{"id":4999,"date":"2020-10-27T14:13:00","date_gmt":"2020-10-27T14:13:00","guid":{"rendered":"http:\/\/dev1.replior.mobi\/?p=4999"},"modified":"2026-04-21T23:01:45","modified_gmt":"2026-04-21T21:01:45","slug":"the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls","status":"publish","type":"post","link":"https:\/\/complior.se\/en\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/","title":{"rendered":"The Two Core Phases of Penetration Testing and PCI Compliance Pitfalls"},"content":{"rendered":"<div class=\"wp-block-uagb-container uagb-block-1c95cc62 alignfull uagb-is-root-container\"><div class=\"uagb-container-inner-blocks-wrap\">\n<div class=\"wp-block-group blockera-block blockera-block-627ud4 is-vertical is-layout-flex wp-container-core-group-is-layout-fe9cc265 wp-block-group-is-layout-flex\">\n<span class=\"kt-adv-heading4999_8393ac-cc wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_8393ac-cc\">Blog<\/span>\n\n\n\n<h1 class=\"kt-adv-heading4999_7b744b-a8 animated fadeIn wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_7b744b-a8\">The Two Core Phases of Penetration Testing and PCI Compliance 
Pitfalls<\/h1>\n\n\n\n<div class=\"wp-block-group animated fadeIn is-nowrap is-layout-flex wp-container-core-group-is-layout-6c531013 wp-block-group-is-layout-flex\"><div class=\"publish-date-container\">\r\n\t<svg\r\n\t\twidth=\"16\"\r\n\t\theight=\"16\"\r\n\t\tviewbox=\"0 0 24 24\"\r\n\t\tfill=\"none\"\r\n\t\tstroke=\"#4b4b4b\"\r\n\t\tstroke-width=\"2\"\r\n\t\tstroke-linecap=\"round\"\r\n\t\tstroke-linejoin=\"round\"\r\n\t\txmlns=\"http:\/\/www.w3.org\/2000\/svg\"\r\n\t\taria-hidden=\"true\"\r\n\t>\r\n\t\t<rect x=\"3\" y=\"4\" width=\"18\" height=\"18\" rx=\"2\" ry=\"2\"><\/rect>\r\n\t\t<line x1=\"16\" y1=\"2\" x2=\"16\" y2=\"6\"><\/line>\r\n\t\t<line x1=\"8\" y1=\"2\" x2=\"8\" y2=\"6\"><\/line>\r\n\t\t<line x1=\"3\" y1=\"10\" x2=\"21\" y2=\"10\"><\/line>\r\n\t<\/svg>\r\n\t<span class=\"date-text\">\r\n\t\tOct 27, 2020\t<\/span>\r\n<\/div>\n\n\n<div class=\"kt-adv-heading4999_6c5702-c8 wp-block-kadence-advancedheading kt-adv-heading-has-icon animated fadeIn delay-100ms\" data-kb-block=\"kb-adv-heading4999_6c5702-c8\"><span class=\"kb-svg-icon-wrap kb-adv-heading-icon kb-svg-icon-fe_clock kb-adv-heading-icon-side-left\"><svg viewbox=\"0 0 24 24\"  fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"  aria-hidden=\"true\"><circle cx=\"12\" cy=\"12\" r=\"10\"\/><polyline points=\"12 6 12 12 16 14\"\/><\/svg><\/span><span class=\"kb-adv-text-inner\">5 min <\/span><\/div><\/div>\n<\/div>\n\n\n\n<figure class=\"wp-block-kadence-image kb-image4999_710e8d-5b size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/complior.se\/wp-content\/uploads\/2026\/04\/two-phases-05-edited-1024x576.png\" alt=\"3 people using different navigation equipment\" class=\"kb-img wp-image-80441\" srcset=\"https:\/\/complior.se\/wp-content\/uploads\/2026\/04\/two-phases-05-edited-1024x576.png 1024w, 
https:\/\/complior.se\/wp-content\/uploads\/2026\/04\/two-phases-05-edited-300x169.png 300w, https:\/\/complior.se\/wp-content\/uploads\/2026\/04\/two-phases-05-edited-768x432.png 768w, https:\/\/complior.se\/wp-content\/uploads\/2026\/04\/two-phases-05-edited-1536x864.png 1536w, https:\/\/complior.se\/wp-content\/uploads\/2026\/04\/two-phases-05-edited-18x10.png 18w, https:\/\/complior.se\/wp-content\/uploads\/2026\/04\/two-phases-05-edited.png 1696w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-uagb-container uagb-block-2398f5c1 alignfull uagb-is-root-container\"><div class=\"uagb-container-inner-blocks-wrap\">\n<div class=\"wp-block-group blockera-block blockera-block-atqmot is-vertical is-layout-flex wp-container-core-group-is-layout-b2c973f4 wp-block-group-is-layout-flex\">\n<p class=\"kt-adv-heading4999_ab7dcd-a6 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_ab7dcd-a6\">When it comes to pen testing, it can always be roughly broken down into two core phases: scanning and exploiting. Simply put: know what you\u2019re dealing with; then you may push the red \u201cfire\u201d button and unleash hell.<\/p>\n\n\n\n<h2 class=\"kt-adv-heading4999_cea4e6-bc wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_cea4e6-bc\">The scanning phase<\/h2>\n\n\n\n<p class=\"kt-adv-heading4999_6634b7-b9 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_6634b7-b9\">This two-phase breakdown of course applies to any PCI-related pentest carried out against the infrastructure layer of an entity under assessment. The main goal of the scanning phase is, indeed, to learn more about the target environment and find openings by directly interacting with any detected target system and\/or network component. 
As a positive side-effect, scanning might reveal further items that were not included in the PCI scope of the target environment.<br><br>Several types of scans are performed during this phase, including but not limited to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"blockera-block blockera-block-lee6wg has-manrope-font-family\" style=\"font-size:clamp(14px, 0.875rem + ((1vw - 3.2px) * 0.227), 16px);font-style:normal;font-weight:500\">Network sweeping: aims at identifying which hosts are actually live by sending packets to all network addresses in a specific target range<\/li>\n\n\n\n<li class=\"blockera-block blockera-block-f2luel has-manrope-font-family\" style=\"font-size:clamp(14px, 0.875rem + ((1vw - 3.2px) * 0.227), 16px);font-style:normal;font-weight:500\">Port scanning: once live hosts have been detected, this step discerns potential openings on all target machines by looking for listening TCP and\/or UDP ports<\/li>\n\n\n\n<li class=\"blockera-block blockera-block-ueib5q has-manrope-font-family\" style=\"font-size:clamp(14px, 0.875rem + ((1vw - 3.2px) * 0.227), 16px);font-style:normal;font-weight:500\">OS fingerprinting: aims at determining the target operating system type based on its network behavior<\/li>\n\n\n\n<li class=\"blockera-block blockera-block-rz49tv has-manrope-font-family\" style=\"font-size:clamp(14px, 0.875rem + ((1vw - 3.2px) * 0.227), 16px);font-style:normal;font-weight:500\">Service detection: attempts to determine both the type and the version of the service presumably bound to each listening port<\/li>\n\n\n\n<li class=\"blockera-block blockera-block-dzshy1 has-manrope-font-family\" style=\"font-size:clamp(14px, 0.875rem + ((1vw - 3.2px) * 0.227), 16px);font-style:normal;font-weight:500\">Vulnerability scanning: a crucial part of the scanning process, since it measures whether, based on the above, the target machines COULD be affected by one of the thousands of potential vulnerabilities, including but not limited 
to misconfigurations or unpatched services<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-group blockera-block blockera-block-atqmot is-vertical is-layout-flex wp-container-core-group-is-layout-b2c973f4 wp-block-group-is-layout-flex\">\n<h2 class=\"kt-adv-heading4999_519ff6-bb wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_519ff6-bb\">The exploitation phase<\/h2>\n\n\n\n<p class=\"kt-adv-heading4999_2612f3-85 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_2612f3-85\">The main aim of the exploitation phase is to demonstrate the actual presence of the exploitable vulnerabilities detected in the previous core phase, with special focus on those that could expose card data to compromise. During this phase the tester tries to actively gain access by circumventing the security measures in place, then to expand that access and elevate the level of privilege obtained. This is normally achieved through:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"blockera-block blockera-block-gyw7v4 has-manrope-font-family\" style=\"font-size:clamp(14px, 0.875rem + ((1vw - 3.2px) * 0.227), 16px);font-style:normal;font-weight:500\">Searching for proof of concept code in the tester\u2019s repository<\/li>\n\n\n\n<li class=\"blockera-block blockera-block-q3qtzs has-manrope-font-family\" style=\"font-size:clamp(14px, 0.875rem + ((1vw - 3.2px) * 0.227), 16px);font-style:normal;font-weight:500\">Searching for exploit code from publicly available sources<\/li>\n\n\n\n<li class=\"blockera-block blockera-block-ju5yi has-manrope-font-family\" style=\"font-size:clamp(14px, 0.875rem + ((1vw - 3.2px) * 0.227), 16px);font-style:normal;font-weight:500\">Development of own tools\/scripts<\/li>\n\n\n\n<li class=\"blockera-block blockera-block-ul6xjm has-manrope-font-family\" style=\"font-size:clamp(14px, 0.875rem + ((1vw - 3.2px) * 0.227), 16px);font-style:normal;font-weight:500\">Using tools, scripts, exploit and\/or proof of concept code 
against the target to gain as many points of unauthorized access as possible<\/li>\n<\/ul>\n\n\n\n<p class=\"kt-adv-heading4999_7f8498-9a wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_7f8498-9a\">A successful exploitation phase eventually offers proof that the vulnerabilities are actually there and can cause harm, helping to identify the relevant threat scenarios that may directly or indirectly affect cardholder data and, thus, PCI compliance.<br><br>Regarding PCI compliance specifically, it is important to point out that, out of the total set of issues resulting from the whole testing campaign, only a specific sub-set will most likely have an impact on compliance. This is a very important aspect of PCI-related penetration testing and, as such, it deserves some further explanation.<br><br>As highlighted several times in this and previous articles, PCI DSS is all about securing cardholder data. This means that, regardless of how critical an issue might be, any relevant findings are subject to further \u201cfiltering\u201d criteria, where only possible direct and indirect impacts on card data confidentiality are considered relevant for compliance. So, if you manage to find a way to remotely switch off or erase the main back-end database without being able to get in touch with its content, it would not necessarily imply a \u201cPCI Fail\u201d condition, even if all mission-critical data is lost. 
Basically, unless the Confidentiality of cardholder data is directly or indirectly in jeopardy, impacts on Availability and Integrity generally do not affect compliance on their own.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group blockera-block blockera-block-oht8ju is-vertical is-layout-flex wp-container-core-group-is-layout-b2c973f4 wp-block-group-is-layout-flex\">\n<h2 class=\"kt-adv-heading4999_a53cb0-67 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_a53cb0-67\">A compliance checkmark is not a shield against evil<\/h2>\n\n\n\n<p class=\"kt-adv-heading4999_8b9a00-9f wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_8b9a00-9f\">This is only one of the many possible examples leading to the very important conclusion that PCI DSS compliance alone is not necessarily synonymous with good overall security. Many organizations today unfortunately still tend to overlook this aspect and continue to be exposed to considerable business losses, since they somehow assume that the \u201ccompliant checkmark\u201d is a shield against all evil. Well, in a way it is, but it is far too small a defense.<br><br>The Standard in fact \u201conly\u201d defines a security baseline for any organization that processes, transmits, or stores cardholder data. Being compliant only involves satisfying the requirements; it does not AT ALL mean that the organization\u2019s business is exhaustively and thoroughly secure and that all related security objectives are met. Keep this well in mind when it comes to choosing your own approach to security testing for PCI DSS requirement 11.3. 
At least, if you want penetration testing to add actual value to the organization from an overall security standpoint.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group blockera-block blockera-block-oht8ju is-vertical is-layout-flex wp-container-core-group-is-layout-b2c973f4 wp-block-group-is-layout-flex\">\n<h2 class=\"kt-adv-heading4999_4b84ac-ec wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_4b84ac-ec\">To summarize<\/h2>\n\n\n\n<p class=\"kt-adv-heading4999_2ce9b7-82 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4999_2ce9b7-82\">The bottom line is, when you undergo your next annual pentest, don\u2019t just look at the \u201cPCI Fail\u201d findings: carefully read through the whole list of findings and fix ALL of those that would actually put your business at risk.<\/p>\n<\/div>\n<\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>When it comes to pen testing, it can always be roughly broken down in to two core phases: scanning and exploiting<\/p>","protected":false},"author":2,"featured_media":51216,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"blogg","format":"standard","meta":{"_editorskit_title_hidden":false,"_editorskit_reading_time":3,"_editorskit_is_block_options_detached":false,"_editorskit_block_options_position":"{}","_eb_attr":"","inline_featured_image":false,"_uag_custom_page_level_css":"","wpm_timeformat":"","_wpm_styles":"","footnotes":""},"categories":[118],"tags":[117,146,128,134],"class_list":["post-4999","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blogg","tag-blog","tag-information-security","tag-pci-dss","tag-penetration-testing"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>The Two Core Phases of Penetration Testing and PCI Compliance Pitfalls<\/title>\n<meta name=\"description\" content=\"When it comes to pen testing, it can 
always be roughly broken down in to two core phases: scanning and exploiting\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/complior.se\/en\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Two Core Phases of Penetration Testing and PCI Compliance Pitfalls\" \/>\n<meta property=\"og:description\" content=\"When it comes to pen testing, it can always be roughly broken down in to two core phases: scanning and exploiting\" \/>\n<meta property=\"og:url\" content=\"https:\/\/complior.se\/en\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/\" \/>\n<meta property=\"og:site_name\" content=\"Complior\" \/>\n<meta property=\"article:published_time\" content=\"2020-10-27T14:13:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-21T21:01:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2048\" \/>\n\t<meta property=\"og:image:height\" content=\"954\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kikki Bostrom\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kikki Bostrom\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/\"},\"author\":{\"name\":\"Kikki Bostrom\",\"@id\":\"https:\\\/\\\/complior.se\\\/#\\\/schema\\\/person\\\/841f8a57425589a6d7f13c201d345016\"},\"headline\":\"The Two Core Phases of Penetration Testing and PCI Compliance Pitfalls\",\"datePublished\":\"2020-10-27T14:13:00+00:00\",\"dateModified\":\"2026-04-21T21:01:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/\"},\"wordCount\":826,\"publisher\":{\"@id\":\"https:\\\/\\\/complior.se\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/two-phases-05-1.png\",\"keywords\":[\"Blog\",\"Information security\",\"PCI DSS\",\"Penetration testing\"],\"articleSection\":[\"Blogg\"],\"inLanguage\":\"en-GB\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/\",\"url\":\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/\",\"name\":\"The Two Core Phases of Penetration Testing and PCI Compliance 
Pitfalls\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/complior.se\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/two-phases-05-1.png\",\"datePublished\":\"2020-10-27T14:13:00+00:00\",\"dateModified\":\"2026-04-21T21:01:45+00:00\",\"description\":\"When it comes to pen testing, it can always be roughly broken down in to two core phases: scanning and exploiting\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/#primaryimage\",\"url\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/two-phases-05-1.png\",\"contentUrl\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/two-phases-05-1.png\",\"width\":2048,\"height\":954,\"caption\":\"3 people using different navigation equipment\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/complior.se\\\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/complior.se\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The Two Core Phases of Penetration Testing and PCI Compliance 
Pitfalls\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/complior.se\\\/#website\",\"url\":\"https:\\\/\\\/complior.se\\\/\",\"name\":\"Complior\",\"description\":\"Security beyond compliance\",\"publisher\":{\"@id\":\"https:\\\/\\\/complior.se\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/complior.se\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/complior.se\\\/#organization\",\"name\":\"Complior\",\"url\":\"https:\\\/\\\/complior.se\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/complior.se\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/Complior_logo_dark-scaled.png\",\"contentUrl\":\"https:\\\/\\\/complior.se\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/Complior_logo_dark-scaled.png\",\"width\":2560,\"height\":960,\"caption\":\"Complior\"},\"image\":{\"@id\":\"https:\\\/\\\/complior.se\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/complior.se\\\/#\\\/schema\\\/person\\\/841f8a57425589a6d7f13c201d345016\",\"name\":\"Kikki Bostrom\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g\",\"caption\":\"Kikki Bostrom\"},\"url\":\"https:\\\/\\\/complior.se\\\/en\\\/author\\\/kikki\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"The Two Core Phases of Penetration Testing and PCI Compliance Pitfalls","description":"When it comes to pen testing, it can always be roughly broken down in to two core phases: scanning and exploiting","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/complior.se\/en\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/","og_locale":"en_GB","og_type":"article","og_title":"The Two Core Phases of Penetration Testing and PCI Compliance Pitfalls","og_description":"When it comes to pen testing, it can always be roughly broken down in to two core phases: scanning and exploiting","og_url":"https:\/\/complior.se\/en\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/","og_site_name":"Complior","article_published_time":"2020-10-27T14:13:00+00:00","article_modified_time":"2026-04-21T21:01:45+00:00","og_image":[{"width":2048,"height":954,"url":"https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1.png","type":"image\/png"}],"author":"Kikki Bostrom","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kikki Bostrom","Estimated reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/#article","isPartOf":{"@id":"https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/"},"author":{"name":"Kikki Bostrom","@id":"https:\/\/complior.se\/#\/schema\/person\/841f8a57425589a6d7f13c201d345016"},"headline":"The Two Core Phases of Penetration Testing and PCI Compliance 
Pitfalls","datePublished":"2020-10-27T14:13:00+00:00","dateModified":"2026-04-21T21:01:45+00:00","mainEntityOfPage":{"@id":"https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/"},"wordCount":826,"publisher":{"@id":"https:\/\/complior.se\/#organization"},"image":{"@id":"https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/#primaryimage"},"thumbnailUrl":"https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1.png","keywords":["Blog","Information security","PCI DSS","Penetration testing"],"articleSection":["Blogg"],"inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/","url":"https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/","name":"The Two Core Phases of Penetration Testing and PCI Compliance Pitfalls","isPartOf":{"@id":"https:\/\/complior.se\/#website"},"primaryImageOfPage":{"@id":"https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/#primaryimage"},"image":{"@id":"https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/#primaryimage"},"thumbnailUrl":"https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1.png","datePublished":"2020-10-27T14:13:00+00:00","dateModified":"2026-04-21T21:01:45+00:00","description":"When it comes to pen testing, it can always be roughly broken down in to two core phases: scanning and 
exploiting","breadcrumb":{"@id":"https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/#primaryimage","url":"https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1.png","contentUrl":"https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1.png","width":2048,"height":954,"caption":"3 people using different navigation equipment"},{"@type":"BreadcrumbList","@id":"https:\/\/complior.se\/the-two-core-phases-of-penetration-testing-and-pci-compliance-pitfalls\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/complior.se\/"},{"@type":"ListItem","position":2,"name":"The Two Core Phases of Penetration Testing and PCI Compliance Pitfalls"}]},{"@type":"WebSite","@id":"https:\/\/complior.se\/#website","url":"https:\/\/complior.se\/","name":"Complior","description":"Security beyond 
compliance","publisher":{"@id":"https:\/\/complior.se\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/complior.se\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/complior.se\/#organization","name":"Complior","url":"https:\/\/complior.se\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/complior.se\/#\/schema\/logo\/image\/","url":"https:\/\/complior.se\/wp-content\/uploads\/2025\/06\/Complior_logo_dark-scaled.png","contentUrl":"https:\/\/complior.se\/wp-content\/uploads\/2025\/06\/Complior_logo_dark-scaled.png","width":2560,"height":960,"caption":"Complior"},"image":{"@id":"https:\/\/complior.se\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/complior.se\/#\/schema\/person\/841f8a57425589a6d7f13c201d345016","name":"Kikki Bostrom","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/secure.gravatar.com\/avatar\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3a78a33b10cfcbf5a04f53b522f24d176544c6ab014b5174854b6bb92287e13?s=96&d=mm&r=g","caption":"Kikki 
Bostrom"},"url":"https:\/\/complior.se\/en\/author\/kikki\/"}]}},"uagb_featured_image_src":{"full":["https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1.png",2048,954,false],"thumbnail":["https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1-150x150.png",150,150,true],"medium":["https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1-300x140.png",300,140,true],"medium_large":["https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1-768x358.png",768,358,true],"large":["https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1-1024x477.png",1024,477,true],"1536x1536":["https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1-1536x716.png",1536,716,true],"2048x2048":["https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1.png",2048,954,false],"trp-custom-language-flag":["https:\/\/complior.se\/wp-content\/uploads\/2020\/10\/two-phases-05-1-18x8.png",18,8,true]},"uagb_author_info":{"display_name":"Kikki Bostrom","author_link":"https:\/\/complior.se\/en\/author\/kikki\/"},"uagb_comment_info":0,"uagb_excerpt":"When it comes to pen testing, it can always be roughly broken down in to two core phases: scanning and 
exploiting","_links":{"self":[{"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/posts\/4999","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/comments?post=4999"}],"version-history":[{"count":2,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/posts\/4999\/revisions"}],"predecessor-version":[{"id":80636,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/posts\/4999\/revisions\/80636"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/media\/51216"}],"wp:attachment":[{"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/media?parent=4999"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/categories?post=4999"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/complior.se\/en\/wp-json\/wp\/v2\/tags?post=4999"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}