Table of Contents

PCI Penetration Testing: Compliance Requirements, Frequency, & Guidelines

Reviewed & Written by:

|

Published:

|

Updated:

March 15, 2026
PCI Penetration Testing
Table of Contents

Protecting cardholder data is no longer just a best practice—it’s a critical necessity. This is where PCI penetration testing comes into play. Unlike general compliance efforts, PCI DSS penetration testing identifies real-world issues to improve the defences of your systems. It’s a proactive approach that goes beyond simply checking boxes and identifying vulnerabilities before attackers can exploit them and cause significant damage.

The financial stakes are higher than ever, with the global average data breach cost reaching a staggering $4.45 million in 2023 (According to IBM) and online payment fraud losses projected to skyrocket to over $362 billion in the next five years.

The Payment Card Industry Data Security Standard (PCI DSS) is a global cornerstone for safeguarding credit card data. PCI DSS version 4.0, the most recent iteration, emphasises a dynamic, risk-based approach to security, compelling organisations to tailor their controls to their unique environments. PCI DSS penetration tests are crucial for meeting and maintaining security standards.

What is PCI DSS Compliance?

PCI DSS 4.0, released in March 2022, represents a significant evolution in payment card data security. It moves beyond a checklist mentality to emphasise a more flexible, risk-driven approach. Instead of simply adhering to prescribed controls, organisations are now capable of managing their security measures to their specific environment and risk profile. This includes prioritising security controls based on a thorough risk assessment, i.e. PCI DSS Penetration Testing, and focusing on achieving measurable security outcomes.

A core principle of PCI DSS 4.0 is defence-in-depth, encouraging a layered security approach to create a more resilient defence against evolving threats. Penetration testing plays a critical role within this risk-based framework, validating the effectiveness of implemented security controls and identifying vulnerabilities before they can be exploited. It is an essential component of a comprehensive PCI DSS compliance program.

💡Suggested read: PCI DSS v4.0: Compliance, Requirements, How to achieve compliance

What is PCI Penetration Testing?

A PCI penetration test specifically focuses on systems within the scope of your Cardholder Data Environment (CDE), including network devices, servers, applications, and any other component that stores, processes, or transmits credit card data. It mimics the tactics and techniques of real-world attackers to identify and exploit security vulnerabilities before malicious actors can access credit card data or underlying systems.

Benefits of PCI Penetration Testing

 

The goal here is not just to find security vulnerabilities but to demonstrate how they could be safely exploited to gain unauthorised access to sensitive information.

This proactive approach helps organisations understand their security posture, identify weaknesses in their defences, and prioritise remediation efforts. Penetration testing is a critical requirement of PCI DSS, helping businesses protect cardholder data and maintain compliance.

What are the PCI Penetration Testing Requirements?

PCI penetration testing requirements outline the specific requirements aligned with the PCI DSS compliance document. Here’s a breakdown of the PCI DSS requirements specifically the major part of requirement 11 asking to regularly test security systems and processes:

PCI DSS 4.0 Requirements

Requirement 11.3.1 – External Penetration Testing (Networks and Applications)

Simulates external attacks to identify security vulnerabilities accessible from outside the organisation’s network. Must be performed annually and after significant changes to the CDE. External network vulnerability scans are often used in conjunction with external penetration testing. External vulnerability scans must be performed by ASV vendors, not pentesting companies.

💡Suggested Read: External Penetration Testing

💡Suggested Read: Web Application Penetration Testing

Requirement 11.3.2 – Internal Penetration Testing (or PCI CDE Penetration test)

PCI CDE penetration testing is a common term used in PCI circles that means the same as internal penetration testing. Vulnerability scanning is often used in conjunction with internal pen tests; however, they are two separate activities with different goals.

PCI internal pen testing mimics attacks originating from within the network to expose security vulnerabilities that malicious insiders could exploit. Sometimes this is bundled as internal and external pentesting; it requires annual execution and retesting after significant changes.

💡Suggested Read: Internal Penetration Testing

Requirement 11.3.3 – Network Segmentation Testing

Segmentation testing is checking whether the segmentation controls are working effectively to isolate CDE and non-CDE environments or vice versa. Network segmentation pentesting can be integrated into internal penetration tests due to similarities in scoping and testing techniques for internal networks and segmentation controls. The PCI Council, the authority on this subject, have created dedicated guidance on segmentation.

Requirement 11.3.4 – Application-Layer Penetration Testing

Application penetration test focuses on identifying vulnerabilities within web applications and underlying APIs that transmit cardholder data. This assessment is conducted to identify vulnerabilities such as cross-site scripting, SQL Injection, misconfiguration, broken access controls and other OWASP Top 10 related risks. A web applications pen tester utilises both manual and automated tools to safely exploit vulnerabilities to demonstrate the extent of weaknesses, their impact and practical likelihood. This is then detailed in the PCI DSS penetration test report aimed at PCI DSS applications and API scope.

Cyber attacks are not a matter of if, but when. Be prepared.

Box-ticking approach to penetration tests is long gone. We help you identify, analyse and remediate vulnerabilities so you don’t see the same pentest report next time.

Requirement 11.4 – Penetration Testing Methodology

This requirement mandates using a qualified penetration tester who adheres to a documented and industry-recognised penetration test methodology. A methodology can be beyond just typical OWASP Top 10 risks because test cases are defined on the basis of functionalities and modules in use by in-scope components such as networks, web apps, systems, and services. We have covered more on the use of penetration testers and their qualifications in the following sections.

Requirement 11.5 – Remediation and Retesting

Discovered vulnerabilities must be prioritised, addressed promptly, and retested to confirm remediation effectiveness – often known as triage and remediation work. Our unlimited retesting and remediation planning as part of penetration testing supports PCI DSS compliance requirements to actually move the needle on risk reduction.

PCI DSS Penetration Testing Frequency

Here’s a breakdown of how often you need to perform PCI penetration testing:

  • External Testing: At least annually and after significant infrastructure or application changes that could introduce new vulnerabilities. This is often referred to as annual penetration testing.
  • Internal Testing and Segmentation Testing: Ideally, it should be done every six months. Many organisations combine these tests for efficiency on an annual basis.
  • Remediation and Retesting: Required for medium-risk or higher vulnerabilities to verify that fixes are effective.

Who needs a PCI penetration test?

Any organisation that handles credit card data—merchants, payment processors, financial institutions (including fintech and other modern financial services providers), and any third-party service provider with access to cardholder data—must comply with PCI DSS standards. This means regular penetration testing is mandatory for protecting sensitive information and maintaining compliance. If your business stores, processes, or transmits cardholder data, you need PCI penetration testing.

Read our extensive guide to penetration testing

How do you decide if you require a PCI DSS Penetration test?

While PCI DSS compliance, including penetration testing, is crucial for businesses handling cardholder data, not every organisation requires it. For example, a small business that only accepts cash or cheque payments and never handles credit card information directly would typically fall outside the scope of PCI DSS requirements. Similarly, a software development company that builds applications but never processes or stores payment card data on its own systems would likely not need PCI penetration testing.

The key factor is whether your business interacts with credit card data at any point in the payment process. If you don’t, you likely won’t need PCI pen testing. However, it’s always best to consult with a security professional to confirm your specific requirements.

PCI Penetration Test Process

The PCI pen test process helps validate the security of CDE used to transmit cardholder data. It involves a structured approach, beginning with a clearly defined compliance testing scope consisting of all systems connected to the CDE, followed by establishing rules of engagement to guide the testing process.

The importance of security awareness training for employees as part of the overall security posture cannot be ignored. Humans are the strongest line of defence or the weakest, depending upon their awareness levels.

The use of manual techniques and automated tools is part of the penetration test methodologies during a PCI DSS engagement. A key differentiator in PCI DSS testing is the review of past issues and test results, which informs the current assessment and verifies remediation efforts. This, coupled with a review of control deployment, ensures a thorough evaluation of security posture and compliance with PCI security standards.

The actual testing phase and subsequent penetration test report follow typical pen testing procedures but with an added focus on compliance and validation. Here’s this process defined in detail on how Cyphere supports customers for their PCI DSS pen tests.

How to perform a PCI DSS penetration test?

Undergoing a PCI penetration test involves several key phases that ensure a thorough assessment and compliance with PCI DSS standards.

Here’s a breakdown of the PCI Pen Test process:

1. PCI Penetration Testing Scope

PCI DSS scope includes all those components within the cardholder data environment (CDE), which includes people, processes, and technologies used to transmit cardholder data (CHD) or sensitive authentication data. This extends beyond just the CDE itself to include any systems “connected to” it, regardless of their function. Connectivity can be physical (e.g., Ethernet, USB), wireless (e.g., Wi-Fi, Bluetooth), or virtualized (e.g., virtual machines, virtual networks), and the complexity of these connections necessitates careful evaluation by a pen tester with technical expertise to accurately determine the full scope.

Critically, any system within the CDE is automatically in scope, as are systems with any level of connectivity to the CDE. Even seemingly unrelated systems can pose a risk if they can access the CDE. In a flat network, if any system handles account data, all systems are considered in scope. While public networks like the internet are themselves out of scope, PCI DSS requires robust security measures to protect in-scope systems and CHD from those untrusted networks.

Before the annual pen test begins, detailed information about your Cardholder Data Environment (CDE) is crucial. This includes:

  • Number of systems (hosts) involved
  • Number of network segments within the CDE scope
  • A network diagram illustrating the CDE’s layout

Network penetration test helps in defining the scope of PCI penetration testing by assessing the number of systems or web application penetration testing for PCI DSS, including applications and APIs, the time required to complete the test, and the depth of documentation needed.

2. Rules of Engagement

Once the scope is defined, it’s time to establish clear guidelines for the testing process via a project plan or SoW. This information will be documented and included in the final penetration testing report submitted to your auditor. Key details to cover include:

  • Testing windows: Specify the approved times for the testing to take place.
  • Excluded systems: List any systems that should not be scanned automatically.
  • Testing limitations: Identify controls that might hinder testing or require special considerations.
  • Communication channels: Define how the pentesting team and your team communicate throughout the process.
  • Potential concerns: Raise any specific issues or questions for the tester.

How is PCI DSS Pen Testing performed

PCI Penetration Testing Standards & Methodology

PCI pen testing, required by PCI DSS requirement 11.3, follows NIST SP800-115 and covers the entire cardholder data environment (CDE). This includes all critical systems and supporting systems.

  • Scope: Testing must cover the entire CDE, not just parts of it.
  • Types of Testing: Both external and internal network penetration tests are mandatory. This could be black-box, white-box, or grey-box based on the test cases and methodologies to be used.
  • Segmentation Test: Internal tests must include segmentation testing (e.g., VLANs) to verify they effectively isolate CHD. This is a key difference from standard penetration tests.
  • Application Test: Application penetration testing must address the OWASP Top 10 vulnerabilities for any application within the CDE.
  • Network Penetration Test: PCI DSS requires network layer testing based on the in-scope components.

While the technical execution might be similar to a standard penetration test, PCI DSS has some crucial differences:

  • Segmentation Testing: This is a specific PCI DSS requirement and isn’t always part of standard tests.
  • Documentation: PCI DSS compliance requires thorough documentation.

It’s essential to tell your chosen consultancy to perform the penetration test aligned with PCI DSS compliance. A responsible consultancy shall guide you on penetration test report structure and tailor your needs, liaising with auditors and retests and the entire process of PCI annual pentesting.

Several methodologies (OSSTMM, NIST SP 800-115, OWASP Testing Guide, PTES, and the Penetration Testing Framework) can inform the overall approach, but specific techniques will vary.

3. Reviewing Past Issues and PCI Pentest Results

Here’s how success criteria are determined:

  • Testing techniques and depth: The defined criteria will guide the intensity and types of testing methods used.
  • Validating impact: In some cases, demonstrating how a system can be compromised can be helpful. This can assist in validating the severity of an issue and ensuring proper logging is in place for future detection.

Unlike typical security testing, PCI DSS emphasises reviewing past issues and test results. This helps with verifying remediation measures, gain insights into past weaknesses that could still allow certain attacks and assessing existing controls functionality.

4. Control Deployment Review

To ensure compliance, PCI pentesting involves additional evidence-gathering measures not typically seen in regular penetration tests. Understanding how security controls are implemented is crucial for validating their effectiveness during testing.

Secure code is an essential element for business growth

Show your customers and supply chain you can manage application risks with secure coding practices.

5. The Testing Process and Beyond

The core testing phase, along with post-testing activities (reporting, review meetings, and potential retesting), follow a similar structure as in regular security testing. However, the emphasis on scoping, defining success criteria, and leveraging past security data makes PCI pen tests a unique and compliance-focused exercise. The most strategic input for this phase is the reporting part.

Who Should Conduct PCI Compliance Penetration Testing?

The standard practice is to use external or third-party pen testers to perform penetration testing. There are two options for conducting a PCI penetration test:

Internal Resources to support preparations

If you are performing internal testing, a qualified internal resource with the necessary expertise can perform the testing. However, this approach can be:

  • Time-consuming: Finding dedicated time for internal testing can be a challenge.
  • Resource-intensive: The staff member needs significant expertise.
  • Potentially biased: Penetration testing must be performed by qualified personnel who are independent of the systems being tested to avoid conflicts of interest.

PCI DSS Penetration Testing Services Providers

This option is standard, especially for smaller businesses. Benefits include:

  • Efficiency: External penetration testing provider has the resources and expertise for thorough testing.
  • Reduced workload: Security teams can focus on other priorities.
  • Objectivity: External PCI pen tests bring a fresh perspective and minimise bias.

The PCI pen testing guidance covers choosing a qualified external provider. Here’s what to look for:

  • Certifications: CREST, OSCP, OSCE, PNPT, BCSP, CISSP, CEH (Certified Ethical Hacker), and GSNA indicate a provider’s competence to perform penetration tests. Having pen testers with certifications like Offensive Security Certified Professional (OSCP) is crucial to demonstrating technical capabilities for conducting impartial testing against the environment.
  • PCI DSS Experience: Choose a provider with a proven track record of conducting PCI DSS-compliant penetration tests.
  • Experience Matching Your Needs: Ensure the provider has experience with businesses similar to yours in size and industry.

By carefully selecting a qualified provider, you can streamline your path to PCI DSS compliance and ensure a thorough and objective security assessment.

How much does PCI penetration testing cost?

While there’s no one-size-fits-all price for PCI penetration testing, here’s a breakdown of factors that influence the cost:

  • Scope: The total number of live systems in the case of a network or the size of the web application and underlying APIs influence the scope. This factor is directly proportional to the effort of a pen tester and costs.
  • CDE Focus: Most organisations focus the penetration test solely on the CDE. This requires a clearly defined CDE to determine the testing scope and might impact the final price. In case these are bundled with other services, the overall cost may be lower for a business; however, it’s based on the vendor and the way the offer is priced.
  • Test Type: Unlike basic unauthenticated application tests, web application testing is mandatory for performing penetration testing. Web application testing typically involves a more in-depth application layer testing compared to a cheaper small external infrastructure scan. Furthermore, it depends upon the scope of the type of PCI test.

How do you choose a PCI Compliance Penetration Testing Vendor?

Selecting a qualified PCI DSS penetration testing service provider is vital for a thorough and compliant assessment of your Cardholder Data Environment (CDE). Ensure your chosen provider meets these criteria:

PCI Penetration Testing

  • Certifications and Qualifications: Seek providers with industry-recognised certifications, such as CREST, OSCP, OSCE, and CISSP, demonstrating their expertise and commitment to professional standards. Cyphere is a CREST-accredited penetration testing services provider with proven PCI DSS compliance experience.
  • Industry-Specific Experience: Opt for a provider familiar with your industry’s unique security challenges and regulatory requirements, ensuring a tailored approach to testing.
  • Reputation and References: Research the provider’s standing within the cybersecurity community, seek client testimonials, and request references for direct feedback. We happily provide customer references to validate our expertise and sector experience.
  • Comprehensive Methodology: Confirm using a documented, industry-recognised testing methodology, detailing the steps, tools, techniques, and reporting format for transparency and thoroughness.
  • Post-Testing Support: Prioritise providers offering risk remediation planning guidance, verification of fixes through retesting, and ongoing support to address new security concerns, ensuring your vulnerabilities are effectively mitigated.

By selecting a provider meeting these criteria, you’ll receive a comprehensive and objective PCI DSS penetration test, enhancing your security posture and compliance.

Best Practices for PCI DSS Penetration Testing

Adhering to these best practices will maximise the effectiveness of your PCI DSS penetration testing:

Best practices for PCI DSS Penetration Testing

  • Regular Testing: Conduct tests at least annually and after a significant upgrade to the CDE. More frequent testing, ideally every six months or quarterly, allows for faster identification and remediation of vulnerabilities.
  • Comprehensive Scope: Clearly define the CDE’s boundaries, including all relevant systems, networks, and applications, to ensure no critical systems are overlooked.
  • Risk-Based Approach: Prioritise testing based on a thorough risk assessment, focusing on high-risk areas and critical systems for efficient resource allocation.
  • Layered Security (Defence-in-Depth): Implement multiple security controls, combining preventive, detective, and corrective measures to create a resilient defence against attacks.
  • Thorough Methodology: Employ a documented and industry-recognised methodology encompassing automated and manual testing techniques to ensure comprehensive coverage.
  • Prioritised Remediation and Retesting: Address identified vulnerabilities promptly, prioritising by severity and potential impact. Retest to verify the effectiveness of fixes and ensure new vulnerabilities haven’t been introduced.
  • Communication and Collaboration: Maintain open communication with your security testing provider, establishing clear channels for updates, feedback, and collaboration.

Is your business responsible for conducting regular penetration tests? Get in touch to discuss your concerns or learn our approach to delivering excellent returns on your investments.

Frequently Asked Questions (FAQs)

What is PCI penetration testing?

PCI penetration testing simulates cyberattacks against your cardholder data environment (CDE) to identify and exploit vulnerabilities before attackers can, validating your security posture.

How often should full penetration testing be performed for PCI DSS?

PCI DSS requires annual external penetration tests after significant upgrades or CDE changes. Internal and segmentation testing is recommended every six months.

Cyber attacks are not a matter of if, but when. Be prepared.

Box-ticking approach to penetration tests is long gone. We help you identify, analyse and remediate vulnerabilities so you don’t see the same pentest report next time.

How do I test PCI compliance?

PCI testing involves vulnerability scanning, penetration testing, security audits, and completing Self-Assessment Questionnaires (SAQs).

Is penetration testing required for PCI DSS?

Yes, penetration testing is mandatory for PCI DSS compliance (Requirement 11).

How do I test PCI DSS?

Testing PCI DSS involves technical assessments (penetration testing, vulnerability scanning), policy reviews, and compliance documentation (SAQs, Reports on Compliance).

How often do companies conduct penetration tests as required by PCI DSS?

Companies must conduct external penetration tests annually and after significant CDE changes. Internal/segmentation testing is recommended bi-annually.

What is PCI compliance testing?

PCI compliance testing validates adherence to PCI DSS, including penetration testing, vulnerability scanning, audits, and documentation.

What is the minimum frequency for PCI DSS penetration testing?

The minimum frequency for external PCI DSS penetration testing is annually.

What is the industry standard for penetration testing frequency?

Industry best practice recommends more frequent testing (quarterly or bi-annually) than the PCI DSS minimum of annually, especially for high-risk organisations.

What does the PCI DSS provide guidance for?

PCI DSS provides guidance for protecting cardholder data, including requirements for network security, data protection, vulnerability management, access control, monitoring, and security policies.

Which security requirements are mandated by the PCI DSS?

PCI DSS mandates 12 key requirements covering network security, data protection, vulnerability management, access control, monitoring, testing, and security policies.

How much should a penetration test cost?

Penetration test cost depends on scope, complexity, and testing type. Typically for a medium sized network or a web application, it should cost around £5000-£8000. Contact providers for a tailored quote.

 

Meet Your Compliance Obligations Without the Guesswork

Our consultants guide you through ISO 27001, PCI DSS, UK GDPR, and sector-specific requirements with practical, audit-ready deliverables.

Trusted by 150+ UK orgs

Related Reads

Join 1000+ subscribers getting the best tips on cybersecurity, security management, and more!

You may opt-out at any time. Read our privacy policy.

Get in touch

No salesy newsletters. View our privacy policy.

How "Defensible" is your firm compared to UK peers?

Most SMBs and mid-market firms have “silent” gaps in their people, process and tech controls implementation. Take the 90-second maturity audit to see your percentile rank.