PCI DSS Services
- Enterprises
- Small businesses
PCI DSS Consultancy
PCI DSS Testing
- ASV Scanning
- Pen Testing
PCI DSS Documentation
PCI DSS Training
PCI DSS Resources
Blog
Why choose IT Governance?
Speak to a PCI DSS expert

PCI DSS Security Testing Solutions

The Payment Card Industry Data Security Standard (PCI DSS) requires system components, processes and custom software to be tested frequently to ensure security is maintained. The testing of security controls is especially important for any environmental changes, such as deploying new software or changing system configurations.

Penetration testing and vulnerability scans

The differences between penetration testing and vulnerability scanning, as required by the PCI DSS, still cause confusion within the industry. The differences can be summarised as follows:

	Requirement 11.2	Requirement 11.3
Regularly test security systems and processes	Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Address vulnerabilities and perform rescans as needed, until passing scans are achieved. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans. Quarterly external scans must be performed by an approved scanning vendor (ASV). Scans conducted after network changes and internal scans may be performed by internal staff.	Develop and implement a methodology for penetration testing that includes external and internal penetration testing at least annually and after any significant upgrade or modification. If segmentation is used to reduce PCI DSS scope, perform penetration tests at least annually to verify the segmentation methods are operational and effective. Service providers using segmentation must confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after making changes to these controls.
Purpose	Identify, rank, and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system.	Establishes whether and how a malicious attacker could gain unauthorised access to your systems and determines whether the controls required by the PCI DSS are in place and effective.
When	At least quarterly or after significant changes.	At least annually and upon significant changes.
Reports	Potential risks posed by known vulnerabilities, ranked in accordance with NVD/CVSS base scores associated with each vulnerability.	More specific risks that vulnerability may pose, including specific methods how and to what extent it may be exploited.
Our solution	Powered by Comodo, our HackerGuardian scanning service performs highly accurate scanning of your externally facing systems, as required by the PCI DSS.	Meet the penetration testing requirements of the PCI DSS with our comprehensive web application, infrastructure or wireless network penetration tests.
	Find out more	Find out more

	Requirement 11.2
Regularly test security systems and processes	Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Address vulnerabilities and perform rescans as needed, until passing scans are achieved. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans. Quarterly external scans must be performed by an approved scanning vendor (ASV). Scans conducted after network changes and internal scans may be performed by internal staff.
Purpose	Identify, rank, and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system.
When	At least quarterly or after significant changes.
Reports	Potential risks posed by known vulnerabilities, ranked in accordance with NVD/CVSS base scores associated with each vulnerability.
Our solution	Powered by Comodo, our HackerGuardian scanning service performs highly accurate scanning of your externally facing systems, as required by the PCI DSS.
	Find out more

	Requirement 11.3
Regularly test security systems and processes	Develop and implement a methodology for penetration testing that includes external and internal penetration testing at least annually and after any significant upgrade or modification. If segmentation is used to reduce PCI DSS scope, perform penetration tests at least annually to verify the segmentation methods are operational and effective. Service providers using segmentation must confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after making changes to these controls.
Purpose	Establishes whether and how a malicious attacker could gain unauthorised access to your systems and determines whether the controls required by the PCI DSS are in place and effective.
When	At least annually and upon significant changes.
Reports	More specific risks that vulnerability may pose, including specific methods how and to what extent it may be exploited.
Our solution	Meet the penetration testing requirements of the PCI DSS with our comprehensive web application, infrastructure or wireless network penetration tests.
	Find out more

Why IT Governance for PCI DSS security testing?

IT Governance is a CREST-accredited provider of security testing services. Our range of testing services enable organisations of all sizes to effectively manage cyber security risk by identifying vulnerabilities that could expose infrastructure, applications, wireless networks and people to attack.

Choose IT Governance for penetration testing:

CREST-certified penetration testing.
Experienced across a diverse set of disciplines (web applications, servers, firewalls and Wi-Fi).
Testimonials from different industries and customers.
Sample reports available.

Speak to an expert

Please contact us for further information or to speak to an expert.