PCI Penetration Test

Working towards PCI DSS Compliance? Let us assist with the penetration testing.


Service

If you are handling credit card information, you are likely required to comply with the requirements set forth by the Payment Card Industry (PCI). To be compliant, you need to be certified, and as part of the certification process a scoped penetration test of systems related to the Cardholder Data Environment (CDE) is required. We can deliver this independent penetration test.

We provide an independent penetration test of the CDE and related systems within a scope defined or accepted by the PCI Assessor.


Value

  • Independent penetration test of the CDE.

  • The penetration test can be used by the PCI Assessor to verify technical PCI compliance.

Deliverables

  • A report which follows the requirements from PCI and can be used by the PCI Assessor to verify whether the security level of the CDE is sufficient.

  • Debriefing session with you or the PCI Assessor if needed.



Methodology

Our penetration testing methodology is based on and follows the Penetration Testing Guidance and the Guidance for PCI DSS Scoping and Network Segmentation supplement documents from the PCI Security Standards Council. It is enhanced with our specialized knowledge of hacking and techniques used to compromise systems and networks, along with OWASP and NIST's guidelines on Information Security Testing and Assessment. Finally, it is adjusted to the specific requirements of the PCI Assessor.

Overall, the scope will cover internal, external, application-layer and network-layer penetration tests of the CDE and connected systems. Below are examples of areas that are usually within scope, but ultimately the PCI Assessor defines the scope.

  • Network segmentation and segregation of the CDE (Cardholder Data Environment).

  • Exposed ports and services on systems outside the CDE that have access to the CDE.

  • Use of protective mechanisms to ensure the confidentiality of cardholder data (CHD) and sensitive authentication data (SAD) passing from external systems into the CDE, such as masking of card data or use of encryption.

  • Review of encryption/decryption scheme and key storage along with access to those keys.

  • Penetration test of systems in the CDE to identify vulnerabilities accessible from outside and from inside the CDE at both the application and network layer, including any remote access connections.

  • Testing of CDE applications will be performed against every role or access type that does not have explicit authorization to cardholder data, to verify that accounts without such access cannot compromise that data.

  • Attempts at breaking out of the software interface at a Point-of-Interaction (POI) and obtaining access to the underlying operating system.


Involvement

The delivery requires minimal involvement of your technical staff and will primarily consist of a kick-off meeting when starting the project, and occasional questions.
