PCI DSS Testing
The Payment Card Industry Data Security Standard (PCI DSS) is an industry standard governing how merchants handle and store credit and debit card transaction data, to protect cardholders against misuse of their personal information.
We offer full penetration testing services for your cardholder data environment (CDE) and ASV scanning to assist with your PCI DSS compliance. We can work with your Qualified Security Assessor (QSA) to ensure all requirements are being met.
The Payment Card Industry Data Security Standard (PCI DSS) version 3.2 requires that regular security testing be conducted.
Requirement 11.3 states that penetration testing should be conducted on both external and internal systems to ensure the requirements are met.
We are able to conduct penetration testing to assist with your PCI DSS compliance; examples of the most common tests are listed below:
- Internal penetration testing/vulnerability testing
  - Internal vulnerability testing, infrastructure and application penetration testing
- Internal Cardholder Data Environment (CDE) segregation testing
  - Ensure that the CDE is fully segregated from non-CDE networks
- External penetration testing
  - External vulnerability testing, infrastructure and application penetration testing
- External official ASV scanning
  - External official ASV scanning via our third-party, self-managed, automated ASV scanning platform
Armadillo Sec are a CREST approved member company and our security consultants are fully certified by CREST to the highest level in application and infrastructure testing. This allows our consultants to give complete assurance when testing any element of your environment. We have many years of experience leading large, complex government and commercial cyber security tests. Our lead consultants will work with you from start to finish on the project to ensure all requirements are met.
Frequently Asked Questions
Our testers are fully certified by CREST to the highest CCT level in both application and infrastructure testing.
Our CREST member status, along with the certified tester types we have, can be viewed via the link below:
The PCI DSS standard determines how regularly you are required to perform testing. The current standard (Version 3.2) states that internal segmentation tests should be conducted every 12 months for merchants (six months for merchant service providers), and external ASV scans conducted every 3 months.
Major changes to the environment, or retesting required for previously conducted tests, can increase the frequency required. The exact requirements should be defined by the Qualified Security Assessor (QSA) handling your PCI DSS compliance.
PCI DSS penetration testing prices are based on the number of hosts, systems and networks that need to be tested, and on whether those systems are externally facing to the Internet and/or internal to your network; there is therefore no off-the-shelf price for PCI DSS testing.
For each project we will technically scope your requirements and establish the time needed to complete the work. We will then provide a detailed proposal and breakdown of costs and options.
We supply a full penetration testing report for PCI DSS penetration testing, which covers the following:
- Executive management summary - Non-technical overview of issues for management at board level
- Detailed technical findings - A complete list of all issues identified
- Affected hosts - A list of all hosts affected, including the associated network port
- Risk level - Impact, likelihood and overall risk ratings are listed for each issue
- Examples - Output or screenshots to demonstrate the issue
- Recommendations - Recommendations on how to remediate the issues, including references to any documents that can assist
A sample report can be supplied upon request.
We have a full methodology for all the testing services we provide, which is supplied with each project proposal. It outlines the testing steps and all the requirements needed to deliver the test.