    PCI penetration testing

     Info
    PCI penetration testing by CREST-accredited engineers. Satisfies PCI DSS 4.0 requirements 11.4.1-11.4.5. PCI DSS pentest from $6,000. Free re-test included.

    Overview

    What is PCI penetration testing?

    Prices starting at $6,000. Free re-test included.

    PCI penetration testing is a manual security assessment in which ethical hackers simulate real-world cyberattacks against the systems, networks and applications that store, process or transmit cardholder data, to identify exploitable vulnerabilities in your cardholder data environment (CDE) and produce the evidence your QSA expects for PCI DSS attestation.

    Penetration testing is required under PCI DSS 4.0 requirement 11.4 for every assessed entity whose ROC or SAQ type includes it. Your QSA will expect internal and external penetration testing at least once every 12 months and after any significant infrastructure or application change, and segmentation testing at least once every 12 months (every six months for service providers) and after any change to segmentation controls.

    Secure your cardholder data environment today. Request a PCI pentest 

    PCI DSS penetration testing requirements

    Blaze's PCI DSS penetration testing covers the penetration testing requirements of PCI DSS 4.0 / 4.0.1 and the related testing requirements:

    • 11.4.1 - Defined, documented and implemented penetration testing methodology
    • 11.4.2 - Internal penetration testing of the CDE, at least once every 12 months and after any significant infrastructure or application change
    • 11.4.3 - External penetration testing of the CDE, at least once every 12 months and after any significant infrastructure or application change
    • 11.4.4 - Correction of exploitable vulnerabilities and security weaknesses found during testing, with a re-test to verify the fixes
    • 11.4.5 - Segmentation testing at least once every 12 months and after any change to segmentation controls (at least every six months for service providers, per 11.4.6)
    • 6.4.1 - Vulnerability assessment of public-facing web applications at least once every 12 months and after significant changes (6.4.2, which supersedes 6.4.1 as of 31 March 2025, requires an automated technical solution such as a WAF and is not met by testing alone)
    • 11.3.1 - Internal vulnerability scanning of in-scope assets at least once every three months (external scans under 11.3.2 must be performed by a PCI SSC Approved Scanning Vendor)

    For organizations still on PCI DSS 3.2.1 we also map findings to the legacy 11.2.x, 11.3.x and 6.6 requirements during the transition.

    We've written a comprehensive guide to PCI penetration testing that answers the most frequently asked questions on scope, cadence and PCI DSS 4.0 changes.

    PCI penetration testing services

    Our PCI DSS penetration testing, also known as PCI pentest or PCI DSS pentest, is delivered by CREST-accredited offensive security engineers certified OSCP, OSWE, OSCE and CRTO, and includes:

    • External penetration testing of the CDE perimeter (web, APIs, network, payment pages)
    • Internal penetration testing of the CDE network and critical systems
    • Segmentation testing to validate isolation of the CDE from out-of-scope networks
    • AWS cloud penetration testing and configuration security review
    • Web and API penetration testing (REST, GraphQL, SOAP, gRPC)
    • Mobile app pentesting (iOS and Android)
    • Quarterly internal and external vulnerability scanning

    We follow the PCI SSC Penetration Testing Guidance, OWASP Top 10, OWASP ASVS, OSSTMM, NIST SP 800-115 and PTES, and have delivered PCI penetration testing for merchants and service providers across SaaS, fintech, e-commerce, healthtech and payment processing. Typical engagement effort is 5 to 30 person-days, depending on the size and complexity of the CDE.

    Deliverables

    You will receive a detailed report from a motivated adversary's perspective, mapped to PCI DSS requirements and ready for QSA review:

    • Executive summary explaining issues, attack scenarios and business impact in non-technical language
    • Vulnerability descriptions, attack demonstrations and remediation guidance
    • Remediation prioritization matrix
    • Mapping of every finding to the relevant PCI DSS 4.0 requirement
    • Signed letter of attestation suitable for QSA, ROC and SAQ submission
    • Free re-test and fix validation per requirement 11.4.4

    All findings are delivered in real time through VulnKeep, our PTaaS platform, which integrates with your ticketing systems. Final reports arrive within five business days of assessment completion.

    The same PCI penetration testing report supports vendor risk assessments and other compliance audits including SOC 2, ISO 27001, SWIFT CSP, HIPAA and GDPR.

    Contact us

    Prices for PCI penetration testing start at $6,000. Free re-test is included to satisfy PCI DSS 4.0 requirement 11.4.4.

    Request a PCI pentest now: https://www.blazeinfosec.com/lp/penetration-test-quote-form/ 

    Email:  sales@blazeinfosec.com 

    Phone: +1 347 892 4783 (US/Canada)

    Phone: +351 222 081 647 (Europe/international)

    Services insured worldwide by Hiscox with a $5,000,000 professional liability (E&O) cover. Blaze is a CREST-accredited, ISO 27001 and ISO 9001 certified company.

    Highlights

    • PCI penetration testing trusted by merchants and service providers across SaaS, fintech, e-commerce and payment processing - CREST-accredited, ISO 27001 and ISO 9001 certified.
    • Full coverage of PCI DSS 4.0 requirements 11.4.1, 11.4.2, 11.4.3, 11.4.4 and 11.4.5 (internal, external and segmentation testing) - mapped to your QSA's ROC and SAQ.
    • Manual PCI pentest by OSCP, OSWE, OSCE and CRTO-certified offensive security engineers, delivered through VulnKeep PTaaS with real-time findings and free re-test included to satisfy 11.4.4.

    Details

    Delivery method

    Deployed on AWS
    Pricing

    Custom pricing options

    Pricing is based on your specific requirements and eligibility. To get a custom quote for your needs, request a private offer.

    Legal

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Support

    Vendor support

    Contact us: https://www.blazeinfosec.com/contact-us 

    Email: sales@blazeinfosec.com 

    Website: https://www.blazeinfosec.com 

    Phone: +1 347 892 4783 (US/Canada)

    Phone: +351 222 081 647 (Europe/international)

    Services insured worldwide with a professional liability (E&O) cover of $5,000,000. Blaze is a CREST-accredited, ISO 27001 and ISO 9001 certified company.

    Support and project management are provided based on the statement of work agreed.