PCI penetration testing and compliance

A PCI penetration test is the penetration testing that organisations required to be PCI DSS compliant must carry out; it is scoped to the organisation’s Cardholder Data Environment (CDE). Penetration testing forms part of requirement 11.3 of the PCI DSS and, for some organisations, PCI penetration testing is a mandatory yearly requirement.
7Safe has built up a very strong understanding of the PCI penetration testing requirements, and also of how organisations are compromised once access to the CDE is gained (please see our Security Investigations and Assessments team). Our penetration testing team and our PCI consulting (QSA) team both sit within 7Safe’s Information Security Consulting delivery structure and therefore work very closely together, which we find is tremendously valuable to our customers. For example, during a PCI audit our PCI consultants will know that the correct CDE scope for penetration testing has been defined and that the correct series of tests, and therefore controls, are in place.
We also work for clients that source PCI consultancy elsewhere. Our detailed knowledge of the Standard serves these clients well in that we can still correctly scope the CDE and therefore the scope of penetration testing.
During PCI penetration testing 7Safe’s consultants also deploy our 7Seec PAN (Primary Account Number) scanning tool to establish the presence of unencrypted or otherwise unprotected PANs, which are a clear breach of the PCI requirements. This adds incredible value in that we wish to ensure all efforts to protect the PAN are undertaken to avoid a PCI breach (and therefore the need for a Qualified Forensic Investigator investigation).
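To illustrate what a PAN scan of the kind described above actually does, here is an added example (not 7Seec, nor any 7Safe code): it extracts 13 to 19 digit runs from text, keeps only those that pass the Luhn check, and reports them masked so the scan output itself does not become unprotected cardholder data. The sample log lines and card numbers are constructed for the example.

```python
"""Minimal PAN discovery over text: candidate digit runs -> Luhn filter -> masked report."""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit (so we do not match inside longer runs).
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check on a string of ASCII digits (ISO/IEC 7812 check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to at most the first six and last four digits (the PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked: str


def scan_text(text: str) -> list[Finding]:
    """Return one masked Finding per Luhn-valid PAN candidate, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings


# Constructed sample: two real-looking test PANs, one Luhn-invalid near miss, one token.
SAMPLE_TEXT = """\
2024-01-05 10:02:11 order=1001 card=4111111111111111 exp=12/26
2024-01-05 10:02:12 order=1002 card=5500 0000 0000 0004 exp=03/27
2024-01-05 10:02:13 order=1003 card=4111111111111112 exp=01/25
2024-01-05 10:02:14 order=1004 token=tok_9f8a7b6c5d4e3f2a1b
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line_no}: unprotected PAN {f.masked}")
```

Only lines 1 and 2 are reported; line 3 fails the Luhn check and line 4 carries a token rather than a PAN, which is exactly the distinction a scope-reduction review needs.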
Clearly the Standard also highlights the issues of secure code development and review, which is a service that 7Safe’s penetration testing and application testing team provides.

