Compliance pentest
Nick Hemenway avatar
Written by Nick Hemenway
Updated over a week ago

What is a compliance pentest?

Halo Security offers compliance pentests to help you adhere to PCI requirements and ensure that your customers' cardholder data is protected. Our expert team can test both external applications as well as the internal networks they are connected to, ensuring that the entirety of your cardholder data environment (CDE) is assessed. We will fully test, discover, and report on vulnerabilities and network segmentation in accordance with PCI requirements.

What requirements are fulfilled?

Halo Security addresses and meets the four most important PCI penetration testing requirements:

Requirement 11.3 - Pentests require a formal pentesting methodology that includes internal and external Pentest methods.

Our expert team has a defined penetration testing methodology covering internal and external networks that is based largely on OWASP fundamental methodology. Our methodology has been refined by our experience conducting tests, allowing us to test more efficiently and make sure that you get comprehensive results without excessive testing hours.

Requirement 11.3.1 - Pentests should be conducted annually or after significant server or application upgrades/changes.

Halo Security Security is glad to work with you on a reoccurring basis to fulfill any periodic requirements and offers competitive pricing on reoccurring or multiple scheduled tests. Additionally, our scanning solution can alert you to changes within your infrastructure that could indicate a need to conduct a compliance pentest.

Requirement 11.3.2 - Pentests should be conducted against internal networks to which PCI applications are connected.

When provided with VPN access, Halo Security can properly test your internal network to ensure there is segmentation between your sensitive cardholder data environment and any other hosts or services running nearby. Internal testing is useful not only to fulfill PCI requirements, but also to gauge visibility and assess risk on services that aren't externally testable.

Requirement 11.3.3 - Pentest vulnerability findings should be corrected and retested to ensure remediation.

While many penetration test providers simply provide you with a deliverable report to finish the test, Halo Security will work with you to test and confirm remediation for up to 90 days after the initial report deliverable. As an extension of your security team, we'll help you verify that the fixes you implement correct your issues by using the same tests we discovered them with. We'll revise reports with multiple versions to make sure the deliverable is accurate and suits your requirements as well as those of your compliance requester.

How much does it cost?

All of our penetration testing services are quoted after determining the scope of the project. Compliance pentests start at MSRP $4,950 per PCI CDE scope.

Did this answer your question?