Retail & PCI
Our Pentesting Methodology is Designed for PCI
Raxis performs manual pentesting to meet PCI-DSS requirements and works closely with your Qualified Security Assessor (QSA) to ensure that the compliance standards are met for your in-scope systems. We're different from many pentesting companies because we work as an extension of your team. Our goal is to help you improve security for your cardholder data while also satisfying the PCI requirement, so the more detail you can give your pentester about your application and systems, the better the result for everyone.
Raxis PCI customers include brick-and-mortar retailers, large media providers, and online shopping websites. Our team has an extensive background in retail and has performed numerous PCI penetration tests. In addition, most of our team members have worked in information security supporting retail at some point in their careers. We have often seen PCI pentests over-scoped beyond what is necessary, generating higher costs and a significant remediation effort for all involved. Raxis works closely with your team so that only the appropriate PCI-scoped systems are tested and properly fixed, meeting all compliance requirements while conserving significant time and cost.
Contact us and we'll be glad to help customize a quote to meet your needs.
Raxis is trusted by the world's most respected organizations.
PCI Compliance Requirements
The Payment Card Industry (PCI) has required pentesting for compliance since July 2015 as part of PCI-DSS Requirement 11.3. This differs from a vulnerability scan in that a pentest attempts to exploit the vulnerabilities it discovers. This ensures that findings are not false positives, as each is supported by screenshots and data exfiltration evidence. In addition, PCI-DSS 11.3.4 requires that segmentation checks be performed to confirm that any segmentation in use remains effective and valid. Segmentation checks may not be performed by those who manage the Cardholder Data Environment (CDE) and should be performed by a third party.
PCI Pentest Scope
Based upon the specifications prescribed by PCI DSS 11.3, our pentester performs a comprehensive penetration test of the Cardholder Data Environment (CDE) perimeter and any systems that could impact the security of the CDE. This includes any system that processes, stores, or transmits credit card information. This is often referred to as the PCI segment, and it is usually completely separated from other out-of-scope systems that do not handle cardholder data. As part of the PCI pentest, Raxis tests segmentation of the PCI segment and verifies that out-of-scope systems remain completely separate from the CDE. We work closely with your team to determine the appropriate scope of the environment so that the time and cost of the PCI pentest are appropriate.
A simulated attack on your Cardholder Data Environment designed to find security vulnerabilities you didn't know existed.
Test the human element and discover weaknesses in your visitor and vendor processes that you never knew you had.