Payment and Electronic Money Institutions
CBRT Communiqué-Compliant TSE TS 13638/T2 Certified Penetration Testing
As Nesil Teknoloji, we perform fully compliant TSE TS 13638/T2 certified penetration tests in line with the CBRT Communiqué and the Community Cloud Conformity Guide (Annex-5), and we report the outputs in an official format that can be submitted to the CBRT.
Nesil Teknoloji — Regulatory Compliance Focused
Who Is It For?
Payment Institutions
POS, virtual POS, payment gateway, wallet, transfer/remittance services.
Electronic Money Institutions
Wallet, card, money transfer, merchant services.
Community Cloud Users
Services within the scope of the CBRT Community Cloud Conformity Guide (Annex-5).
Frequency: 1+ per year — pentest at least once a year (the period recommended by regulation)
Legal/Regulatory Framework
CBRT Communiqué & Guide
  • Compliance with the Communiqué on the Information Systems of Payment and E-Money Institutions
  • Meeting the requirements of the Community Cloud Conformity Guide (Annex-5)
  • Preparation of reports in a format that can be submitted to the CBRT
Impartiality & Competence
  • Tests performed by TSE TS 13638/T2-certified teams or teams of equivalent competence
  • A senior pentester team certified with CREST/OSCP/OSCE and similar
  • Processes aligned with ISO/IEC information security principles
ROE (Rules of Engagement) — Authorisation, scope and timing are approved in writing.
Test Scope (Minimum Headings)
Communication Infrastructure & Active Devices
FW/Router/Switch, DMZ
DNS Services
Domain name & registration security
Domain & Endpoints
AD/M365/Endpoint
E-mail Services
Phishing, SPF/DKIM/DMARC
Database Systems
Privilege/query security
Web Applications & API
OWASP + API tests
Mobile Applications
iOS/Android
Wireless Network
Encryption, isolation
ATM Systems
(If any) branch/ATM segment
DDoS
Coordinated capacity test
Social Engineering
Phishing/Vishing
Cloud Components
Community cloud controls
Note: The minimum scope is expanded according to the organisation's scale and risk profile.
Methodology — Access Points & Profiles
Access Points
  • Internet: Exposed services from an external location
  • Internal Network: Corporate LAN/WAN
  • Branch Network: Branch segment & access
User Profiles
  • Anonymous (guest/external user)
  • Customer (login-authorised)
  • Guest (Guest Wi-Fi)
  • Employee (standard + local admin)
Core Steps
  • System Identification (OS/Banner/Config)
  • Service Identification (Port/Service Inventory)
  • Vulnerability Scanning & Verification
1. Discovery & Inventory — Passive/active discovery, asset verification
2. Scanning — Port/vulnerability scans (automated + manual verification)
3. Controlled Exploitation — Proof (PoC) of critical/high vulnerabilities and impact analysis
4. Lateral Movement — Access expansion scenarios (where conditions permit)
5. Reporting — Executive summary, technical findings, recommendations
6. Retest — Remediation verification and closure evidence
Finding Severity Levels & Report Format
Level     | Definition
Emergency | A vulnerability that allows full takeover from the external network even by an unqualified attacker
Critical  | A vulnerability that allows full takeover from the external network by a qualified attacker
High      | Partial privilege escalation/denial of service from the external network; privilege escalation locally
Medium    | A vulnerability creating denial-of-service risk from the local network/server
Low       | Impact uncertain; findings stemming from a lack of hardening
Report Headings
  • Executive Summary (risk panorama & priorities)
  • Findings (Ref No, Name, Severity, Impact, Access Point, Profile, Component, Description, Remediation)
  • PoC evidence and impact analysis
Process & Notification
  • Full report — format submittable to the CBRT
  • Management-approved action plan and closure tracking
  • Prompt closure and retest for Critical/Emergency findings
Conformity Matrix (Summary)
Requirement         | Our Approach                                                   | Output
Authorisation & ROE | Written scope, boundaries, communication plan                  | ROE document
Period              | At least 1 annually; interim test upon major change            | Test schedule
Scope               | Network, application, API, mobile, cloud, DDoS, social eng.    | Scope list
Methodology         | Discovery → Scanning → Exploit (controlled) → Impact           | Methodology document
Reporting           | Findings + PoC + recommendations (CBRT format)                 | Report package
Follow-up           | Action plan + retest + closure evidence                        | Approved plan & retest report
Frequently Asked Questions
Will there be downtime in production?
Tests carrying downtime risk are performed only with organisational coordination and within a suitable window.
How is data confidentiality ensured?
All data is processed under KVKK/GDPR and contractual confidentiality; PoCs are masked.
Can the report be submitted to the CBRT?
The report format and annexes are prepared in a form submittable to the CBRT and shared with the organisation's approval.
How does the retest process work?
Verification tests are performed after remediation; closure evidence is reported.
Why Nesil Teknoloji?
TSE TS 13638/T2 Competence
The impartiality and expertise the regulation requires.
Sector Focus
A team that knows payment/e-money flows and risks.
Audit-Ready Output
A report package and annexes submittable to the CBRT.
End-to-End Support
Scope → execution → action plan → retest.
CBRT-Compliant Pentest — Quote & Sample Report
Let's define the scope together; we will come back with a timeline and a CBRT-compliant report set.