PCI-DSS Penetration Testing

  • Highly trained and certified penetration testing team

  • Proven penetration testing methodology

  • Includes retest option to validate your fix actions

  • Clear & concise reports with prioritized, actionable items

There are three penetration testing types for PCI-DSS.

Black-box assessments do not provide you with any information prior to the start of the tests.

White-box assessments this is where application and network details are provided to the penetration tester.

Grey-box assessments this entails providing partial information pertaining to target systems.

During PCI-DSS testing, grey-box and white-box assessments give organisations a deeper insight about their operations. The information that an organisation will provide during testing goes a long way in streamlining the process thus making it less expensive. It also helps save time.

PCI-DSS Penetration Testing Overview

There are three aspects to any PCI-DSS penetration test:

External Infrastructure Penetration Testing: taking the view of an attacker on the Internet, targeting your business's Internet presence.

Internal Infrastructure Penetration Testing: taking the viewpoint of an attacker who has gained access to your internal corporate network or a malicious low privilege staff member already on your network. This could include a wireless assessment if wireless is used within the business.

Segmentation Testing: performing tests and checks from each adjoining network to the Card Holder Environment to ensure only approved systems are permitted access into the Card Holder Environment.

Establishing the Scope of Your Cardholder Data Environment

The PCI security standard officially defines CDE as "the process, people, and technologies that store, transmit, and process sensitive authentication or cardholder data." Therefore, the first step that you must take during the penetration testing is determining the scope of the entire process for PCI compliance. There are a number of guidelines that you must consider.

Payment processors need to assess aspects regarding access to open networks. This includes regulated access to external IP addresses. You also need to focus on your internal critical systems, more so those that touch on access to information. If your company has segmented its information, it is advisable to tests all systems that are beyond the CDE environment. This helps eliminate cases of cross-contamination.

Testing systems that are outside your CDE environment also ensures that your company's segmentation controls work effectively besides ensuring that information remains separated. Deeming your network or system "out of scope" means you must ensure that its compromise does not have any effect on cardholder data. Therefore, undertaking penetration testing on "out of scope" environments verifies that segmentation controls not only work in policy but also in practice.

What are Critical Systems?

PCI-DSS testing regards systems that are involved in the processing and protection of cardholder information as being "critical." These may include public-facing devices, security systems, and all devices that store, process, or transmit cardholder data. With regard to penetration testing, intrusion detection systems, firewalls, e-commerce redirection servers, and authentication servers are all regarded to be "critical" to your operations. Generally, critical systems include all technology assets that privileged users within your organization use to support and manage CDE.

What is Typically Covered?

Internal Infrastructure Penetration Testing

  • Host discovery

  • Port Scanning

  • Vulnerability scans with manual confirmation of findings

  • Web Services and application unauthenticated testing

  • Remote management interfaces

  • Database Services

  • Windows Networks, Domains and Forests

  • RPC Endpoint Services

  • Other Exposed Services Assessment

  • Wireless Assessment of one or more offices

  • Use of wireless security measures

  • Intra client wireless protection

  • Corporate separation with wireless networks

  • Guest and corporate wireless network segregation

External Infrastructure Penetration Testing

  • Open source data gathering

  • Host discovery

  • Port Scanning

  • Vulnerability Scans with manual confirmation of findings

  • Web Services and application unauthenticated testing

  • Remote management interfaces

  • Database Services

  • Mail Servers

  • VPN Endpoints

  • RPC Endpoint Services

  • Other Exposed Services Assessment

Purchase Online

PCI-DSS Penetration Testing
from 3,200.00

Identify your businesses critical vulnerabilities within your Card Holder Environment and the adjacent networks before cyber criminals do. Our PCI-DSS penetration test provides a complete solution for meeting Req 11.3 of the PCI-DSS and effectively testing your IT network infrastructure and making sure your organisation is genuinely secure against cyber threats and meets the letter of the PCI-DSS.

Pricing is by the number of IP addresses within the Card Holder Environment.

Number of IP Addresses:
Add To Cart

Contact Us

Name *