Penetration Testing


PCI-DSS Penetration Testing

  • Highly trained and certified penetration testing team
  • Proven penetration testing methodology
  • Includes retest option to validate your fix actions
  • Clear & concise reports with prioritized, actionable items

PCI-DSS Penetration Testing Service

There are three penetration testing types for PCI-DSS.

Black-box assessments do not provide you with any information prior to the start of the tests.

White-box assessments this is where application and network details are provided to the penetration tester.

Grey-box assessments this entails providing partial information pertaining to target systems.

During PCI-DSS testing, grey-box and white-box assessments give organisations a deeper insight about their operations. The information that an organisation will provide during testing goes a long way in streamlining the process thus making it less expensive. It also helps save time.

PCI-DSS Penetration Testing Overview

There are three aspects to any PCI-DSS penetration test:

External Infrastructure Penetration Testing: taking the view of an attacker on the Internet, targeting your business's Internet presence.

Internal Infrastructure Penetration Testing: taking the viewpoint of an attacker who has gained access to your internal corporate network or a malicious low privilege staff member already on your network. This could include a wireless assessment if wireless is used within the business.

Segmentation Testing: performing tests and checks from each adjoining network to the Card Holder Environment to ensure only approved systems are permitted access into the Card Holder Environment.

Establishing the Scope of Your Cardholder Data Environment

The PCI security standard officially defines CDE as "the process, people, and technologies that store, transmit, and process sensitive authentication or cardholder data." Therefore, the first step that you must take during the penetration testing is determining the scope of the entire process for PCI compliance. There are a number of guidelines that you must consider.

Payment processors need to assess aspects regarding access to open networks. This includes regulated access to external IP addresses. You also need to focus on your internal critical systems, more so those that touch on access to information. If your company has segmented its information, it is advisable to tests all systems that are beyond the CDE environment. This helps eliminate cases of cross-contamination.

Testing systems that are outside your CDE environment also ensures that your company's segmentation controls work effectively besides ensuring that information remains separated. Deeming your network or system "out of scope" means you must ensure that its compromise does not have any effect on cardholder data. Therefore, undertaking penetration testing on "out of scope" environments verifies that segmentation controls not only work in policy but also in practice.

What are Critical Systems?

PCI-DSS testing regards systems that are involved in the processing and protection of cardholder information as being "critical." These may include public-facing devices, security systems, and all devices that store, process, or transmit cardholder data. With regard to penetration testing, intrusion detection systems, firewalls, e-commerce redirection servers, and authentication servers are all regarded to be "critical" to your operations. Generally, critical systems include all technology assets that privileged users within your organization use to support and manage CDE.

What is covered

External Infrastructure Penetration Testing

  • Open source data gathering
  • Host discovery
  • Port Scanning
  • Vulnerability Scans with manual confirmation of findings
  • Web Services and application unauthenticated testing
  • Remote management interfaces
  • Database Services
  • Mail Servers
  • VPN Endpoints
  • RPC Endpoint Services
  • Other Exposed Services Assessment


Internal Infrastructure Penetration Testing

  • Host discovery
  • Port Scanning
  • Vulnerability scans with manual confirmation of findings
  • Web Services and application unauthenticated testing
  • Remote management interfaces
  • Database Services
  • Windows Networks, Domains and Forests
  • RPC Endpoint Services
  • Other Exposed Services Assessment
  • Wireless Assessment of one or more offices
  • Use of wireless security measures
  • Intra client wireless protection
  • Corporate separation with wireless networks
  • Guest and corporate wireless network segregation

Penetration Test Report

The Penetration Test Report includes the URLs and IP addresses tested, reconnaissance (discovery) information, vulnerabilities discovered, steps taken during the assessment, exploitable areas, and prioritized recommendations. For any systems we are able to exploit, an Issue Detail section is used to discuss step-by-step the process we used to gain access, escalate privileges, etc.


Penetration Test Report Findings Review

We schedule either an in-person or online session with you where we walk through the report with your team and answer any questions about the findings, our methods, or the steps required for remediation. Many competitors deliver a confusing lengthy report at the end of the engagement for you to decipher. Our penetration test report review adds tremendous value because we can clarify findings and remediation steps.


Free Retest

How do you know the steps you took to fix our penetration test report findings actually worked? Validation removes the guesswork. When you're ready, after fixing the issues identified in the penetration test report, we offer a free re-test of those identified vulnerabilities. This is a crucial and often overlooked step in this process. Validating security controls, patches, and other fix actions is extremely important. We have discovered numerous organisations that thought they fixed a finding we identified, only to discover after a retest that the finding was still there.


Certificate of Attestation

The attestation letter serves as record of us performing the penetration test. It includes a summary of the findings. Its intent is for external use, outside of your organisation, to show proof that a security assessment was performed and to highlight test results.

Frequently Asked Questions

  • Penetration Test or Vulnerability Assessment, I'm confused. What do I need?

    Great question. The vulnerability assessment is akin to looking at a house and writing down the make of the locks, the location of the doors and windows. All the time checking to make sure they are closed and see if they are locked or not. A penetration test will attempt to pick those locks, open the doors, see what is behind them. The good penetration test will also try to build tunnels from the house to their house, create an inventory of all your possessions and many other things besides. We get a lot of questions asked of us regarding Penetration Testing. We have tried to gather as many of the frequently asked questions together here.

  • I have a mate who can test, what makes you better?

    Almost everyone has a friend, peer, colleague who understands a little about security. We test 7 days a week, 365 days a year and each tester spends a third of their time at conferences, on course and doing research to stay at the top of their skill set. It is like comparing a race car engineer (the penetration tester) to a car garage engineer (the IT generalist with some tools) to the home garage hobbyist (the friend). Occasionally, the friend will have excellent levels of skills, but is this the exception, not the norm.

  • What tools do you use for a penetration test?

    Our primary "tool" is the Mk1 Human. In our testers arsenal are over 200 opensource tools bolstered by more than 50 internally developed tools. On an average penetration test, 20% of the testers time will be spend working with tools. These are important for covering a lot of digital ground in a small amount of time.

  • How often should we have a Penetration Test?

    The best practice guideline is at least annually but it really depends on what it is you are testing. If your environment is static and does not change, and you perform monthly vulnerability scans then you are reasonably safe in having a penetration test every three years. If you are including applications within your test scope, that change often, then you should be testing those applications separately after development and before UAT.

  • I want a Penetration Test, how much will it cost?

    In order to determine the cost, we need to have a discussion about the scope. While some firms will give you a quote blind, it is like asking a painter to paint a building in London without knowing which building and what type of paint. There are a lot of variables and these can only be fleshed out via a scoping conversation with one of our test team leaders.

  • How do we know you are any good?

    For the first engagement this is always a worry for clients. We are a CREST member company with a number of OSCP and OSCE qualified staff. Our engineers have a wide variety of experience covering multiple disciplines. Have a look at our testimonials to see what our clients think. But the main thing is we actually care about our clients and their security.

  • When do you issue the certificate?

    We typically issue the certificate after we perform the re-test, if included. This allows you to fix any issues we identify in the initial penetration test.