What is Penetration Testing?

Penetration testing simulates cyber attack against NAS, cloud based digital infrastructures and applications. Controlled and secure system investigation by trained and qualified professionals can uncover areas of vulnerability for code injection attack against your systems.

How long does it take?

Typically penetration testing will take between 1 – 3 weeks. However this varies depending on the size of engagement, type of penetration testing and the number of systems being tested.

Cost is dependent on the size of engagement, pen testing types, number of projects and the resolution of potential vulnerabilities that are located within your infrastructure.

Why do we need a penetration test?

Penetration testing allows organisations to identify weaknesses, but can also be used to test an organisations security policy, employee security awareness, compliance requirement adherence and the ability of your organisation to identify then respond to security incidents.

How often should I get a penetration test?

This depends on a number of dependent factors including: business size, infrastructure and budget availability. Penetration tests should be carried out as often as possible, to keep up with evolving cyber threat and to ensure newly added systems or applications are secure.

PCI DSS

//cclgroupltd.com/wp-content/uploads/2019/02/3-teal-hexagons.png

Minimise risk and ensure PCI DSS compliance with CCL Group.

Get in Touch

Minimise Risk and Improve Compliancy

Partner with CCL Group and meet your compliance obligations for payment security. CCL Group has the experience and expertise to support organisations with security controls around cardholder data.

Assist you with completing the relevant PCI DSS Self-Assessment Questionnaire.

Conduct a PCI DSS Report on Compliance – an on-site audit of your policies, methods and technologies involving the storage, handling or transmission of cardholder data.

Perform an independent review of your security controls and processes for cardholder data if you are victim of a breach.

What is PCI DSS?

Globally recognised and adopted, the Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that help you to manage and process card payments safely and securely.

The PCI DSS Requirements detail the goals to be achieved and what needs to be done to help you become compliant. By assessing your business against these goals and maintaining your cyber security in line with these requirements, your customers have the confidence that you have adequate protections to preserve their personal and financial data.

Do I need to be PCI DSS compliant?
Although there is no legal obligation for merchants accepting card payments to comply with the PCI DSS Requirements, you will need to ensure you are fulfilling your obligations under the relevant data privacy laws and regulations such as The Data Privacy Act, 1988 and the requirements of GDPR.

If your organisation is storing, processing or transmitting cardholder data in any form, you may have a contractual responsibility to be PCI DSS compliant with your card payment service provider. Breach of this could result in withdrawal of services, monetary penalties and possible fee increases.

What do I need to do be PCI compliant?
The steps to PCI compliance identify the actions needed to fulfil the PCI DSS Requirements. Once you have completed the necessary actions, you will need to submit your completed PCI Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC) to your payment service provider or acquiring bank.

//cclgroupltd.com/wp-content/uploads/2019/02/teal-hexagon.svg

The 12 PCI DSS Requirements

Build and Maintain a Secure
Network and Systems

Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters

Protect
Cardholder Data

Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability
Management Program

Protect all systems against malware and regularly update antivirus software or programs
Develop and maintain secure systems and applications

Implement Strong Access
Control Measures

Restrict access to cardholder data by business need to know
Identify and authenticate access to system components
Restrict physical access to cardholder data

Regularly Monitor
and Test Networks

Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes

Maintain an Information
Security Policy

Maintain a policy that addresses information security for all personnel

Do I need to complete a PCI DSS Self Assessment Questionnaire (SAQ) or a Report on Compliance (RoC)?

To determine the level of risk, the payment card industry uses four merchant level rankings; 1-4. They are used to establish the level of security required and whether an SAQ or RoC should be submitted.

The table below is an indication of the current PCI DSS merchant levels and the security validation and assessment required by MasterCard and Visa. Each card brand and payment service provider will have their own requirements; however, these can be used as a general guide.

Merchant Level

PCI Merchant Level 1

PCI Merchant Level 2

PCI Merchant Level 3

PCI Merchant Level 4

Transactions Annually

6,000,001 or more

1,000,001-6,000,000

20,001-1,000,000

20,000 or less

Validation Requirements*

- Annual RoC, QSA audit and a Quarterly ASV scan

- Annual SAQ and a Quarterly ASV scan

If you are unsure which merchant level you are or would like to get some free advice, request a no obligation review with one of our security experts.

How do I stay PCI compliant?

Protecting your business from data and security breaches is more than just a regulatory requirement. You also risk your customers’ trust, reputation, financial penalties and potential legal action.

A key part of PCI Requirements 10 and 11 is to monitor system events and changes within your environment, our managed SOC and CREST penetration testing services can be utilised to fulfil these controls and provide the visibility that PCI requires.

CREST Penetration testing

To prevent unauthorised access and other malicious activity, both internally and externally, penetration testing attempts to identify and exploit system and network vulnerabilities. Penetration tests should be performed at least annually and whenever there is a significant change made to your system.

Security Operations Centre

Continuously working in conjunction with your cyber security systems to identify suspicious behaviours and potential breaches as they occur in real time, CCL Group’s Managed Security Operations Centre (SOC) is designed to identify, manage and mitigate information security risks to your business.

Find out more