PCI DSS Penetration Testing, Security Assessments and Security Scans

PCI DSS Penetration Testing are performed to fulfill requirements as stated in the PCI DSS standard of the big payment card companies. Penetration testing aims to identify vulnerabilities and plausible exploits to assess whether unauthorized access or malicious activity to information assets and, in particular card holder data, is possible.

Our penetration testing projects include networks and applications on external and internal networks as well as controls and processes implemented to protect the overall information system and card holder data in payment card storing and processing.

If you are instead looking for consulting on the implementation of the PCI DSS standard or parts of it, see more about Bithex Consulting on security standards.

PCI Security Scans

Merchants exceeding 20.000 yearly online transactions and/or total number of annual transactions is one million ore more, are required to execute quarterly security scans of external networks by an approved security scan vendor. Bithex Plc. does manage approved PCI DSS security scans for vendors.

PCI DSS security scans are executed regularly to test all external systems that process and store cardholder data. The scan tests for known vulnerabilities and configuration errors that can lead to security breaches. Found issues are classified into risk levels. To comply to the PCI DSS standard, companies must not have any importand security issues open.

Methodology for PCI DSS Pen Testing

Bithex PCI DSS Penetration Testing follows a standard methodology from security testing standards NIST-SP800-115 and OSSTMM where test cases and procedures are documented and the customer is supported in closing or migitating found vulnerabilities in the best practical way. Our goal is to help our customers sustain full compliance to PCI DSS requirements.

Test Plan and execution of PCI DSS Penetration Tests has the scope of all external and internal systems where cardholder data is being stored or processed in any way (cardholder data).

What must I do to prepare for a PCI Pen Test?

Preparation for PCI DSS Penetration Testing must focus on these points:

  • Defining the cardholder data environment as scope for testing.
  • Overall methodology desided, e.g. white box or black box.
  • Network diagrams and network security measures reviewed.
  • PCI QSA reports are reviewed.
  • Results from external security scans are reviewed.
  • Earlier penetration testing results are reviewed.
  • Results from risk assessment are reviewed.
  • Scope of social engineering decided depending on size and nature of operation.

What is included in a Bithex PCI DSS Pen Testing?

Test plan execution for PCI DSS Penetration Tests usually covers components like:

  • Network enumeration to identify hosts and networks.
  • Port scan attacks to analyze firewalls and network appliances.
  • Vulnerability scanning to identify vulnerabilities, misconfiguration etc.
  • Search for vulnerabilities in vulnerability databases.
  • Search for and execution of exploit code and methods. Methods depend on exploit at hand.
  • Web application security testing (Bithex WSC), at a minimum per. PCI DSS
  • Code review of web applications.
  • Security assessment of wireless networks.
  • Security assessment of dial-in connection points.
  • Test of unauthorized access to data from network accounts.
  • Test of network access from outside cardholder data environment.
  • Functionality of IDS/IPS systems verified.
  • Standardized reports with test documentation, summary and all technical details.
  • Risk classification according to industry standards.
  • Individual test cases are repeated as often as needed to attain PCI DSS compliance.


Price for PCI DSS Penetration Testing depends on the size of the scope at hand. Please contact us for more information and a price quote.