Best PCI PTS Pre and Post Compliance Testing Companies (2026)
This is a narrow niche within PCI PTS testing: firms that provide offensive security testing of payment devices before and after formal compliance, rather than running a PCI Recognized Laboratory. Pre compliance testing hunts for vulnerabilities in a payment terminal before it goes for formal PTS POI evaluation, so weaknesses are found and fixed early. Post compliance testing validates that a device stays resilient after approval, as firmware and hardware revisions ship. The work is hands-on offensive research, not a certification tick-box.
Related: PCI PTS compliance testing companies · Automotive pen testing companies · PCI DSS pen testing
What is pre and post compliance testing, and how is it different from a lab?
PCI PTS (PIN Transaction Security) approval is granted after a formal evaluation carried out by a PCI Recognized Laboratory against the PTS POI security requirements. That lab evaluation is a structured, standards-driven assessment. It is not the same thing as adversarial, offensive security testing that tries to break the device the way a real attacker would.
Pre and post compliance testing is that adversarial layer. Before a device is submitted, a pre compliance engagement puts the terminal through physical and tamper attacks, side-channel analysis, fault injection, firmware extraction and review, and cryptographic implementation analysis, so the manufacturer finds and fixes weaknesses before a lab, or an attacker, does. After approval, post compliance testing re-tests the device as firmware updates and hardware revisions ship, because approval is a point-in-time status and real devices keep changing.
The firms that do this well are offensive security specialists with a hardware lab and deep embedded and payment-device experience, not certification bodies. It is a small field. PCA Cybersecurity is the specialist we list for this niche: a PCI SSC Associate Participating Organization with hands-on payment terminal offensive testing experience, distinct from the Recognized Laboratories that perform formal PTS evaluation.
PCA Cybersecurity
Munich-based automotive cybersecurity specialist focused on UN R155, ISO/SAE 21434, and vehicle research. Pwn2Own Automotive participant with a dedicated ECU and vehicle test lab.
Best PCI PTS Pre and Post Compliance Testing Companies (2026), FAQs
What is PCI PTS pre and post compliance testing?+
It is offensive security testing of payment devices around the PCI PTS approval process. Pre compliance testing finds and helps fix vulnerabilities in a terminal before it is submitted for formal PTS POI evaluation. Post compliance testing re-validates the device after approval as firmware and hardware change. It is adversarial testing by security specialists, not the formal lab evaluation itself.
How is this different from a PCI Recognized Laboratory?+
A PCI Recognized Laboratory performs the formal, standards-driven PTS POI evaluation that leads to approval. Pre and post compliance testing is separate: offensive, adversarial security testing that tries to break the device the way a real attacker would, to find weaknesses before or after the formal evaluation. The two are complementary but distinct disciplines.
Why do a pre compliance test before going to a lab?+
Formal evaluations are expensive and slow, and a device that fails on a fundamental weakness wastes that time and cost. A pre compliance offensive test surfaces tamper, side-channel, fault-injection, firmware, and cryptographic weaknesses early, so they can be remediated before submission, improving the odds of a clean approval.
Who provides this kind of testing?+
Very few firms. It requires a hardware security lab, embedded and payment-device expertise, and offensive research capability, rather than the certification role of a Recognized Laboratory. PCA Cybersecurity is the specialist listed here for payment-device offensive testing.