PCI-DSS Penetration Testing

Regularly test security systems and processes in line with PCI DSS requirements with PCI-DSS Penetration Testing

PCI-DSS penetration testing is a requirement for all merchants who process or take credit/debit card payments. The Payment Card Industry Data Security Standard (PCI-DSS) requires that all merchants use an adequately qualified and assured penetration testing firm. This requirement is met by our CREST compliance status.

Our professional penetration testing engagements, including network penetration testing and web application testing, help organisations meet the PCI DSS penetration testing requirements by identifying weaknesses that could allow card payment details to be compromised by criminal attackers.

A PCI pen test will help to identify:

  • Unsafe system and network configurations
  • Improper access controls
  • Rogue wireless networks
  • Coding vulnerabilities like XSS and SQL injection
  • Broken authentication and session management
  • Encryption flaws

What is PCI DSS penetration testing?

A penetration test is a type of cyber security assessment designed to identify, exploit and help address vulnerabilities.

PCI-DSS penetration testing is designed to include assessment of network infrastructure and applications from both outside and inside an organisation’s network environment, and includes segmentation testing.

PCI DSS (Payment Card Industry Data Security Standard) Requirements 11.4.1 and 11.4.2 state that internal and external penetration testing must be performed at least annually and after any significant changes – for example, infrastructure or application upgrades or modifications, or after installing new system components. Requirement 11.4.5 requires penetration testing of network segmentation controls.

Conducting penetration tests provides a crucial end-state check and can also be used in the early stages of developing new processing systems to identify potential risks to cardholder data.

Although Requirement 11 of the PCI DSS mandates regular testing of security systems and processes, Verizon’s 2017 PCI Compliance Report shows that security testing retains its traditional place at the bottom of the priority list, with only 71.9% of organisations achieving full compliance.

Payment card data is a prized commodity for cyber criminals and is usually the main target in attacks against commercial environments.

Benefits of PCI-DSS compliance penetration testing

Our penetration tests will help you to:

  • Defend the target environment from the perspective of an outsider with access only to untrusted networks;
  • Defend the organisation from an insider with access to trusted networks, but not necessarily from within the cardholder environment itself;
  • Secure the organisation against weaknesses in applications such as SQL injection and cross-site scripting; and
  • Test and prove that any segmentation controls and methods are operational and effective.