Things You Should Know About PCI Tests

What is PCI?

The Payment Card Industry (PCI) covers credit, debit, prepaid, ATM and POS card payments and the businesses that handle them. To address security problems across the industry, the major card brands founded the PCI Security Standards Council (SSC) in September 2006. The council maintains the PCI Data Security Standard (DSS), whose purpose is to protect cardholder data against fraud and misuse in transactions carried out through merchants, banks and other financial institutions, where a breach causes severe losses.


Who Needs to be PCI Compliant?

According to the PCI Security Standards Council, any business that processes, stores, or transmits cardholder data must be PCI DSS compliant.

Merchants are assigned one of four compliance levels depending on the number of card transactions they handle per year. The exact thresholds are defined by each card brand (the figures below are the commonly cited ones), and service providers have a separate two-level scheme.

  • Level 1: More than 6 Million Transactions per year

  • Level 2: Between 1 Million and 6 Million Transactions per year

  • Level 3: Between 20 Thousand and 1 Million Transactions per year

  • Level 4: Less than 20 thousand transactions per year

Level 1 merchants must undergo an on-site assessment every year by a Qualified Security Assessor (QSA), which produces a Report on Compliance (ROC). Merchants at Levels 2, 3 and 4 generally validate compliance by completing a Self-Assessment Questionnaire (SAQ) every year and submitting it to their acquiring bank, although some brands require Level 2 SAQs to be completed by certified staff. Most SAQ types also require passing quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).

There are nine different SAQ types. Each lists the security controls that apply to a particular business model: which one you use depends on how you accept payments (for example an e-commerce site that fully outsources payment to a third party, a standalone POS terminal, or a virtual terminal) and on whether you store cardholder data yourself.

What is a PCI Pentest?

A PCI pentest is a penetration test scoped and performed according to PCI DSS. It covers the cardholder data environment (CDE), that is, every system that stores, processes or transmits cardholder data, plus any connected system that could affect its security. Its purpose is to find and eliminate the vulnerabilities in merchants' and financial institutions' systems that handle card transactions so that the security level PCI DSS demands is actually achieved. The frequency does not depend on your merchant level: Requirement 11.3 requires external and internal penetration testing at least annually and after any significant infrastructure or application change, using an industry-accepted methodology. If segmentation is used to keep systems out of scope, Requirement 11.3.4 requires the segmentation controls to be tested at least annually and after any change to them, and service providers must test segmentation at least every six months (11.3.4.1). Exploitable findings must be corrected and retested.
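One concrete piece of the segmentation test, as an added example that is not from the article or from the PCI SSC: a small Python probe, run from a host that is supposed to be out of scope, that reports any CDE service accepting a TCP connection. The target list, the helper names and the loopback demonstration are assumptions for illustration; in an engagement the targets come from the CDE inventory and cover every port in the firewall ruleset.

```python
"""Segmentation validation probe.

Added example for this article, not code from the PCI SSC or the original
author. When segmentation is used to keep systems out of PCI DSS scope,
the tester must confirm, from a host on an out-of-scope network, that the
cardholder data environment (CDE) is not reachable. This probe tries a TCP
handshake against each CDE target and reports anything that accepts a
connection. Targets below are constructed placeholders.
"""
import socket
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    reachable: bool   # True only if a TCP connection was accepted
    detail: str       # "connected", "refused", "timeout" or "error:<errno>"


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> ProbeResult:
    """Attempt one TCP connection and classify the outcome.

    A completed handshake means the CDE service is reachable: a failed
    segmentation control. A refused connection is not a hole, but it shows
    that something answered (the host or a rejecting firewall), so it is
    worth a follow-up. A timeout is the expected result for dropped traffic.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, True, "connected")
    except ConnectionRefusedError:
        return ProbeResult(host, port, False, "refused")
    except (socket.timeout, TimeoutError):
        return ProbeResult(host, port, False, "timeout")
    except OSError as exc:
        return ProbeResult(host, port, False, f"error:{exc.errno}")


def run_segmentation_check(targets: Iterable[Tuple[str, int]],
                           timeout: float = 2.0) -> List[ProbeResult]:
    """Probe every (host, port) pair and return the results in order."""
    return [probe_tcp(host, port, timeout) for host, port in targets]


def segmentation_holds(results: Iterable[ProbeResult]) -> bool:
    """True if no CDE target accepted a connection from this vantage point."""
    return not any(r.reachable for r in results)


def answered_but_closed(results: Iterable[ProbeResult]) -> List[ProbeResult]:
    """Targets that replied with a refusal: candidates for follow-up."""
    return [r for r in results if r.detail == "refused"]


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on an ephemeral loopback port.

    Used only to demonstrate the probe offline; it stands in for a CDE
    service that is wrongly reachable.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def find_closed_local_port() -> int:
    """Return a loopback port that is currently not listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Offline demonstration: one "CDE service" that answers and one that does not.
    listener, open_port = start_local_listener()
    try:
        # Constructed target list; in a real engagement it comes from the CDE inventory.
        targets = [("127.0.0.1", open_port), ("127.0.0.1", find_closed_local_port())]
        results = run_segmentation_check(targets, timeout=1.0)
        for r in results:
            print(f"{r.host}:{r.port} reachable={r.reachable} ({r.detail})")
        print("segmentation holds:", segmentation_holds(results))
    finally:
        listener.close()
```

Run it from each out-of-scope network segment, not from inside the CDE, and repeat after every firewall or VLAN change: a probe that passes from the wrong vantage point proves nothing about the segmentation control.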


12 Requirements

PCI DSS has 12 requirements, grouped into six control objectives. The detailed sub-requirements, testing procedures, and guidance for each are in the standard itself.

  1. Install and maintain a firewall configuration to protect cardholder data

  2. Do not use vendor-supplied defaults for system passwords and other security parameters

  3. Protect stored cardholder data

  4. Encrypt transmission of cardholder data across open, public networks

  5. Use and regularly update anti-virus software or programs

  6. Develop and maintain secure systems and applications

  7. Restrict access to cardholder data by business need to know

  8. Assign a unique ID to each person with computer access

  9. Restrict physical access to cardholder data

  10. Track and monitor all access to network resources and cardholder data

  11. Regularly test security systems and processes

  12. Maintain a policy that addresses information security for all personnel



PCI DSS aims to keep cardholder data and transaction data out of the hands of third parties. It sets out controls that merchants and financial institutions must implement and regularly verify. If you do not have an in-house security team focused on these requirements, engaging a Qualified Security Assessor or an experienced consultancy early in the process is worthwhile.