PCI Penetration Testing
Stay safe by going beyond “check box” security
PCI Penetration Testing has specific requirements
We get it. You need PCI sign-off so you can get back to business. You want it done fast and done right, because you know that just checking the box will not keep you safe from hackers.
A quick Google search reveals many different vendors. How can you choose? Whether or not you use Raxis, we suggest you select a vendor with experience performing PCI penetration tests. From network segmentation to compensating controls, it’s important to understand what your PCI auditor is looking for in order to avoid costly delays and endless re-testing.
PCI compliance is a big part of what we do to keep our customers safe
Raxis has been performing PCI penetration testing since 2011, and we know from experience and exhaustive review what you need to stay compliant and secure. There are many lower-cost providers out there, but please understand that this is not something you should “check the box” on. A low-quality pentest will likely miss critical findings that you could have easily resolved, leaving you exposed to a real attack that takes your systems offline.
A pentest is not a vulnerability scan, and PCI uses them differently. Passing a penetration test means the tester was unable to exploit any aspect of your PCI in-scope systems, as required by your category. By contrast, a vulnerability scan validates that your security controls are operating properly, and a scan has a different set of requirements depending on the category assigned to your organization. Further, the skills required for penetration testing and vulnerability scanning are not the same. While Raxis can provide scans as needed, our team specializes in penetration testing, and Raxis is ready to provide you with a fully comprehensive penetration test.
PCI-DSS v4 Penetration Test Requirements
Effective March 31, 2022
11.4.1 Define company standards for internal and external penetration testing and review findings every 12 months.
11.4.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.4.3 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.4.4 Correct any findings from penetration testing activities as recommended and repeat penetration testing.
11.4.5 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out-of-scope systems from systems in the CDE.
11.4.6 For service providers, if segmentation is used to isolate the CDE from other networks, perform penetration tests at least every six months and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out-of-scope systems from systems in the CDE.