If you are new to PCI, then check out our PCI DSS information page here.
PCI DSS Penetration Testing Information
Many organisations do not realise that PCI DSS Requirements 6.6 and 11.3 call for penetration testing, over and above the external and internal vulnerability assessments required by PCI DSS Requirement 11.2.
The table below shows what PCI DSS Requirements 6.6 and 11.3 specify as to what needs testing and when.
Our existing penetration testing services map directly onto your PCI DSS requirements, so each test type in the table below links to the relevant testing page on our website.
Our web application tests comply with PCI DSS Requirement 6.6: "Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes".
Our external and internal penetration tests comply with PCI DSS Requirement 11.3: "Penetration testing should include network and application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside
Our primary deliverable is a report, tailored to your requirements, that sets out the vulnerabilities found and the solutions for them, so you can address these before insiders or hackers do.
We also undertake:
- PCI DSS Consultancy: We have now undertaken PCI consultancy work for many clients and for a variety of reasons. Some clients are uncertain about the requirements and the scope of work they need to complete in order to obtain or maintain compliance with PCI DSS. Others are unsure how to implement the technologies required by the standard, such as encryption key management. Our in-depth knowledge of the standard itself, and of the various technologies, can also help to reduce the headaches that the PCI DSS compliance process can cause. Another aspect of the PCI consultancy services we offer is outlined below.
- Analysis of Reports & False Positives: We are often approached by clients who simply do not understand the varied reports produced by PCI scanning vendors and need help interpreting the findings. In addition, we are often called upon to verify results produced by PCI Scanning Vendors which indicate that a client is not PCI compliant. In some cases we have found that the results that led to a verdict of non-compliance were in fact false positives, which we determine by specifically testing the "offending" site or system for the supposed vulnerability. This enables the client to go back to their scanning vendor and argue the case for false positives, which can result in the scanning vendor properly verifying the results, finding that they agree with us, and changing the PCI scan result to compliant! So even if you don't use us for testing (and most people end up using us), we can still help!
- PCI ASV Testing: We recommend QualysGuard PCI for ASV Testing. It has the lowest rate of false positives we have seen so far, and we can put you in touch with our representative at Qualys to ensure you obtain the service you require. Please click here for more information about