PCI-DSS v4.0 requires more than just a "check-box" scan. You need rigorous, adversarial testing to prove that your Cardholder Data Environment (CDE) is truly isolated.
For any organisation handling cardholder data, PCI-DSS compliance is a non-negotiable condition of keeping its merchant status. One of the most demanding elements of the audit, Requirement 11.4, calls for a manual, independent penetration test that goes far beyond automated vulnerability scanning.
At Mongoose, we provide the specialist, CREST-accredited testing required to satisfy your auditors and ensure the integrity of your payment environment.
Meeting the Rigour of PCI-DSS v4.0
The transition to v4.0 has introduced stricter requirements for how penetration testing is scoped, conducted and reported. We ensure your test covers every mandated area:
Segmentation Validation (Requirement 11.4.5):
We perform targeted testing to prove that your CDE is effectively isolated from out-of-scope networks. We attempt to bypass your VLAN and firewall controls to ensure no "leakage" of cardholder data is possible.
External Penetration Testing:
We simulate an attack from the public internet, targeting your perimeter and any public-facing assets that interact with payment data.
Internal Penetration Testing:
We replicate the threat of a compromised internal user or device, identifying how an attacker could move laterally from a low-security office network into your CDE.
Application-Layer Testing:
For bespoke payment portals, we perform deep-dive web application testing to identify business-logic flaws, injection vulnerabilities, and insecure API authentication and session handling.
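The segmentation validation item above comes down to one repeatable check: scan every CDE address from each out-of-scope segment and prove that nothing answers except documented, justified flows. The script below is an added example, not Mongoose's tooling or any PCI SSC material. It parses nmap greppable (-oG) output from such a scan and triages every responding port against a hypothetical scope definition; the CDE ranges, the single allow-listed flow and the sample scan lines are all constructed for illustration.

```python
"""Triage of a PCI segmentation test: which CDE ports answered from an
out-of-scope segment, and were they supposed to?  Added example; the scope
values and scan lines below are constructed, not from a real environment."""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical scope definition (assumption: taken from the scope document).
CDE_RANGES = [ipaddress.ip_network(n) for n in ("10.50.0.0/24", "10.50.1.0/24")]

# Documented, justified flows into the CDE: (source network, CDE host, TCP port).
# Hypothetical: one corporate proxy permitted to reach the payment API on 443.
ALLOWED_FLOWS = {("10.20.0.0/24", "10.50.0.10", 443)}

# Constructed nmap -oG output for a full TCP port scan of the CDE range,
# launched from a host in the office VLAN 10.20.0.0/24.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -Pn -p- -oG cde-from-office.gnmap 10.50.0.0/24
Host: 10.50.0.10 ()\tStatus: Up
Host: 10.50.0.10 ()\tPorts: 443/open/tcp//https///, 22/filtered/tcp//ssh///\tIgnored State: filtered (65533)
Host: 10.50.0.11 ()\tStatus: Up
Host: 10.50.0.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65534)
Host: 10.50.0.12 ()\tStatus: Up
Host: 10.50.0.12 ()\tPorts: 1433/closed/tcp//ms-sql-s///\tIgnored State: filtered (65534)
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# One port entry in -oG output: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")


@dataclass(frozen=True)
class Finding:
    source_segment: str
    host: str
    port: int
    proto: str
    state: str
    verdict: str


def parse_gnmap(text):
    """Yield (host, port, state, proto, service) for every port nmap listed."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service = m.groups()
            yield host, int(port), state, proto, service


def triage(gnmap_text, source_segment):
    """Classify every responding CDE port seen from source_segment."""
    findings = []
    for host, port, state, proto, _service in parse_gnmap(gnmap_text):
        if not any(ipaddress.ip_address(host) in net for net in CDE_RANGES):
            continue  # not a CDE address: outside this check
        if state == "filtered":
            continue  # no reply at all: the segmentation control held here
        if state == "open":
            allowed = (source_segment, host, port) in ALLOWED_FLOWS
            verdict = "allowed-documented-flow" if allowed else "fail-service-reachable"
        elif state == "closed":
            # A RST came back: the firewall passed the packet and the CDE host
            # answered. No service exposed, but the boundary is not enforced.
            verdict = "fail-host-reachable"
        else:
            verdict = f"review-{state}"  # e.g. "unfiltered" from an ACK scan
        findings.append(Finding(source_segment, host, port, proto, state, verdict))
    return findings


def segmentation_holds(findings):
    """True only if every response seen is a documented, justified flow."""
    return all(f.verdict == "allowed-documented-flow" for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_GNMAP, "10.20.0.0/24")
    for f in results:
        print(f"{f.source_segment:>14} -> {f.host}:{f.port}/{f.proto} {f.state:<8} {f.verdict}")
    print("segmentation holds:", segmentation_holds(results))
```

Two points of practice are built in. A "closed" port is still a finding: the RST proves packets from the out-of-scope segment reach the CDE host, which is exactly what the segmentation control is supposed to prevent, so only "filtered" (no response) is consistent with an effective control. And the allow-list is deliberately explicit, so the same output doubles as the evidence a QSA wants: every response is either mapped to a documented flow or recorded as a failure. Run the scan once per out-of-scope segment, over all TCP ports and at least the common UDP ports, and keep the raw -oG files alongside the triage output.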
The Mongoose PCI-DSS Methodology
Scope Definition & Asset Discovery
The most common point of failure in a PCI audit is an incorrectly defined scope. We work with your team to identify every system, network and person that stores, processes or transmits cardholder data (the CDE), together with the systems that are connected to it or that provide security services to it, since those are in scope as well.
Adversarial Simulation
Our testers do not rely on automated tools alone. We use the same manual techniques as professional threat actors to identify "hidden" pathways into your payment environment. This includes testing for:
- Weak or default credentials on management interfaces.
- Misconfigured firewalls and internal routing.
- Vulnerabilities in the applications used to process or store cardholder data.
Evidence-Rich Reporting for your QSA
A Mongoose report is designed to be "auditor-ready." We provide the technical evidence, methodology descriptions, and remediation roadmaps that your Qualified Security Assessor (QSA) requires to sign off on your compliance. We document every successful and unsuccessful attempt to breach the CDE.
Qualified Independence: Why CREST Matters
While a QSA (Qualified Security Assessor) performs the final compliance audit, the penetration test itself must be conducted by a technically qualified and organisationally independent resource. PCI-DSS mandates that the tester must not be involved in the day-to-day management of the systems being tested; the tester does not need to be a QSA or an ASV.
As a CREST-accredited firm, Mongoose provides that verified independence. Our accreditation serves as industry-recognised proof that our team possesses the high-level technical skills and follows the ethical frameworks required to deliver a compliant, trustworthy assessment.
What is the difference between an ASV scan and a penetration test?
How often do we need to perform segmentation testing?
Can you test our third-party integrations?
Ready to see the gaps others are missing?
Don't wait for a real adversary to find the pathway. Contact our team today to discuss a tailored manual assessment for your organisation.