Want PCI ASV Scans for FREE?
Become a Provensec client and get exactly that. We partner with multiple vendors and use economies of scale to dramatically lower your costs. Then we manage your scans and also provide a portal for downloading the Certificate for Quarterly Compliance.
Our PCI testing process strictly follows the guidance provided by PCI SSC. The objective of the test is to see how an attacker could jeopardize the confidentiality and integrity of cardholder data.
We start by agreeing on the scope and rules of engagement, which include the success criteria.
Once the scope and success criteria are agreed upon, we start testing using the OWASP methodology, which covers the application, network and server layers of your IT infrastructure.
Once the test is completed, a report will be delivered which explains the results and includes SMART actions to fix identified findings.
The testing execution will include the following aspects of your IT infrastructure:
Application Layer: As mentioned in Section 2.3 of the PCI SSC guidance, we perform testing from the perspective of the application's defined roles. We strongly encourage our clients to supply credentials so that the tester can assume the required roles. This allows the tester to determine whether, from any given role, the user could escalate privileges or otherwise gain access to data they are not explicitly allowed to access. In instances where a web application utilizes a backend API and the API is in scope, we test the web application and the API independently.
Network Layer: Because the network layer uses standard modes of interaction, we use automated tools to conduct the test and then verify the results manually. This verifies whether the cardholder data environment (CDE) has efficient and effective network controls.
Segmentation test: The segmentation check is performed by conducting tests used in the initial stages of a network penetration test (i.e., host discovery, port scanning, etc.). We verify that isolated LANs in the agreed scope do not have access into the CDE.