Help Centre

For certain levels of PCI-DSS compliance, it may be necessary to perform Penetration Tests and Vulnerability Scans to ensure that all card data is handled securely. However, the Create system is designed so that all payment gateways integrated with your website will process the payments securely elsewhere - this means your website will not handle the card information at any time and you do not need to perform any tests and scans to be PCI-DSS compliant at the required level.

This guide will discuss:

• What are Penetration Tests and Vulnerability Scans
• The instances in which these tests would be performed
• What to do if you would like to perform a Penetration Test or Vulnerability Scan

What are Penetration Tests and Vulnerability Scans

The main goal of a Penetration Test or Vulnerability Scan is to identify whether individuals with malicious intent could gain access to aspects of the system which would affect the fundamental security of it. Moreover, they seek to determine whether the measures used in order to be PCI-DSS compliant are in place.

The PCI Security Standards Council provide additional information on Penetration Testing.

In what instances these tests would be performed

Penetration Tests and Vulnerability Scans are only required for certain levels of PCI-DSS compliance, typically when sensitive and confidential information (such as credit card information) is being handled and processed directly.

When these online transactions are handled exclusively by a third party - as is the case when using an external gateway provider such as those integrated with Create - it is not necessary to perform these tests in order to be compliant with PCI-DSS.

What to do if you would like to perform a Penetration Test or Vulnerability Scan

Though you are not required to perform these, we understand there may be situations in which you wish to or have been asked to authorise the tests or scans.

If you would like to perform a Penetration Test or Vulnerability Scan, you must contact us directly first to explicitly make clear of your intent, and answer a series of security questions, as Create are the owner of the server hosting your website. A member of the Create team will then be in contact to discuss the details further.