PCI Network & Application Layer Penetration Testing


Network & Application Layer Penetration Testing

Take a hacker perspective to protect PCI data.

A Network & Application Layer Penetration Test simulates a real-world attack against your network infrastructure and information systems in order to see how far an attacker would actually be able to progress within your environment. It’s imperative to conduct a penetration test regularly if your environment is processing and storing sensitive data (like payment card data or protected health information) and those same systems have access to the Internet. Implementing a methodology for penetration testing is included in the PCI Data Security Standard as requirement 11.3.

Unlike a vulnerability assessment or automated vulnerability scan, security engineers performing penetration testing actively try to uncover vulnerabilities and then exploit them in order to breach your systems or obtain access to sensitive data. This manual, hands-on approach allows the tester to intelligently probe and launch attacks from a variety of vectors and under a variety of conditions within the environment. As a result, your organization can gain full visibility and understanding of how malicious entities may be attacking your systems and to what extent they are at risk.

"We have partnered with ControlScan for the past two years for assistance with our PCI validation. ControlScan has always been professional, timely and knowledgeable [while helping us determine] the best way to validate our environment. Our projects have been well communicated, executed and followed up on through completion; the team has always been open to questions and easy to work with."   — Hielan Management

The engagement starts with an agreement between you and ControlScan on the scope of testing to be conducted. Under PCI, the scope would include coverage for the entire card data environment (CDE) perimeter as well as critical systems. Depending on your needs, the engagement will include the following testing regimens:

  • External Penetration Testing, which adopts the approach of an anonymous attacker somewhere out on the Internet looking to breach your perimeter defenses and gain access to your environment
  • Internal Penetration Testing, which shows you the risks posed to your information systems by an insider (e.g., an employee or contractor) or an attacker that has already breached your perimeter
  • Validation of any segmentation and scope-reduction controls within the environment

These types of testing provide insight into your organization's risk exposure, but from different perspectives.

During the engagement, our security testers perform reconnaissance of in-scope systems to identify services and functions that may be vulnerable, then discover vulnerabilities affecting the in-scope targets, and finally attempt to exploit those vulnerabilities in order to compromise the exposed systems. All of this is done with your knowledge and permission.

Upon completion, a formal report is prepared detailing the findings uncovered by the testing process. The tester that conducted the exercise walks you through the report in detail, ensuring you understand the weak points and gaps discovered and have a strategy for strengthening them. Most clients remediate the findings and then engage ControlScan to retest and verify the target environment is secure.

A Penetration Test provides insight into the security posture of your payment card data environment.

Test at least annually.

The PCI DSS specifies that external and internal penetration testing should each be performed at least annually and after any significant infrastructure or application upgrade or modification within the target environment. Penetration testing is especially important in confirming whether your approach to segmenting your network is truly effective in isolating your card data environment (CDE) from other networks. Large breaches recently reported in the media have typically originated with a simple incursion into an insecure area of the victim's network with a subsequent lateral move directly into the CDE.

Protect your business—and your customers' data—by getting started on a Network & Application Layer Penetration Test.
