PCI DSS Testing
The Payment Card Industry Data Security Standard (PCI DSS) is an industry standard for the merchant handling and storing of credit and debit card transactions to protect card holders against misuse of their personal information.
We offer full penetration testing services for your cardholder data environment (CDE) to assist with your PCI DSS compliance. We can work with your Qualified Security Assessor (QSA) to ensure all requirements are being met.
The Payment Card Industry Data Security Standard (PCI DSS) version 3.2 requires that regular security testing is conducted.
Requirement 11.3 states that penetration testing should be conducted on both external and internal systems to ensure requirements are met.
We are able to conduct penetration testing to assist with your PCI DSS compliance, examples of the most common tests are listed below:
- Internal penetration testing/vulnerability testing
- Internal vulnerability testing, infrastructure and application penetration testing
- Internal Cardholder Data Environment (CDE) segregation testing
- Ensure that the CDE is fully segregated between non CDE and CDE networks
- External penetration testing
- External vulnerability testing, infrastructure and application penetration testing
Armadillo Sec are a CREST certified testing body and we are accredited to operate as a CHECK service provider. All of our testers are certified by CREST and our senior consultants are certified by CREST to the highest CCT Level. Our testers are also CHECK Team Leaders (CTL’s) or CHECK Team Members (CTM’s) and are approved to conduct government CHECK testing.
Our team have many years experience conducting a broad range of government and commercial tests and always aim to go the extra mile for our customers.
Frequently Asked Questions
All our testers are certified by CREST and our senior consultants are certified by CREST to the highest CCT level.
|CREST Certifications||Certified Testers|
|Practitioner Security Analysts||Yes|
|Registered Penetration Testers||Yes|
|Certified Web Application Testers||Yes|
|Certified Infrastructure Testers||Yes|
Our CREST member status can be viewed, along with the certified tester types we have on the below link:
Our testers are also CHECK Team Leaders (CTL's) or CHECK Team Members (CTM's) and are approved to conduct government CHECK testing.
|CHECK Status||Certified Testers|
|CHECK Team Member (CTM)||Yes|
|CHECK Team Leader (CTL) - Infrastructure||Yes|
|CHECK Team Leader (CTL) - Applications||Yes|
Our CHECK status can be viewed on the below link:
The PCI DSS standard determines how regularly you are required to perform testing. The current standard (Version 3.2) states that internal segmentation tests should be conducted every 12 months for merchants (six months for merchant service providers), and external ASV scans conducted every 3 months.
Any major changes to the environment or if retesting is required for previous conducted tests this can increase the frequency required. The exact requirements should be defined by your Qualified Security Assessor (QSA) handing the PCI DSS compliance.
PCI DSS penetration testing prices are based on the number of hosts/systems/networks that are required to be scanned, and if the systems are externally facing to the Internet and/or if internal to your network, therefore there is not an off-the-shelf price for PCI DSS testing.
For each project we will technically scope your requirements and establish the time needed to complete the work. We will then provide a detailed proposal and breakdown of costs and options.
We supply a full penetration testing report for PCI DSS penetration testing, which covers the following:
- Executive management summary - Non technical overview of issues for management board level
- Detailed technical findings - A complete list of all issues identified
- Affected hosts - A list of all hosts affected, including the associated network port
- Risk level - Impact, likelihood and overall risk ratings are listed for each issue
- Examples - Output or screenshots to demonstrate the issue
- Recommendations - Recommendations of how to remediate the issues, including any reference to documents that can assist
A sample report can be supplied upon request.
We have a full methodology for all testing services we provide, which is supplied with each project proposal. This outlines the testing steps and all the requirements in order to deliver the test.