PCI DSS Penetration Testing
Utilise our PCI DSS penetration testing services, which offer great value, technical expertise and a remediation plan. No fuss around scheduling, retests or report delays – guaranteed!
PCI DSS Compliance
Wikipedia defines PCI DSS as follows: ‘The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes.’
Regular PCI DSS compliance testing is required as a key control to protect cardholder data environment (CDE) systems and data. PCI DSS states the penetration testing requirements as follows:
- PCI Requirement 6.6 requires that internet-facing applications be protected from new threats and vulnerabilities on an ongoing basis.
- PCI Requirement 11 requires organisations to ‘regularly test security systems and processes’.
What is PCI penetration testing?
PCI penetration testing is performed to identify security vulnerabilities in line with PCI DSS requirements. It targets the internal systems that store, process or transmit card data, public-facing devices and systems, and databases. PCI network segmentation testing validates the segmentation controls that prevent unauthorised access to the CDE. External PCI pen tests are performed on the internet-facing systems. This is not a vulnerability scan, which involves running vulnerability scanners and analysing the results to remove false positives. Comparatively, penetration tests are resource intensive and in-depth, and provide an effective input to your risk management process.
This is a controlled form of an ethical hacking exercise with the following objectives:
- Assess the access security and segmentation controls in line with PCI compliance requirements
- Determine whether a threat actor could gain unauthorised access to CDE systems that store, process or transmit payment data
No retest and cancellation faff
PCI DSS penetration testing requirements
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
3: Protect stored card data
4: Encrypt transmission of card data across open, public networks
5: Protect all systems against malware and regularly update anti-virus software or programs
6: Develop and maintain secure systems and applications
7: Restrict access to card data by business need to know
8: Identify and authenticate access to system components
9: Restrict physical access to cardholder data
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
12: Maintain a policy that addresses information security for all personnel
Types of PCI DSS pentest services
Based on the scope of assets within the CDE, any of the following types of services can be aligned to PCI requirements. These are performed by experienced and qualified penetration testers. External penetration testing and tailored infrastructure or application security testing services are offered to service providers, merchants, online retailers and any systems that may impact the security of the CDE.
PCI Internal Penetration Testing
A PCI internal pentest covers a broad scope – from a single-server review to estate-wide, multi-network Active Directory reviews, including segmentation control checks.
PCI Application Security Testing
Our team of cybersecurity experts will perform PCI security assessments against the applications, web services and APIs in scope.
Cloud Penetration Testing
Most organizations are migrating to the cloud for its ease of use and 24x7 availability. As the end user of a cloud-hosted solution, it is your responsibility to ensure that the security of any operating systems and applications hosted in the cloud is continuously maintained and tested.
Vulnerability assessments provide insight into vulnerabilities affecting your internal and external networks.
They help to identify and quantify the potential risks threatening your environment while minimising internal costs.
Mobile Pen Testing
Ensuring the safety and security of user data is paramount to running any mobile application.
Our tailored services are designed to identify potential threats and vulnerabilities before it is too late to limit the damage.
PCI Network Segmentation Testing
PCI network segmentation testing checks whether segmentation controls are working as intended. The fundamental concepts behind a segmentation penetration test include switch-based VLAN security controls, internal firewalling and the related layer 2 and layer 3 access controls.
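The layer 3 part of a segmentation check can be rehearsed offline before anyone touches the network: take the firewall rule set that is supposed to form the CDE boundary and compare what it actually permits against the flows the organisation has documented as approved. The example below is added here and is not the page's or the service provider's own code. The rule set, the subnets, the host addresses and the "documented exception" are all constructed for illustration; first-match rule evaluation with a default deny is assumed, as it is on most firewalls and router ACLs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: tuple   # tuple of TCP ports, or ("any",)

    def matches(self, src_ip, dst_ip, port):
        return (src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst)
                and (self.ports == ("any",) or port in self.ports))


def evaluate(rules, src, dst, port, default="deny"):
    """First-match semantics (assumed): the first rule that matches decides."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return default


def allowed_flows(rules, out_of_scope, cde_hosts, ports):
    """Every (src, dst, port) from an out-of-scope host into the CDE that the policy permits."""
    return [(src, dst, port)
            for src in out_of_scope
            for dst in cde_hosts
            for port in ports
            if evaluate(rules, src, dst, port) == "allow"]


def unexpected_flows(rules, out_of_scope, cde_hosts, ports, exceptions):
    """Permitted cross-segment flows that nobody has documented as an approved exception."""
    return sorted(flow for flow in allowed_flows(rules, out_of_scope, cde_hosts, ports)
                  if flow not in exceptions)


# --- constructed sample data (not from any real environment) -----------------
CDE_HOSTS = ["10.10.0.10", "10.10.0.20"]          # payment app, card database
OUT_OF_SCOPE = ["10.20.0.5", "10.20.0.99", "192.168.50.77"]  # jump host, workstation, guest wifi
PORTS = (443, 3306, 22)

# The one flow the organisation has documented: the jump host to the payment app over HTTPS.
EXCEPTIONS = {("10.20.0.5", "10.10.0.10", 443)}

# Rule set as found: the documented exception, a broad "temporary" rule that was
# never removed, and the intended boundary deny.
RULES = [
    Rule("allow", "10.20.0.5/32", "10.10.0.10/32", (443,)),
    Rule("allow", "10.20.0.0/24", "10.10.0.0/24", ("any",)),
    Rule("deny", "0.0.0.0/0", "10.10.0.0/24", ("any",)),
]

# The same boundary with the broad rule removed.
HARDENED_RULES = [RULES[0], RULES[2]]


if __name__ == "__main__":
    for name, ruleset in (("as found", RULES), ("hardened", HARDENED_RULES)):
        gaps = unexpected_flows(ruleset, OUT_OF_SCOPE, CDE_HOSTS, PORTS, EXCEPTIONS)
        print(f"{name}: {len(gaps)} undocumented flow(s) into the CDE")
        for src, dst, port in gaps:
            print(f"  {src} -> {dst}:{port}")
```

Rule order is the detail worth noticing: the boundary deny in the last position is exactly what the documentation would show, yet the broad corporate-to-CDE rule above it makes the deny unreachable for that segment, which is why a review walks the rules in evaluation order rather than reading the deny in isolation. The on-network half of a segmentation test then confirms that the flows this model says are blocked really are blocked.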