be carried out onsite and is designed to uncover & evaluate potential rogue access points, insecure router configurations, Wi-Fi Protected Setup (WPS) weaknesses, unsecure wireless encryption & segregation, as well as susceptibility to attacks such as Evil Twin attacks. 

Social Engineering

Employees are often targeted by malicious threats, looking to deceive or coerce them into clicking on links, handing over sensitive information or performing actions that may compromise the security of your environment. Using social engineering attacks techniques is not a requirement for PCI DSS compliance, however, where required, we can simulate social engineering approaches, tailoring our approach to your organisation and the maturity of your security awareness program. 

How can you approach PCI DSS penetration testing?

PCI DSS testing can follow one of three approaches and we will work with you to determine the approach that will provide your organisation with the best possible results. 

Black Box Approach

Black box testing mimics a real-life attack scenario, where we have basic knowledge of the application, but have no access to the source code or any admin/user credentials. 

Black box assessments are typically used by clients who wish to find out if a malicious threat could gain access to an web application from the outside.

White Box Approach

White box testing provides our consultants with a level of access prior to the test, whether it’s access to source code or user credentials. 

This type of testing assumes that an attacker already has some level of access within the application and is designed to understand the potential damage that can be achieved.

Grey Box Approach

This is our preferred approach to web application penetration testing, as we believe it provides the best value test in terms of results. 

It is a hybrid approach (combining both white box and black box testing elements) and provides a security overview of the application from both the outside and the inside.

Not sure what type of testing you need?

Our team will be happy to discuss your individual requirements and provide a no obligation proposal based on your needs.

Our approach

The security confidence we provide doesn’t come from a one size fits all solution.

Every PCI DSS penetration test goes through a rigorous process, ensuring that you get the best possible outcome and that you are fully complying with your PCI DSS requirements. Below we outline the key stages our testing goes through:   

1. Client Focused Scoping

We work closely with you to fully understand the CDE under review and any associated systems. We also review any relevant documentation & previous test findings.

2. Expert Manual Testing

Our manual testing is designed to challenge your security. That's why we only hire the very best information security consultants & all consultants are directly employed by us.

3. Tailored Reporting

Reporting isn't just a piece of paper, it's an ongoing process. We tailor our reporting to you, whether you need in-test notifications, ticket integration or a bespoke test report.

4. Post-Test Support

Our job doesn't finish on the delivery of a report. We make our consultants available after your test to provide clarification on findings & pass on their wealth of expertise.

5. Fix Check & Documentation

A fix check can be employed to ensure issues found have been successfully remediated & additional documentation can be supplied for assurance purposes

6. Ongoing Partnership

We see ourselves as trusted advisors and welcome clients contacting us outside of testing, providing honest advice on security issues wherever we can.

Like the sound of our approach?

You can find out more about our test process and why it sets us apart.

Contact us

Want to find out more about our PCI DSS penetration testing service? Our team are on hand to provide you with the information you need. Please fill out the form below and one of our team will be in touch shortly.