PCI Penetration Testing
We get it. You need PCI sign-off so you can get back to business. You want it done fast and done right, because you know that just checking the box will not keep you safe from hackers.
That’s where we come in.
For your sake, don't just check the box.
While there may be lower cost options to get the checkbox completed, a mistake here can prove to be very costly. You can't patch what you don't know is broken.
Photo by: Raxis, LLC
Sharpe, Joshua. "Pay them to hack you." The Atlanta Journal-Constitution, 17 January 2021, p. D1.
Sharpe, Joshua. "Pay them to hack you." The Atlanta Journal-Constitution, 17 January 2021, p. D1.
How Can Raxis Help with PCI Compliance?
Raxis has been performing PCI penetration testing since 2011, and we know from experience and exhaustive review what you need to stay compliant and secure. There are many lower cost providers out there, but please understand this is not something that you should “check the box” on. A low quality pentest will likely miss critical findings that you could have easily resolved, leaving you exposed to a real hack that leaves your systems offline.
A pentest is not a vulnerability scan, and PCI uses them differently. Passing a penetration test means the tester was unable to exploit any aspects of your PCI inscope systems as required by your category. By contrast, a vulnerability scan validates that your security controls are operating properly, and a scan has a different set of requirements depending on the category assigned to your organization. Further, the skills required for penetration testing vs. vulnerability scanning are not the same. While Raxis can provide scans as needed, our team specializes in penetration testing, and Raxis is ready to provide you with a fully comprehensive penetration test.
Contact UsWhat Type of PCI Pentest do I need?
White-box
The customer provides full details of the network and applications deemed in scope. Normally this includes IP ranges and application descriptions in order to focus the testing on a particular area. This is common in PCI pentesting and is very helpful in finding security gaps within applications that handle credit card data. The Raxis Pentest Team prefers this style of testing for PCI, as it is often uncovers security risks that were previously unknown to the customer.
Grey-box
The customer provides partial details of the in scope assets. In a grey-box test, typically we are provided an IP range to ensure we are testing the right resources, however nothing else is disclosed. This is also common in PCI pentesting and is helpful in determining security risks on secondary systems that might be located within the PCI in scope network segment.
PCI-DSS v3.2.1 Pentesting
Electronic payments continue to be a primary target for hackers across the globe. We see this firsthand as revealed from systems at our customer sites. To combat this, the Payment Card Industry Security Standards Council has established Data Security Standards (PCI-DSS) that require periodic penetration testing of all inscope assets as covered in PCI-DSS Requirement 11.3. This isn’t the same as a vulnerability scan that you may be required to also perform. PCI penetration testing is usually restricted to the PCI inscope network segment and closely examines systems that could potentially access or alter credit card data.
Pentesting standards in use or in transition until March 31, 2024
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected, and testing is repeated to verify the corrections.
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out of scope systems from systems in the CDE.
PCI-DSS v4 Pentesting
Raxis provides top tier PCI pentest services designed to meet the PCI-DSS standards while working within aggressive business timelines. Though we are faster than our competition, we don’t cut corners. Instead, we’ve stTeamlined our sales process, implemented faster scheduling, and developed a tried-and-true process for quality reviews. In addition, we include remediation testing with our PCI pentest package, which means we also provide the report you need to submit to your QSA.
Pentesting standards in use as of March 31, 2022
11.4.1 Define company standards for internal and external penetration testing and review findings every 12 months.
11.4.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.4.3 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.4.4 Correct any findings from penetration testing activities as recommended and repeat penetration testing.
11.4.5 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out of scope systems from systems in the CDE.
11.4.6 For service providers, if segmentation is used to isolate the CDE from other networks, perform penetration tests at least every six months and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out of scope systems from systems in the CDE.
