The Payment Card Industry's Data Security Standard (PCI DSS), currently at v3.1 (April 2015),
is a broad information security standard that contains a list of mandatory compliance
Requirements for merchants. There are twelve compliance Requirements, each divided
into a number of sub-sections. The Requirements range from maintaining an information
security policy, to building and maintaining a secure network, to regularly testing the
security of systems and processes.
Develop and maintain secure systems and applications. Our System Architecture
Security Review, Source Code Security Review and Web Application Penetration Testing
services can help you comply with Requirements 6.3.2, 6.5 and 6.6.
Regularly test security systems and processes. Our Wi-Fi
Security Testing, PCI ASV Vulnerability Assessment (Scanning), Network
Penetration Test and Web Application Penetration Testing services can help
you comply with Requirements 11.1, 11.2 and 11.3.
More information about complying with the PCI DSS security testing requirements can be found under our Services section.
If you would like to discuss your PCI testing requirements further, or would like general assistance in complying with
the DSS, please contact us.
Historically, penetration testing involved a security tester spending many days utilising tools,
home-brewed programs and expertise trying to break into a system. They would look for the
vulnerabilities in the system that could be exploited to give the tester a level of access that was
neither foreseen nor authorised. Once the tester had gained access, proof would be obtained by
harvesting sensitive information (such as executives' emails), depositing harmless files, etc.,
before going on to penetrate systems deeper in the corporate network. This would all be
written up in a report, together with recommendations on mitigating the identified risks.
Today the face of penetration testing has changed dramatically to adapt to the changing trends
in how organisations transact business and the threats they face. Web applications have become
ubiquitous and complex, spawning their own specialised branch of penetration testing.
In fact, penetration testing is now more of an umbrella term, often used to describe a range of different types of
security test. Some even consider the running of 'cheap and cheerful' automated tools to be a penetration test.
Regardless of what people consider a penetration test to be, we believe the most important thing is
to listen to our clients and understand what they want to achieve and what they want to protect.
Only then can we recommend an appropriate approach to security testing, one that will
meet your objectives and is commensurate with the value of the assets being protected.
Often a suitable approach combines different types of test, for example: something to keep you
on top of newly published vulnerabilities (such as a monthly or quarterly vulnerability assessment) combined
with something that provides a very detailed examination of your system and the risks to it (such
as an annual web application penetration test). We're happy to help you find the appropriate
level of testing that provides the right balance between your security objectives and your
Please contact us to discuss.