PCI-DSS Penetration Testing

The requirements mandated by the Data Security Standard (DSS), as issued by the PCI council, clearly state that penetration testing activities must be conducted regularly by any organisation processing or storing credit card data. Xiphos Research works closely with a number of reputable QSA companies to facilitate technical penetration testing activities that encompass multi-layer attack scenarios. Many penetration testing providers approach a PCI-mandated penetration testing engagement in much the same manner as any other engagement. XRL believes, however, that the core focus of such testing should always be the security (or otherwise) of any cardholder data stored or processed by the commissioning client.

The penetration testing services provided by Xiphos Research on behalf of our clients encompass both automated and manual testing strategies and approaches. Many of our competitors are happy to provide a low-skilled junior operating an automated tool as the basis of their PCI testing regimens. We believe that this approach is fundamentally flawed. Not only does it fail to provide best value to the customer, but in many situations it can fail to accurately identify, exploit, and quantify risk.

As part of any ROC (Report on Compliance), we believe that an organisation, or the QSA acting on its behalf, should be fully apprised of and aware of any technical weaknesses that may impact upon the security of its networks, applications, processes and, indeed, cardholder data. For this reason, the PCI penetration testing services performed by Xiphos Research are always carried out by skilled and experienced professionals whose aim is to substantiate, demonstrate and, if necessary, replicate the attack vectors included in any reporting documentation produced as part of an engagement. We do not provide sweeping and unproven technical recommendations as part of the reporting cycle, but rather seek to identify (and, if possible, exploit) vulnerabilities that can then be documented, understood, and addressed as part of the compliance process.

We work closely with a number of reputable international QSA companies and merchant clients to provide technical testing and assessment services. Our specialist, goal-focused penetration testing services have helped some of the largest merchant groups in Europe gain compliance with PCI requirements, and truly identify and resolve risks that automated scanners alone would not have identified.

For more details about the specialist PCI penetration testing services we offer, or for an informal conversation about your requirements, contact us.