PCI Penetration Testing to Protect Customer Data – and Your Business – from a Breach

Conducting a penetration test allows you to discover the vulnerabilities in your IT infrastructure and correct them before they can be exploited by hackers and other hostile actors. Penetration testing is one of the oldest and most trusted methods for assessing security risk: it simulates a real-world attack using the tools and techniques employed by actual attackers, and it provides realistic examples of how an attacker could compromise sensitive data. A PCI Penetration Test involves the technical testing of your internal information resources and your externally accessible networks, firewalls, IDS, routers, switches, servers and services as they pertain to your business's credit card environment.


Contact Us for a FREE Consultation


The Compliance Overview

PCI DSS Requirement 11, commonly referred to as the "pentest requirement," mandates that any company that processes, stores, or transmits electronic card transactions conduct a PCI penetration test at least annually. The requirement also states that organizations must conduct a penetration test after every significant change to network infrastructure or applications. What is deemed "significant" depends heavily on the entity's risk assessment process and on its particular IT environment. Penetration testing of such changes verifies that the controls assumed to be in place continue to work effectively after the upgrade or modification.

Important Dates

  • March 2015: The PCI Security Standards Council (SSC) released supplemental guidance, Information Supplement: Penetration Testing Guidance, effective July 1, 2015.
  • July 2015: PCI Penetration Testing requirements become official, making pen tests mandatory for compliance.


The cprlorca Solution

To better equip organizations to prevent cybersecurity attacks and maintain PCI compliance as regulations change, cprlorca delivers a best-practice security-testing methodology covering the entire Cardholder Data Environment (CDE) perimeter, any critical systems that may affect the security of the CDE, and all environments that are in scope for PCI DSS 3.1. This includes the external perimeter (public-facing attack surfaces). A cprlorca PCI Penetration Test also includes access to TraceCSO vulnerability management and reporting capabilities.

A cprlorca PCI Penetration Testing engagement includes:
  • Engagement Interview
  • Network Documentation Collection
  • Network Scope
  • Segmentation Checks
  • Application and Network Testing
  • Immediate Notification of Critical Risks and/or Encountering Cardholder Data
  • Post-Engagement Retesting and Environment Clean-Up

PCI test results are provided in an extensive report containing:
  • Executive Summary: Describes major findings and remediation information
  • Statement of Scope: Systems tested as part of the engagement
  • Statement of Methodology: Details the method and tools used to complete testing
  • Statement of Limitation: Documents the restrictions imposed on testing
  • Testing Narrative: Details the testing method and documents testing progress
  • Segmentation Test Results: Summarizes test performance to validate segmentation controls
  • Severity Score Assignment: Scores each detected security issue as high, medium, low, or informational
  • Retesting Report: Details efficacy of remediation efforts

Social Engineering Engagements: While the PCI DSS Penetration Testing Guidance does not require social engineering, it does acknowledge social engineering as a way to measure the effectiveness of a security awareness program. cprlorca offers social engineering as an optional service that can be performed in conjunction with the required penetration testing. If social engineering is performed as part of a PCI Penetration Test, the findings are reported in accordance with the PCI DSS penetration test report.


cprlorca Qualifications

Since 2004, cprlorca has performed nearly 10,000 penetration tests. The cprlorca Information Security Analysts who conduct assessments have between 5 and 20+ years of experience in the IT and security industry, with credentials and professional experience including Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), CISSP, CISM, CISA, CCNA, CCNP, CCIP, CCDA, CCNA Security, Security+, Linux+, MCSE: Security, MCITP, CWNA, CWSP, VCP, and Network+, and they hold degrees in Computer Engineering, Information Systems, Computer Science, Business Administration, Electronics Engineering, and Information and Computer Science. Each is trained in implementing cprlorca products and delivering its security services.
