Select Page
CHECK penetration testing assurance logo
Cyber Essentials logo
Cyber Essentials logo

If your organisation stores or processes card details, you need to comply with the worldwide Payment Card Industry Data Security Standard (PCI DSS) in order to safeguard information.

Regular security testing is necessary – it’s clearly outlined in ‘Requirement 11: Regularly test security systems and processes’, which states the need to ‘implement a methodology for penetration testing’.

It can also be difficult to get to grips with the detail behind the many requirements of this payment standard. This is where our expert team can help you satisfy regulators.

A female solutions architect looks straight ahead as a reflection of a computer screen demonstrates her consideration of cyber solutions.

Penetration Testing is a requirement

PCI DSS centres around protecting cardholder data, setting out tight controls surrounding the storage, transmission and processing of financial information handled by businesses.

This information is also considered Personally Identifiable Information (PII) and is therefore covered by GDPR, meaning that the fines following a breach are now considerably larger than they previously were.

You must provide evidence of both network and application penetration tests to achieve compliance with this standard. If not, you risk hefty financial penalties.

Annual external and internal network infrastructure tests, as well as application penetration tests must be carried out on all systems, alongside additional tests following any changes.

These tests lay the foundations for maintaining strict security measures and developing a robust strategy to safeguard payment data and become compliant with PCI DSS.

11.3 Implement a Methodology for Penetration Testing

  • Based on industry-accepted pen testing approaches
  • Includes coverage for the CDE perimeter and critical systems
  • Includes testing of internal and external networks and validation of segmentation and scope-reduction controls
  • Defines application-layer penetration tests and network-layer penetration tests including components that support network functions and operating systems
  • Includes a review of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of pen testing results and remediation activities

Factors that Affect the Security of Your Product

  • Pressure on development teams to build better, more feature-rich software to ever-tightening deadlines means that security is often an afterthought.
  • Increased reliance on third-party software components and offshore development houses can increase the attack surface and result in unforeseen back doors in your application.
  • Traditional monolithic applications are being replaced by bespoke or niche high-volume micro development projects which are more difficult to secure, manage and maintain.
  • Agile and rapid development techniques lead to compressed release and test schedules which require innovative solutions to incorporate security testing without introducing unacceptable delays & costs.


How We Work

Robust Security Makes Compliance Simple 

Implementing good security practices can mean that compliance with PCI DSS is a given.

Showing that you have robust security strategies in place, and that they are continuously being tested and maintained, will help you safeguard sensitive payment data and evidence that you are adhering to the requirements of PCI DSS.

Other Services

Colleagues discussing something

Web Application Testing

Mobile Application Testing

Product Assessment

Web application attacks range in size and complexity, from the exploitation of vulnerable open source components, to app-specific attacks which take advantage of user controls. Internal web applications are at risk too, from disgruntled or malicious users who may find loopholes and use their position to wreak havoc. Learn more >
86% of mobile applications have at least one vulnerability violating the OWASP Top 10. If these issues are exploited by cyber criminals or malicious users, it can have serious implications for an organisation, in terms of both cost and reputational damage. Learn more >
If you develop a software product or service, are you confident that it’s as secure as it can be? Your clients rely on you to keep their data secure, so if you’ve not had your product or service independently assessed, your reputation is at risk if a vulnerability is discovered. Learn more >