Overview: PCI Penetration Testing
Raxis performs manual pentesting to meet PCI-DSS requirements and will work closely with your Qualified Security Assessor (QSA) to ensure that the compliance standards are met for your in scope systems. We're different from many pentesting companies because we work as extension of your team. Our goal is to help you improve security for your cardholder data while also satisfying the PCI requirement, so the more detail you can provide your pentester about your application and systems, the better it is for everyone.
Why Choose Raxis?
Raxis PCI customers include brick and mortar retailers, large media providers, and online shopping websites. Our team has an extensive background with retail and have performed numerous PCI penetration tests. In addition, most of our team have worked in information security supporting retail at some point in their career. We've seen many times where PCI pentests have been over-scoped beyond what is necessary, generating higher costs and a significant remediation effort for all involved. Raxis will work closely with your team to ensure that only the appropriate PCI scoped systems are tested and properly fixed to ensure that all compliance regulations are met, conserving significant time and cost.
Understanding the PCI Pentest
Compliance Requirements
The Payment Card Industry (PCI) requires that pentesting be completed for compliance as of July 2015 as part of PCI-DSS Requirement 11.3. This is different from a vulnerability scan in the sense that a pentest will attempt to breach the security vulnerabilities that are discovered. This ensures that any findings are not false-positives as each will be supported by screenshots and data exfiltration evidence. In addition, PCI-DSS 11.3.4 requires that segmentation checks be performed to confirm that any segmentation used remains effective and valid. Segmentation checks may not be performed by management of the Cardholder Data Environment (CDE) and should be performed by a third party.
Scope
Based upon specifications prescribed by PCI DSS 11.3, our pentester will perform a comprehensive penetration test of the Cardholder Data Environment (CDE) perimeter and any systems that could impact the security of the CDE. This includes any system that processes, stores, or transmits credit card information. Often this is referred to as the PCI segment, and it usually is completely separated from other out-of-scope systems that do not handle cardholder data. As part of the PCI pentest, Raxis will test segmentation of the PCI segment and ensure that out-of-scope systems remain completely separate from the CDE. We'll work closely with your team to determine the appropriate scope of the environment to ensure that time and cost is appropriate for the PCI pentest.
PCI Penetration Testing Features
- Reviewing the business process used by applications to ensure security and confidentiality of PCI in scope assets
- Exploiting vulnerabilities in PCI systems to gain further system access or cardholder data
- Experienced in pentesting against cloud environments such as Amazon Web Services (AWS) and Azure
- Brute forcing of available login forms such as webpages and other remote services
- Testing malicious injections and session mismanagement on available websites
- Working closely with your remediation team to ensure findings are addressed for compliance documentation
- Documenting successful and failed attempts to access customer records for compliance use
- And, if obtained, cracking of password hashes to be leveraged for additional access
Download our Penetration Testing Service Brief (PDF) for more information.
Transporter Remote Access
Raxis Transporter provides an easy to deploy "virtual wire" network connection to our manual penetration testers, vulnerability assessors, and R3 incident response team.
On-Site Penetration Testing
Sometimes it's necessary to be on-site to get access to internal networks or examine a breach first hand. No problem, our consultants will fly to you.
A Smarter Way to Stay Secure
Learn how hacking can help find and fix security gaps you never knew about.
