PCI-DSS Penetration Testing

We believe that we exist to secure the connected and grant the opportunity of a better online life. Penetration testing helps you achieve that.

We demonstrate this in the way we conduct our Penetration Testing. Simply running a set of scripts from a laptop with Kali Linux installed is not penetration testing. We use experience, skill, research and human intuition to provide the best penetration testing on the market.

Penetration Testing

What is PCI-DSS Penetration Testing?

A penetration test is a type of cyber security assessment designed to identify, exploit and help address vulnerabilities.

PCI-DSS penetration testing covers network infrastructure and applications from both outside and inside an organisation’s network environment. PCI DSS (Payment Card Industry Data Security Standard) Requirements 11.3.1 (external testing) and 11.3.2 (internal testing) state that penetration testing must be performed at least annually and after any significant change, for example infrastructure or application upgrades or modifications, or the installation of new system components. Requirement 6.6 adds that public-facing web applications must be reviewed for vulnerabilities at least annually and after any change, unless they are protected by an automated technical solution such as a web application firewall. (These requirement numbers follow PCI DSS v3.x; v4.0 moved the penetration testing requirements to 11.4.)

Conducting penetration tests provides a crucial check on a system once it has been built, and can also be used in the early stages of developing new processing systems to identify risks to cardholder data before they reach production.

Performing penetration testing on your security systems, public-facing devices and systems, databases and other systems that store, process or transmit cardholder data means that you are attempting to discover your vulnerabilities before cyber criminals do.

The goals of penetration testing are to:

  • Determine whether and how a malicious user could gain unauthorised access to assets that affect the fundamental security of the system, files, logs and/or cardholder data; and
  • Confirm that the controls required by the PCI DSS are in place and effective.


Penetration testing is essentially a controlled, ethical form of hacking that involves assessing your chosen systems for any potential weaknesses. These weaknesses could result from inadequate or improper system configuration, known or unknown hardware or software flaws, and operational weaknesses in process-based or technical countermeasures.

What Scope is Required?

PCI-DSS penetration testing must be performed on an organisation’s complete cardholder data environment (CDE) and includes any systems which may impact the security of the CDE.

PCI-DSS penetration testing will help to identify:

How we work

Our CREST-accredited penetration testers follow an established methodology based primarily upon the OSSTMM (Open Source Security Testing Methodology Manual) and OWASP (Open Web Application Security Project) Top 10 Application Security Risks. This approach will emulate the techniques of an attacker using many of the same readily available tools.

  1. Scoping: Before testing, our account management team will discuss your PCI compliance assessment requirements for your internal and external networks to define the scope of the test.
  2. Reconnaissance: The tester will enumerate your network assets within the defined scope of the CDE (the technology that can “store, process, or transmit cardholder data or sensitive authentication data”, and any technology that can affect its security).
  3. Assessment: Using the information gathered during reconnaissance, we test the network and applications for potential vulnerabilities.
  4. Reporting: The test results will be fully analysed by a Hedgehog certified tester and a full report will be prepared that describes the approach and findings, and that shows a logical flow through the penetration test steps to provide evidence to your appointed QSA and/or stakeholders.
  5. Re-test: We can provide access to our testers and the raw test data to support and expedite remediation. We can also retest your systems so that you can be sure all identified issues have been successfully resolved.
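As an added example (not Hedgehog's own tooling), the check below shows how the scoping and reconnaissance steps above can be tied together: every host a tester intends to enumerate is verified against the agreed CDE scope before any testing starts, and any agreed scope range that no target falls into is flagged as a coverage gap for the QSA. The scope lines and target addresses are constructed sample data, not a real environment.

```python
"""Verify enumeration targets against an agreed PCI DSS CDE scope.

Added example, not code from the original page. SCOPE and TARGETS below
are constructed sample data used only to illustrate the checks.
"""
import ipaddress

# Constructed sample scope as agreed with the client (one range or host per line).
SCOPE = [
    "10.10.1.0/24      # card processing VLAN",
    "10.10.2.0/24      # DMZ hosting the payment application",
    "203.0.113.10      # externally facing payment gateway",
]

# Constructed sample list of hosts the tester plans to enumerate.
TARGETS = ["10.10.1.5", "10.10.1.200", "203.0.113.10", "10.20.0.7"]


def parse_scope(lines):
    """Parse scope lines into ip_network objects; blank lines and # comments are ignored."""
    networks = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False accepts a single host ("203.0.113.10") as a /32.
        networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def classify_targets(scope, targets):
    """Split targets into (in_scope, out_of_scope) against the agreed scope."""
    in_scope, out_of_scope = [], []
    for target in targets:
        addr = ipaddress.ip_address(target)
        if any(addr in net for net in scope):
            in_scope.append(target)
        else:
            out_of_scope.append(target)
    return in_scope, out_of_scope


def uncovered_networks(scope, targets):
    """Scope ranges that contain none of the targets: a coverage gap to raise before testing."""
    addrs = [ipaddress.ip_address(t) for t in targets]
    return [str(net) for net in scope if not any(a in net for a in addrs)]


if __name__ == "__main__":
    scope = parse_scope(SCOPE)
    ok, bad = classify_targets(scope, TARGETS)
    print("In scope:      ", ok)
    print("OUT OF SCOPE:  ", bad)        # must be resolved before any testing starts
    print("Not covered:   ", uncovered_networks(scope, TARGETS))
```

Run it before the reconnaissance phase: an out-of-scope target means the tester is about to touch a system the engagement does not authorise, while an uncovered scope range means the agreed CDE will not be fully assessed and the evidence handed to the QSA will be incomplete.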