1 Stop PCI Scan recognizes that the PCI DSS uses a defense-in-depth approach to promoting PCI compliance. True PCI compliance involves more than just quarterly external PCI scanning. Yearly penetration testing is also a requirement for almost all businesses.
Penetration testing involves simulating an actual attack on the customer’s network. This type of testing helps to determine what a malicious person may actually accomplish in a real-world hacking effort.
PCI compliance calls for businesses to “regularly test security systems and processes.” Section 11 of the PCI DSS enumerates each of the requirements that fall under the “regularly test security systems and processes” component of overall PCI compliance. Section 11.3.1 of the PCI DSS v3 reads:
“Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification.”
Section 11.3.2 follows up by referring to internal penetration testing as an annual requirement as well.
1 Stop PCI Scan offers penetration testing at a low cost, and each member of our skilled testing team is an Offensive Security Certified Professional (OSCP). Pricing for penetration testing cannot be expressed as a standard rate that applies to all customers. Penetration testing is not a strictly automated process. In comparison to external PCI scanning, there are more variables involved in the pen-testing process, and pen-testing involves significantly more manual work. Interested customers should contact 1 Stop PCI Scan for more information and customized pricing.
For more information, including a discussion on considerations that come into play with PCI penetration test pricing, see our penetration test cost page.
If you are curious about the difference between PCI scanning and PCI penetration testing, take a look at our discussion on this topic here: “PCI Penetration Testing Vs. PCI Scanning”.
1 Stop PCI Scan – A Division of Backbone Security, Inc.