
Penetration testing services for PCI 3.2 compliance

Requirement 11.3 of the Payment Card Industry Data Security Standard (PCI DSS) describes the need to regularly carry out penetration testing to identify unaddressed security issues and scan for rogue wireless networks. Regular testing is fundamental to ensuring that an organisation is prepared for a range of cyber attacks.


PCI compliance, especially for Reports on Compliance (RoCs) and some self-assessment questionnaires (SAQs), requires internal and external vulnerability scans and frequent penetration tests.

Penetration testing should include network and application layer testing, as well as controls and processes around the networks and applications, and should be conducted from both outside the network trying to come in (external testing) and from inside the network (internal testing).


The importance of security testing for the PCI DSS

Although Requirement 11 of the PCI DSS mandates regular testing of security systems and processes, Verizon’s 2017 PCI Compliance Report saw security testing retain its traditional place at the bottom of the list, with only 71.9% of organisations achieving full compliance.

Yet payment card data is a prized commodity for cyber criminals and is usually the main target of attacks against commercial environments. The 2017 Trustwave Global Security Report found that more than half of the incidents investigated targeted payment card data.


How does penetration testing fit into my PCI DSS project?

A penetration test aims to determine whether and how a criminal hacker can gain unauthorised access to assets that affect the fundamental security of your system. It provides real-world security testing of the security controls you believe are in place and functioning effectively. It’s a way to identify vulnerabilities that can be exploited to circumvent or defeat the security features of system components.

The scope of a penetration test, as defined in PCI DSS Requirement 11.3, must include the entire cardholder data environment (CDE) perimeter and any critical systems that may impact the security of the CDE, as well as the environment in scope for the PCI DSS. This includes both the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (local area network (LAN) attack surfaces).

The PCI DSS specifies that external and internal penetration testing should be performed at least annually and after any significant infrastructure or application upgrade or modification within the target environment. Penetration testing is especially important in confirming whether your approach to segmenting your network is truly effective in isolating your CDE from other networks. Large breaches typically originate with a simple attack into an insecure area of the victim’s network, with a subsequent lateral move directly into the CDE.


Our PCI DSS penetration testing solution

What can you expect from a PCI penetration test?

Our approach

What will my service cover?

Our testing portfolio covers a wide range of applications, networks and devices.

Our CREST-certified testers will test your network infrastructure and information systems to see how far an attacker would be able to progress within your CDE.

Our approach starts with an agreement on the scope of testing. Under the PCI DSS, the scope should cover the entire CDE perimeter as well as critical systems. Depending on your needs, the engagement will include the following testing activities and deliverables:

  • External penetration testing.
  • Internal penetration testing.
  • Validation of any segmentation and scope-reduction controls.
  • A review of the CDE to identify information that would be useful to a criminal hacker.
  • A range of manual tests to exploit the CDE and gain user-level or privileged access.
  • A series of automated vulnerability scans.
  • Immediate notification of any critical vulnerabilities to help you take action fast.
  • A detailed technical report that identifies and explains the vulnerabilities (ranked in order of significance).
  • A list of recommended countermeasures to address any identified vulnerabilities.
  • An executive summary that explains what the risks mean in business terms.


Get in contact

We have a team of account managers and security consultants available to discuss your PCI DSS challenges. For more information, please get in contact.
