Many organisations are now aware of the obligations that the PCI DSS standard places upon them. If you are unsure what those obligations are, please
click here to read our information about the standard.
As the PCI SSC's document "Information Supplement: Penetration Testing" says (available near the bottom of
this page):
"A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the
vulnerabilities to determine whether unauthorised access or other malicious activity is possible. Penetration testing should include network and application layer testing
as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from
inside the network."
The same document goes on to say:
"Penetration testing must be carried out at least annually and anytime there is a significant infrastructure or application
upgrade or modification (for example, new system component installations, addition of a sub-network, or addition of a web server). What is deemed
"significant" is highly dependent on the configuration of a given environment, and as such cannot be defined by PCI SSC. If the upgrade or modification
could impact or allow access to cardholder data, then it should be considered significant. Significance within a highly segmented network where cardholder data
is clearly isolated from other data and functions is very different than significance in a flat network where every person and device can potentially access
cardholder data. As a security best practice, all upgrades and modifications should be penetration-tested to ensure that controls assumed to be in place are still
working effectively after the upgrade or modification."
In addition, a web application test satisfies PCI DSS Requirement 6.6: "Reviewing public-facing web applications via manual or
automated application vulnerability security assessment tools or methods, at least annually and after any changes".
So here's our summary of what needs testing and when (the frequencies follow the PCI SSC guidance quoted above: at least annually, and again after any significant change):

| Test Type | Frequency | ASV/QSA Required? | Location |
|---|---|---|---|
| Web Application Test | Annual, and after any change to the application | No | Remote |
| External Penetration Test | Annual, and after any significant infrastructure or application change | No | Remote |
| Internal Penetration Test | Annual, and after any significant infrastructure or application change | No | On Site |
This is where First Base Technologies comes in, because we are penetration testers. It's what we've always done. We are in a perfect position
to deploy our existing skills and combine them with our in-depth knowledge of PCI DSS to give you a thorough PCI penetration testing service.
Our web application tests comply with PCI DSS Requirement 6.6: "Reviewing public-facing web applications via manual or automated application
vulnerability security assessment tools or methods, at least annually and after any changes".
Our external and internal penetration tests comply with PCI DSS Requirement 11.3, which the PCI SSC's penetration testing supplement quoted above describes
as follows: "Penetration testing should include network and application layer testing as well as controls and processes around the networks and applications,
and should occur from both outside the network trying to come in (external testing) and from inside the network."
Our existing penetration testing services map directly on to these PCI DSS requirements. Our full range of services is described on our services page.
We also undertake:
- PCI DSS Consultancy: We have undertaken PCI consultancy work for many clients and for a variety of reasons. Some clients are uncertain about the
requirements and the scope of work they need to do in order to obtain or maintain compliance with PCI DSS. Others are unsure how to implement
the technologies required by the standard, such as encryption key management. Our in-depth knowledge of the standard itself, and of the various technologies,
can reduce the headaches that the PCI DSS compliance process can cause. Another aspect of our PCI consultancy services is outlined below.
- Analysis of Reports & False Positives: We are often approached by clients who do not understand the varied reports produced by PCI scanning vendors and need
help interpreting the findings. We are also often called upon to verify results from PCI scanning vendors which indicate that a client is not PCI compliant.
In some cases we have found that the results which led to a verdict of non-compliance were in fact false positives. We establish this by testing
the "offending" site or system directly for the supposed vulnerability and documenting what we find. The client can then go back to their scanning
vendor with that evidence and dispute the finding, which can result in the vendor properly re-verifying the results, agreeing with us, and changing the PCI scan
result to compliant. So even if you don't use us for testing (and most people end up doing so), we can still help.
- PCI ASV Testing: The quarterly external vulnerability scans that PCI DSS requires are separate from penetration testing and must be performed by an
Approved Scanning Vendor (ASV). For ASV testing we recommend QualysGuard PCI™. It has the lowest rate of false positives we have seen so far, and we can put you in touch
with our representative at Qualys to ensure you obtain the service you require. Please click here
for more information about QualysGuard PCI™ and why we like it.
Download the PDF flyer here
You can read our FAQ on penetration testing here
And see what our clients say about our services here
or phone Andy on +44 (0)1273 45 45 25