The only qualifications for being on this list are that the vendor makes a public statement about penetration testing (or a similar term) and that the vendor has a published mailing address or some other way to determine its location. The list is grouped by country, ordered by name, and includes the published specialties of each penetration testing provider. We sincerely believe that competition is healthy and would like to include all penetration testing companies, but we doubt this list is complete. If you know of a penetration testing firm that is not on our list, please use our contact form above and let us know; we will add them.

5 Things You Should Know about PCI DSS Penetration Testing

The standard penetration test should include both internal and external testing of all networks, applications, or systems directly connected to the CDE (cardholder data environment). In large environments, a risk-based approach can be used to identify the appropriate testing perspectives for each segmentation control in use.

Service providers should begin preparing by:

- determining the segmentation controls in use and defining the scope for testing those controls;
- identifying and calculating the required tests based on the date and on when the new requirement went into effect, February 1.

Recent guidance from the PCI SSC states that if a service provider has policies and procedures in place by February 1, can show evidence that the organization is following those policies and procedures, and has conducted a penetration or segmentation test within the last 6 months, then it will be considered compliant under the new standard.

In addition, existing compensating controls will have an effect in reducing the risk level. The additional evidence submitted alongside the report may, in some cases, be sufficient to mitigate a discovered vulnerability without the need for additional infrastructure or code changes.