Compliance for Christmas: How Pentesting Speeds up PCI Compliance

‘Tis the season to be jolly — and not to be recovering from a security breach. Compliance for Christmas is the gift that keeps on giving to continually address security threats. If your company stores, processes, or transmits cardholder data, the Payment Card Industry Data Security Standard (PCI DSS) is likely already on your radar.


Image from PCI Security Standards Council

Payment Card Industry (PCI) compliance is an integral part of any organization that must stay up to date on the latest security standards and practices to keep card payments protected. Having a pentest performed within the cardholder data environment (CDE) is an effective way to review the current state of its security controls and expose critical vulnerabilities.

What is a PCI pentest?

A PCI DSS pentest is a cybersecurity assessment examining the technical and operational components of a system that collects payment and cardholder data to ensure that they meet the PCI compliance standards.

PCI applies to organizations of all types that are responsible for processing card payments, such as:

  • Merchants
  • Processors
  • Acquirers
  • Issuers
  • Service providers

It is also important to understand which compliance level fits the needs of an individual business.

  • Level 1: Businesses that process more than 6 million card transactions per year
  • Level 2: 1 to 6 million transactions per year
  • Level 3: 20,000 to 1 million transactions per year
  • Level 4: Fewer than 20,000 transactions per year

Meeting PCI compliance standards, no matter which level your organization fits into, reinforces a commitment to customers and protecting their sensitive data. Here are a few standards set by the PCI Security Standards Council to keep in mind:

  • Use strong passwords and change default passwords on hardware and software
  • Increase employee awareness about security and protecting cardholder data
  • Use password protection and encryption
  • Cover the entire cardholder data environment (CDE)
  • Include both network-layer and application-layer attacks

How does pentesting speed up PCI compliance?

Integrating pentesting into the PCI compliance process helps organizations reach and maintain compliance faster. A PCI DSS compliance pentest comprises scoping, discovery, evaluation, reporting, and retesting, carried out end to end by pentesters who put the confidentiality, integrity, and availability of data at the forefront.

“PCI DSS Requirement 11.3.4 requires penetration testing to validate that segmentation controls and methods are operational, effective, and isolate all out-of-scope systems from systems in the CDE. Therefore, a robust approach to penetration testing is recommended to satisfy this requirement by actively attempting to identify routes and paths from networks outside the CDE into the CDE.” (PCI Security Standards Council, Penetration Test Guidance Special Interest Group)

Cobalt provides pentests that follow PCI Security Standards Council requirements with qualified pentesters, robust methodologies, and reporting guidelines. Further, Cobalt helps organizations scale pentesting from compliance to a continuous program that provides valuable insights into their security posture.

“When we first went with Cobalt, it was purely for PCI requirements, but we were looking to scale our program and pentest on a more continuous basis. Cobalt gave us the ability to pentest on a frequent basis with minimum effort from our teams, saving us time and providing us quality results on a consistent basis.” - Tushar Chandgothia, VP of Information Security and Risk Management at KUBRA

For more information on PCI pentesting and compliance, contact Cobalt today.

About Caroline Wong
Caroline Wong is an infosec community advocate who has authored two cybersecurity books including Security Metrics: A Beginner’s Guide and The PtaaS Book. When she isn’t hosting the Humans of Infosec podcast, speaking at dozens of infosec conferences each year, working on her LinkedIn Learning coursework, and of course evangelizing Pentesting as a Service for the masses or pushing for more women in tech, Caroline focuses on her role as Chief Strategy Officer at Cobalt, a fully remote cybersecurity company with a mission to modernize traditional pentesting via a SaaS platform coupled with an exclusive community of vetted, highly skilled testers.