Penetration testing for PCI DSS.
PCI DSS is one of the few standards that spells penetration testing out. Requirement 11.4 calls for internal and external testing, at least annually and after significant change, plus testing that your segmentation holds. We do that testing, to CREST standards. We are not your QSA and we are not an ASV: those are separate roles, and the quarterly ASV scan is a different thing again.
What PCI DSS asks for.
Independent testing is a big part of how you satisfy it. On the testing side, this is what the process expects.
- Requirement 11.4: external and internal penetration testing, at least annually and after significant change
- Segmentation testing to confirm your cardholder data environment is isolated
- Testing at both the network and application layers
- Findings corrected and re-tested
Who does what.
A penetration test is one piece of the picture. Here is the clean line between the testing we do and the certification a separate, independent party provides.
We do the testing
- PCI-scoped external and internal penetration testing, by CREST-certified testers
- Segmentation testing of your cardholder data environment
- A report your QSA can rely on, plus a free retest of critical and high findings
They do the rest
- The PCI DSS assessment and Report on Compliance or SAQ
- The quarterly ASV scans, run by a separate approved scanning vendor
PCI DSS, answered.
Straight answers to what clients ask most.
Does PCI DSS require penetration testing?
Yes. Requirement 11.4 requires external and internal penetration testing at least annually and after any significant change, plus testing that your segmentation is effective. We provide all of that.
Are you a QSA or an ASV?
No. We are the penetration testers. A QSA runs the PCI assessment and an ASV runs the quarterly external scans; both are separate roles. We do the manual penetration testing that Requirement 11.4 calls for, and our report is written so your QSA can rely on it.
Do you test segmentation?
Yes. Confirming that your cardholder data environment is properly segmented from the rest of your network is a core part of PCI penetration testing, and we do it on every PCI-scoped engagement.
Need a pen test for PCI DSS?
Tell us where you are in the process and who is asking. We will come back within one working day with a suggested approach and a fixed-price scope, with no sales theatre.