Multi-Platform Penetration Test

Online Financial Services Company

Date Added: 8th February 2016

Tags: PCI DSS Penetration Testing

The Client

The client is one of Europe’s largest and fastest-growing online payment gateways, providing a range of payment processing services for businesses selling online and processing payments valued in excess of £20 billion per annum on behalf of more than 10,000 merchants.

The Challenge

The client required Web Application, Web Service (API), Mobile and Infrastructure Penetration Testing of their personal payments platform.

The requirement was for a multi-part test, delivered in separate phases. The web application provides administration and payments functionality for end-user clients, along with an API that is used by the platform’s Android and iOS mobile applications. Infrastructure for the software is hosted in a datacentre on our client’s own equipment.

Our Solution

4ARMED provided CREST Certified Security Testers to conduct the different parts of the engagement. Following 4ARMED’s comprehensive methodology, which fully meets PCI DSS requirement 11.3, the penetration testing for this client was a manual test that included the use of professional tools, in addition to some custom code development in order to fully integrate with the API and deliver comprehensive web service coverage.

This was a complex test against a challenging compliance deadline, requiring coverage of multiple different Internet-facing applications, all at high risk of financial fraud. Grouping logical components together for each tester, such as API and mobile, enabled us to make the most effective use of the testing team and deliver on time.


Marc Wickenden, Technical Director at 4ARMED

Next Steps

Could your business benefit from an engagement like this? Want to discuss your requirements further? Give us a call or complete the contact form below to tell us about your requirements and we will work with you to find the best solution for you.