PCI Penetration Testing is Different

We get it. You need PCI sign-off so you can get back to business. You want it done fast and done right, because you know that just checking the box will not keep you safe from hackers.

A quick Google search reveals many different vendors. How can you choose? Whether or not you use Raxis, we'd suggest you select a vendor that has experience performing PCI penetration tests. From network segmentation to compensating controls, it's important to understand what your PCI auditor is looking for to avoid costly delays and endless re-testing.

Raxis guides you through the process to ensure you achieve your PCI goals, while strengthening your cybersecurity posture.

FACT

Building a solid, secure API isn't easy, and neither is testing it.

RAXIS REMEDY

Raxis can help you make sure that you're not left exposed to cybersecurity threats.

We'll help you figure out which box you need

Black-box

No information is provided by the client: no IP addresses, no applications, or system descriptions. Although it’s the most realistic form of pentesting and used frequently on other tests, the black-box pentest is not very useful for PCI pentesting. That’s because the goal isn’t to simply find and exploit a weak point (as our Raxis Red Team does). Instead, our goal is to gain a holistic understanding of your security so that you can shore up every vulnerability.

White-box

The customer provides full details of the network and applications deemed in scope. Normally this includes IP ranges and application descriptions in order to focus the testing on a particular area. This is common in PCI pentesting and is very helpful in finding security gaps within applications that handle credit card data. The Raxis Pentest Team prefers this style of testing for PCI, as it often uncovers security risks that were previously unknown to the customer.

Grey-box

The customer provides partial details of the in-scope assets. In a grey-box test, we are typically given an IP range to ensure we are testing the right resources, but nothing else is disclosed. This is also common in PCI pentesting and is helpful in determining security risks on secondary systems that might be located within the PCI in-scope network segment.

PCI compliance is a big part of what we do to keep our customers safe

Raxis has been performing PCI penetration testing since 2011, and we know from experience and exhaustive review what you need to stay compliant and secure. There are many lower cost providers out there, but please understand this is not something that you should “check the box” on. A low quality pentest will likely miss critical findings that you could have easily resolved, leaving you exposed to a real hack that leaves your systems offline.

A pentest is not a vulnerability scan, and PCI uses them differently. Passing a penetration test means the tester was unable to exploit any aspect of your PCI in-scope systems, as required by your category. By contrast, a vulnerability scan validates that your security controls are operating properly, and a scan has a different set of requirements depending on the category assigned to your organization. Further, the skills required for penetration testing and vulnerability scanning are not the same. While Raxis can provide scans as needed, our team specializes in penetration testing, and Raxis is ready to provide you with a fully comprehensive penetration test.

What does a PCI Penetration Test need?

  • Penetration Testing performed twice a year, or any time a major change is made to the PCI in-scope environment
  • PCI penetration testing must be performed both externally and internally
  • A clear definition of PCI in-scope and out-of-scope assets
  • Application-level penetration testing from the perspective of defined roles to ensure protection against privilege escalation
  • Penetration testing must be performed by an engineer; automated penetration testing is not acceptable
  • Segmentation testing to prove separation between PCI in-scope and out-of-scope assets
  • A report meeting PCI standards to document findings and recommended remediation efforts
  • Included re-test to validate remediation

Is PTaaS Acceptable for PCI?

If you're using Raxis, absolutely. Our PTaaS offering performs two manual penetration tests per year, which meets PCI requirements. We'll perform segmentation testing and application-level testing, and provide a PCI-compliant report.

Unlike many others that provide an automated scan, Raxis PTaaS is manual pentesting using a web portal for communication, report delivery, and asset tracking.

[Image: AJC newspaper article featuring Raxis]
Sharpe, Joshua. "Pay them to hack you." The Atlanta Journal-Constitution, 17 January 2021, p. D1.

PCI-DSS v3.2.1 Pentesting

Electronic payments continue to be a primary target for hackers across the globe. We see this firsthand on systems at our customer sites. To combat this, the Payment Card Industry Security Standards Council has established the Data Security Standard (PCI-DSS), which requires periodic penetration testing of all in-scope assets as covered in PCI-DSS Requirement 11.3. This isn’t the same as a vulnerability scan that you may also be required to perform. PCI penetration testing is usually restricted to the PCI in-scope network segment and closely examines systems that could potentially access or alter credit card data.

Pentesting standards in use or in transition until March 31, 2024

11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.3.3 Exploitable vulnerabilities found during penetration testing are corrected, and testing is repeated to verify the corrections.

11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out of scope systems from systems in the CDE.

PCI-DSS v4 Pentesting

Raxis provides top-tier PCI pentest services designed to meet the PCI-DSS standards while working within aggressive business timelines. Though we are faster than our competition, we don’t cut corners. Instead, we’ve streamlined our sales process, implemented faster scheduling, and developed a tried-and-true process for quality reviews. In addition, we include remediation testing with our PCI pentest package, which means we also provide the report you need to submit to your QSA.

Pentesting standards in use as of March 31, 2022

11.4.1 Define company standards for internal and external penetration testing and review findings every 12 months.

11.4.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.4.3 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.4.4 Correct any findings from penetration testing activities as recommended and repeat penetration testing.

11.4.5 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out of scope systems from systems in the CDE.

11.4.6 For service providers, if segmentation is used to isolate the CDE from other networks, perform penetration tests at least every six months and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out of scope systems from systems in the CDE.

tl;dr

PCI Penetration Test Specifications

  • Powered by Raxis One, a secure web interface for all Raxis services
  • Meets or exceeds PCI Penetration Testing requirements
  • Raxis utilizes the same tools and techniques as a blackhat hacker, customized for API attacks
  • Predictable timeline for the assessment
  • Exploitation, pivoting to other in-scope systems, and data exfiltration in scope
  • Fully PCI compliant report
  • Included re-test to validate remediation
  • All Raxis tests are based on the MITRE ATT&CK penetration testing framework
  • Meets or exceeds requirements for NIST 800-53, NIST 800-171/CMMC, PCI, HIPAA, GLBA, ISO 27001, and SOX compliance
  • Available as a one-time service, multi-year agreement, or continuous monitoring/Penetration Testing as a Service
  • Self-managed testing via the Raxis One portal
©2023 Raxis LLC - All rights reserved.