PCI DSS Penetration Testing, Security Assessments and Security Scans

PCI DSS Penetration Testing is performed to fulfill requirements as stated in the PCI DSS standard of the payment card industry. Penetration testing aims to identify potential vulnerabilities and exploits to assess whether unauthorized access or malicious activity to information assets and, in particular, card holder data is possible.

Bithex PCI DSS penetration testing will include networks and applications on external and internal facing networks, as well as controls and processes implemented to protect overall system assets and card holder data in payment card storing and processing.

If you are instead looking for consulting on the implementation of the PCI DSS standard, or parts of it, see more about Bithex Consulting on security standards.

PCI Security Scans

Merchants exceeding 20.000 yearly online transactions and/or total number of annual transactions is one million ore more, are required to execute quarterly security scans of external network assets by an approved security scan vendor. Bithex Plc. does manage approved PCI DSS security scans for vendors.

PCI DSS security scans are executed regularly to test all external facing systems that process and store cardholder data. The scan will tests for known vulnerabilities and configuration errors that can lead to security breaches. Found issues are classified into risk levels. To comply to the PCI DSS standard, companies must not have any importand security issues open.

Methodology for PCI DSS Pen Testing

Bithex PCI DSS penetration testing follows a standard methodology from security testing standards NIST-SP800-115 and OSSTMM where test cases and procedures are documented and the customer is supported in closing or migitating found vulnerabilities in the best practical way. Our goal is to help our customers sustain full compliance to PCI DSS requirements.

What must I do to prepare for a PCI Pen Test?

Preparation for PCI DSS Penetration Testing must focus on these points:

  • Defining the cardholder data environment as scope for testing.
  • Overall methodology desided, e.g. white box or black box.
  • Network diagrams and network security measures reviewed.
  • PCI QSA reports are reviewed.
  • Results from external security scans are reviewed.
  • Earlier penetration testing results are reviewed.
  • Results from risk assessment are reviewed.

What is included in a Bithex PCI DSS Pen Testing?

Test plan execution for PCI DSS Penetration Tests usually covers components like:

  • Network enumeration to identify hosts and networks.
  • Port scan attacks to analyze firewalls and network appliances.
  • Vulnerability scanning to identify vulnerabilities, misconfiguration etc.
  • Search for vulnerabilities in vulnerability databases.
  • Search for and execution of exploit code and methods. Methods depend on exploit at hand.
  • Web application security testing (Bithex WSC), at a minimum per. PCI DSS
  • Security assessment of wireless networks.
  • Test of unauthorized access to data from network accounts.
  • Test of network access from outside cardholder data environment.
  • Functionality of IDS/IPS systems verified.
  • Standardized reports with test documentation, summary and all technical details.
  • Risk classification according to industry standards.


Price for PCI DSS penetration testing will depend on the size of the scope at hand. Don’t hesitate to contact us for more information and a price quote.