We get it. You need PCI sign-off so you can get back to business. You want it done fast and done right, because you know that just checking the box will not keep you safe from hackers.
A quick Google search reveals so many different vendors. How can you choose? Regardless of using Raxis or not, we'd suggest you select a vendor that has experience with performing PCI penetration tests. From network segmentation to compensating controls, it's important to understand what your PCI auditor is looking for to avoid costly delays and endless re-testing.
Raxis guides you through the process to ensure you achieve your PCI goals, while strengthening your cybersecurity posture.
Building a solid, secure API isn't easy, and neither is testing it.
Raxis can help you make sure that you're not left exposed to cybersecurity threats.
No information is provided by the client: no IP addresses, no applications, or system descriptions. Although it’s the most realistic form of pentesting and used frequently on other tests, the black-box pentest is not very useful for PCI pentesting. That’s because the goal isn’t to simply find and exploit a weak point (as our Raxis Red Team does). Instead, our goal is to gain a holistic understanding of your security so that you can shore up every vulnerability.
The customer provides full details of the network and applications deemed in scope. Normally this includes IP ranges and application descriptions in order to focus the testing on a particular area. This is common in PCI pentesting and is very helpful in finding security gaps within applications that handle credit card data. The Raxis Pentest Team prefers this style of testing for PCI, as it is often uncovers security risks that were previously unknown to the customer.
The customer provides partial details of the in scope assets. In a grey-box test, typically we are provided an IP range to ensure we are testing the right resources, however nothing else is disclosed. This is also common in PCI pentesting and is helpful in determining security risks on secondary systems that might be located within the PCI in scope network segment.
Raxis has been performing PCI penetration testing since 2011, and we know from experience and exhaustive review what you need to stay compliant and secure. There are many lower cost providers out there, but please understand this is not something that you should “check the box” on. A low quality pentest will likely miss critical findings that you could have easily resolved, leaving you exposed to a real hack that leaves your systems offline.
A pentest is not a vulnerability scan, and PCI uses them differently. Passing a penetration test means the tester was unable to exploit any aspects of your PCI inscope systems as required by your category. By contrast, a vulnerability scan validates that your security controls are operating properly, and a scan has a different set of requirements depending on the category assigned to your organization. Further, the skills required for penetration testing vs. vulnerability scanning are not the same. While Raxis can provide scans as needed, our team specializes in penetration testing, and Raxis is ready to provide you with a fully comprehensive penetration test.
If you're using Raxis, absolutely. Our PTaaS offering performs two manual penetration tests per year, which meets PCI requirements. We'll perform segmentation testing, application level testing, and provide a PCI compliant report.
Unlike many others that provide an automated scan, Raxis PTaaS is manual pentesting using a web portal for communication, report delivery, and asset tracking.
Electronic payments continue to be a primary target for hackers across the globe. We see this firsthand as revealed from systems at our customer sites. To combat this, the Payment Card Industry Security Standards Council has established Data Security Standards (PCI-DSS) that require periodic penetration testing of all inscope assets as covered in PCI-DSS Requirement 11.3. This isn’t the same as a vulnerability scan that you may be required to also perform. PCI penetration testing is usually restricted to the PCI inscope network segment and closely examines systems that could potentially access or alter credit card data.
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected, and testing is repeated to verify the corrections.
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out of scope systems from systems in the CDE.
Raxis provides top tier PCI pentest services designed to meet the PCI-DSS standards while working within aggressive business timelines. Though we are faster than our competition, we don’t cut corners. Instead, we’ve stTeamlined our sales process, implemented faster scheduling, and developed a tried-and-true process for quality reviews. In addition, we include remediation testing with our PCI pentest package, which means we also provide the report you need to submit to your QSA.
11.4.1 Define company standards for internal and external penetration testing and review findings every 12 months.
11.4.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.4.3 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.4.4 Correct any findings from penetration testing activities as recommended and repeat penetration testing.
11.4.5 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out of scope systems from systems in the CDE.
11.4.6 For service providers, if segmentation is used to isolate the CDE from other networks, perform penetration tests at least every six months and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out of scope systems from systems in the CDE.