PCI Compliance Penetration Testing

SKU: 4573

Format: Compliance Penetration Testing

(0 reviews)

Requirement 11 of the PCI DSS describes the need to regularly and frequently carry out tests to identify unaddressed security issues and scan for rogue wireless networks.

Regular testing is fundamental to ensuring that an organisation is prepared for the full range of attacks that companies have to face.

To purchase one of our penetration testing services, click the links below or call our team today on +44 (0)333 800 7000.

Learn about our penetration testing services >>>

Description

Your challenge

PCI compliance, especially for Reports on Compliance (ROCs) and some self-assessment questionnaires (SAQs), requires internal and external vulnerability scans, and frequent penetration tests.

PCI DSS Requirement 11.3 addresses penetration testing, which is different from the external and internal vulnerability assessments required by PCI DSS Requirement 11.2. A vulnerability assessment simply identifies and reports on vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorised access or other malicious activity is possible. Penetration testing should include network and application layer testing, as well as controls and processes around the networks and applications, and should be conducted from both outside the network trying to come in (external testing) and from inside the network.

The goals of penetration testing are:

To determine whether and how a malicious user could gain unauthorised access to assets that affect the fundamental security of the system, files, logs and/or cardholder data.
To confirm that the controls required by the PCI DSS are in place and effective.

Our service offering

Meet the penetration testing requirements of the PCI DSS with our comprehensive web application, infrastructure or wireless network penetration tests.

Merchants/ Service providers	*Quarterly external vulnerability scan (ASV)**	*Quarterly internal vulnerability scan**	Annual** penetration test (Level 2)	Quarterly wireless network analysis	Annual Web application vulnerability scan₁
	Req. 11.2.2	Req. 11.2.1	Req. 11.3	Req. 11.1	Req. 6.6
ROC			⁺⁺
SAQ D for Merchants
SAQ D for Service Providers			⁺⁺
SAQ C			^#
SAQ C-VT			^#
SAQ P2PE-HW
SAQ B
SAQ B-IP			^#
SAQ A-EP			⁺
SAQ A
Purchase the required test

* Or after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
** Or after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment).
# Only required for testing network segmentation if any is present.
+ Only external penetration test required.
++ For service providers any network segmentation must be tested every six months
₁ Or after any change to the application. Applicable if developing own applications or using a 3rd party non-PCI-certified web application

Further information

Why choose us?

You receive a tailored assessment that applies to your business and relevant threats, not a generic assessment of theoretical risks.
You work with CREST-qualified consultants experienced in infrastructure and application penetration testing.
We combine a number of advanced manual tests with automated vulnerability scans to ensure all critical vulnerabilities are identified.
You receive a clear report that prioritises the risks relevant to your organisation so you can easily remediate any vulnerabilities.

Speak to an expert

Please contact us for further information or to speak to an expert.

Customer Reviews

(0# of Ratings:)

(Only registered customers can rate)