Call us: +44 (0)1273 454525 | Email: info@firstbase.co.uk

PCI DSS Penetration Testing

If you are new to PCI, then check out our PCI DSS information page.

PCI DSS Penetration Testing Information

Many organisations do not realise that PCI DSS Requirements 6.6 and 11.3 call for penetration testing – over and above the external and internal vulnerability assessments required by PCI DSS Requirement 11.2.

The table below shows what PCI DSS Requirements 6.6 and 11.3 specify as to what needs testing and when. Our existing penetration testing services map on to your PCI DSS requirements exactly, so each test type in the table below links to the relevant testing page on our website.

Test Type | Frequency | ASV/QSA Required? | Location
Web Application Test | Annual | No | Remote
External Penetration Test | Annual | No | Remote
Internal Penetration Test | Annual | No | Onsite

Our web application tests comply with PCI DSS Requirement 6.6: “Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes”.

Our external and internal penetration tests comply with PCI DSS Requirement 11.3: “Penetration testing should include network and application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network.”

Our primary deliverable is a report. Tailored to your requirements, it describes the vulnerabilities found and their solutions, so you can address them before insiders or hackers exploit them.

The testing process

  • We discuss your requirements in detail to ensure that tests are appropriate, accurate and cost effective.
  • Testing is carried out by one or more of our professional testing team.
  • Our reports include a management summary, vulnerabilities ranked by severity, recommendations for remediation, and detailed technical explanations. The layout and format can be tailored to meet your in-house requirements.
  • Every test is carried out by a highly trained professional. Their results are subject to both technical review and quality assurance before being securely transmitted to you.
  • You can discuss your test results with our testing team to ensure that the risks and recommendations are understood in the context of your business.
  • Once you have addressed the reported vulnerabilities, we can check that your fixes have been successful or conduct a full re-test.
  • We pride ourselves in being with you every step of the way in securing your infrastructure from attack.

We also undertake:

PCI DSS Consultancy: We have undertaken PCI consultancy work for many clients and for a variety of reasons. Some clients are uncertain about the requirements and the scope of work they need to do in order to obtain or maintain compliance with PCI DSS. Others are unsure how to implement the technologies required by the standard, such as encryption key management. Our in-depth knowledge of the standard itself, and of the various technologies, can also help to reduce the headaches that the PCI DSS compliance process can cause. Another aspect of the PCI consultancy services we offer is outlined below.

Analysis of Reports & False Positives: We are often approached by clients who simply do not understand the varied reports produced by PCI scanning vendors and need help interpreting the findings. In addition, we are often called upon to verify results produced by PCI scanning vendors which indicate that a client is not PCI compliant. In some cases we have found that the results that led to a verdict of non-compliance were in fact false positives, which we determine by specifically testing the “offending” site or system for the supposed vulnerability. This enables the client to go back to their scanning vendor and argue the case for false positives, which can result in the scanning vendor properly verifying the results, agreeing with us, and changing the PCI scan result to compliant. So even if you don’t use us for testing (and most people end up using us), we can still help.

PCI ASV Testing: We recommend QualysGuard PCI for ASV Testing. It has the lowest rate of false-positives we have seen so far and we can put you in touch with our representative at Qualys to ensure you obtain the service you require. Please click here for more information about QualysGuard PCI.

For more information please visit the PCI web site.

Contact us for more information

Call us on +44 (0)1273 454525 or use our enquiry form