If your organisation stores or processes card details, you need to comply with the worldwide Payment Card Industry Data Security Standard (PCI DSS) in order to safeguard information.

Regular security testing is necessary – it’s clearly outlined in ‘Requirement 11: Regularly test security systems and processes’, which states the need to ‘implement a methodology for penetration testing’.

It can also be difficult to get to grips with the detail behind the many requirements of this payment standard. This is where our expert team can help you satisfy regulators.

Penetration Testing is a requirement

PCI DSS centres around protecting cardholder data, setting out tight controls surrounding the storage, transmission and processing of financial information handled by businesses.

This information is also considered Personally Identifiable Information (PII) and is therefore covered by GDPR, meaning that the fines following a breach are now considerably larger than they previously were.

You must provide evidence of both network and application penetration tests to achieve compliance with this standard. If not, you risk hefty financial penalties.

Annual external and internal network infrastructure tests, as well as application penetration tests must be carried out on all systems, alongside additional tests following any changes.

These tests lay the foundations for maintaining strict security measures and developing a robust strategy to safeguard payment data and become compliant with PCI DSS.

11.3 Implement a methodology for Penetration Testing

  • Based on industry-accepted pen testing approaches
  • Includes coverage for the CDE perimeter and critical systems
  • Includes testing of internal and external networks and validation of segmentation and scope-reduction controls
  • Defines application-layer penetration tests and network-layer penetration tests including components that support network functions and operating systems
  • Includes a review of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of pen testing results and remediation activities
Pre-Test Consultation

We work with you and your team to determine your specific requirements and any compliance gaps before building a tailored proposal. 


Our thorough testing simulates the attack methodologies of today’s most advanced hackers and dangerous users in line with the specific PCI DSS requirements.


Our comprehensive reports offer clear, practical advice on how to address any weaknesses and become complaint with the industry standard.


We guide you through the process of securing your networks and applications and evidence your compliance status to relevant stakeholders. 

Robust security makes compliance simple 

Implementing good security practices can mean that compliance with PCI DSS is a given.

Showing that you have robust security strategies in place, and that they are continuously being tested and maintained, will help you safeguard sensitive payment data and evidence that you are adhering to the requirements of PCI DSS.

Other services

Network Infrastructure Testing

Our network testing simulates these real-world attacks to determine your strength and resilience against such threats. We identify specific vulnerabilities within your infrastructure and provide clear, practical advice on how you can safeguard your business as quickly and efficiently as possible.Learn more >

Application Penetration Testing

Cyber-attacks are more targeted, sophisticated and frequent than ever before, while the risks posed by internal users are often overlooked. Our penetration testing services model the techniques of criminal hackers and malicious insiders to identify any vulnerabilities in your online-facing or internal applications. Find out more >

Configuration Reviews

We audit the security configuration of your key IT assets based on industry-standard benchmarks and ensure that each component of your IT infrastructure is working in harmony and as securely as possible. Find out more >