Payment and Electronic Money Institutions
CBRT Communiqué-Compliant TSE TS 13638/T2 Certified Penetration Testing
As Nesil Teknoloji, we perform fully compliant TSE TS 13638/T2 certified penetration tests in line with the CBRT Communiqué and the Community Cloud Conformity Guide (Annex-5), and we report the outputs in an official format that can be submitted to the CBRT.
Nesil Teknoloji — Regulatory Compliance Focused
Who Is It For?
Payment Institutions
POS, virtual POS, payment gateway, wallet, transfer/remittance services.
Electronic Money Institutions
Wallet, card, money transfer, merchant services.
Community Cloud Users
Services within the scope of the CBRT Community Cloud Conformity Guide (Annex-5).
Pentest at least once a year (the period the regulation recommends)
Legal/Regulatory Framework
CBRT Communiqué & Guide
- Compliance with the Communiqué on the Information Systems of Payment and E-Money Institutions
- Meeting the requirements of the Community Cloud Conformity Guide (Annex-5)
- Preparation of reports in a format that can be submitted to the CBRT
Impartiality & Competence
- Tests performed by teams holding TSE TS 13638/T2 certification, or teams of equivalent competence
- A senior pentester team holding CREST/OSCP/OSCE or similar certifications
- Processes aligned with ISO/IEC information security principles
ROE (Rules of Engagement) — Authorisation, scope and timing are approved in writing.
Test Scope (Minimum Headings)
Communication Infrastructure & Active Devices
FW/Router/Switch, DMZ
DNS Services
Domain name & registration security
Domain & Endpoints
AD/M365/Endpoint
E-mail Services
Phishing, SPF/DKIM/DMARC
Database Systems
Privilege/query security
Web Applications & API
OWASP + API tests
Mobile Applications
iOS/Android
Wireless Network
Encryption, isolation
ATM Systems
(If any) branch/ATM segment
DDoS
Coordinated capacity test
Social Engineering
Phishing/Vishing
Cloud Components
Community cloud controls
Note: The minimum scope is expanded according to the organisation's scale and risk profile.
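What the SPF/DMARC part of the "E-mail Services" scope item actually evaluates, shown as an added example that is not part of this page and not Nesil Teknoloji's own tooling: a small Python evaluator that scores the TXT records a tester would pull with `dig TXT example.com` and `dig TXT _dmarc.example.com`. The two record pairs below are constructed, and the domains and mailbox addresses in them are placeholders. DKIM is deliberately left out, because verifying it needs a selector and a signed message rather than a DNS record alone.

```python
"""Assess SPF and DMARC TXT records for spoofing exposure (added example)."""

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanisms use ':' (include:domain), modifiers use '=' (redirect=domain)
        sep = ":" if ":" in term else "="
        name, _, value = term.partition(sep)
        parsed.append((qualifier, name.lower(), value))
    return parsed


def assess_spf(record):
    """Return a list of human-readable SPF findings (empty means no issue)."""
    findings = []
    terms = parse_spf(record)
    all_qualifier = None
    lookups = 0
    for qualifier, name, _ in terms:
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders are implicitly neutral")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises any host to send; the record is useless")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral; spoofed mail is not penalised")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' is softfail only; enforcement depends on DMARC")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if any(name == "ptr" for _, name, _ in terms):
        findings.append("SPF: 'ptr' mechanism is deprecated and unreliable")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; requires v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(tags):
    """Return (enforced, findings); enforced is True only for full quarantine/reject."""
    findings = []
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))  # default per RFC 7489 is 100
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid 'p' tag; policy is not enforced")
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address; aggregate reports are not collected")
    enforced = policy in ("quarantine", "reject") and pct == 100
    return enforced, findings


def assess_domain(spf_record, dmarc_record):
    """Combine both checks. 'spoofable' is True when DMARC would not stop a forged
    From: header; a strict SPF '-all' alone cannot, because the attacker controls
    the envelope sender that SPF evaluates."""
    enforced, dmarc_findings = assess_dmarc(parse_dmarc(dmarc_record))
    return {"spoofable": not enforced,
            "findings": assess_spf(spf_record) + dmarc_findings}


# Constructed sample records (placeholder domains), not taken from any real zone.
WEAK = ("v=spf1 include:_spf.example.net a mx ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
STRONG = ("v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
          "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for label, pair in (("weak", WEAK), ("strong", STRONG)):
        result = assess_domain(*pair)
        print(label, "spoofable =", result["spoofable"])
        for finding in result["findings"]:
            print("  -", finding)
```

The weak pair reports softfail SPF and a monitor-only DMARC policy and is flagged as spoofable; the strong pair produces no findings. A second-order check a tester would add is verifying that every `include:` target resolves and itself ends in a hard or soft fail, since a dangling include is a common cause of permerror.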
Methodology — Access Points & Profiles
Access Points
- Internet: Exposed services from an external location
- Internal Network: Corporate LAN/WAN
- Branch Network: Branch segment & access
User Profiles
- Anonymous (guest/external user)
- Customer (login-authorised)
- Guest (Guest Wi-Fi)
- Employee (standard + local admin)
Core Steps
- System Identification (OS/Banner/Config)
- Service Identification (Port/Service Inventory)
- Vulnerability Scanning & Verification
1. Discovery & Inventory — Passive/active discovery, asset verification
2. Scanning — Port/vulnerability scans (automated + manual verification)
3. Controlled Exploitation — Proof (PoC) of critical/high vulnerabilities and impact analysis
4. Lateral Movement — Access expansion scenarios (where conditions permit)
5. Reporting — Executive summary, technical findings, recommendations
6. Retest — Remediation verification and closure evidence
Finding Severity Levels & Report Format
| Level | Definition |
|---|---|
| Emergency | A vulnerability that allows full takeover from the external network even by an unqualified attacker |
| Critical | A vulnerability that allows full takeover from the external network by a qualified attacker |
| High | Partial privilege escalation/denial of service from the external network; privilege escalation locally |
| Medium | A vulnerability creating denial-of-service risk from the local network/server |
| Low | Impact uncertain; findings stemming from a lack of hardening |
Report Headings
- Executive Summary (risk panorama & priorities)
- Findings (Ref No, Name, Severity, Impact, Access Point, Profile, Component, Description, Remediation)
- PoC evidence and impact analysis
Process & Notification
- Full report — format submittable to the CBRT
- Management-approved action plan and closure tracking
- Prompt closure and retest for Critical/Emergency findings
Conformity Matrix (Summary)
| Requirement | Our Approach | Output |
|---|---|---|
| Authorisation & ROE | Written scope, boundaries, communication plan | ROE document |
| Period | At least 1 annually; interim test upon major change | Test schedule |
| Scope | Network, application, API, mobile, cloud, DDoS, social eng. | Scope list |
| Methodology | Discovery → Scanning → Exploit (controlled) → Impact | Methodology document |
| Reporting | Findings + PoC + recommendations (CBRT format) | Report package |
| Follow-up | Action plan + retest + closure evidence | Approved plan & retest report |
Frequently Asked Questions
Will there be downtime in production?
Tests that carry downtime risk, such as the coordinated DDoS capacity test, are run only in coordination with the organisation and within an agreed window.
How is data confidentiality ensured?
All data is processed under KVKK/GDPR and contractual confidentiality; sensitive values in PoC evidence are masked.
Report submission to the CBRT?
The report format and annexes are prepared in a form submittable to the CBRT and shared with the organisation's approval.
How does the retest process work?
Verification tests are performed after remediation; closure evidence is reported.
Why Nesil Teknoloji?
TSE TS 13638/T2 Competence
The impartiality and expertise the regulation requires.
Sector Focus
A team that knows payment/e-money flows and risks.
Audit-Ready Output
A report package and annexes submittable to the CBRT.
End-to-End Support
Scope → execution → action plan → retest.
CBRT-Compliant Pentest — Quote & Sample Report
Let's define the scope together; we will come back with a timeline and a CBRT-compliant report set.