PCI DSS Compliance Penetration Test

PCI DSS (Payment Card Industry Data Security Standard) Requirements 11.4.1 and 11.4.2 state that internal and external penetration testing must be performed at least annually and after any significant changes – for example, infrastructure or application upgrades or modifications, or after installing new system components. Requirement 11.4.5 requires penetration testing of network segmentation controls.

Conducting penetration tests helps provide a crucial end-of-state check and can be used in the early stages of developing new processing systems to identify potential risks to cardholder data.

Our CREST-accredited team of penetration testers will be able to advise you on how PCI DSS testing requirements apply to your organisation. 

Speak to an expert

What is a PCI DSS compliance penetration test?

Performing penetration testing on your security systems, public-facing devices and systems, databases and other systems that store, process or transmit cardholder data means that you are attempting to discover your vulnerabilities before cyber criminals do.

The goals of penetration testing are to:

  • Determine whether and how a malicious user could gain unauthorised access to assets that affect the fundamental security of the system, files, logs and/or cardholder data; and
  • Confirm that the controls required by the PCI DSS are in place and effective.

Penetration testing is essentially a controlled, ethical form of hacking that involves assessing your chosen systems for any potential weaknesses. These weaknesses could result from inadequate or improper system configuration, known or unknown hardware or software flaws, and operational weaknesses in process-based or technical countermeasures.

Did you know?

Although Requirement 11 of the PCI DSS mandates regular testing of security systems and processes, Verizon’s 2017 PCI Compliance Report shows that security testing retains its traditional place at the bottom of the priority list, with only 71.9% of organisations achieving full compliance.

Payment card data is a prized commodity for cyber criminals and is usually the main target in attacks against commercial environments. The 2017 Trustwave Global Security Report identified that more than half of the incidents investigated targeted payment card data.

Benefits of a PCI compliance penetration test

Our penetration tests will help you to:

  • Defend the target environment from the perspective of an outsider with access only to untrusted networks;
  • Defend the organisation from an insider with access to trusted networks, but not necessarily from within the cardholder environment itself;
  • Secure the organisation against weaknesses in applications such as SQL injection and cross-site scripting; and
  • Test and prove that any segmentation controls and methods are operational and effective.

Is a PCI compliance penetration test right for you?

PCI DSS compliance, especially for RoCs (Reports on Compliance) and some SAQs (self-assessment questionnaires), requires internal and external vulnerability scans, and frequent penetration tests.

Annual* penetration test (Level 2)

Req. 11.4


SAQ D for merchants

SAQ D for service providers++





Quarterly wireless network analysis

Req. 11.2


SAQ D for merchants

SAQ D for service providers


Annual web application vulnerability scan1

Req. 6.6


SAQ D for merchants

SAQ D for service providers



* Or after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment).
# Only required for testing network segmentation if any is present.
+ Only external penetration test required.
++ For service providers, any network segmentation must be tested every six months.
1 Or after any change to the application. Applicable if developing own applications or using a third-party non-PCI-certified web application.

Our engagement process

Our CREST-accredited penetration testers follow an established methodology based primarily upon the OSSTMM (Open Source Security Testing Methodology Manual) and OWASP (Open Web Application Security Project) Top 10 Application Security Risks. This approach will emulate the techniques of an attacker using many of the same readily available tools.

  1. Scoping: Before testing, our account management team will discuss your PCI compliance assessment requirements for your internal network to define the scope of the test.
  2. Reconnaissance: The tester will enumerate your network assets within the defined scope of the CDE (the technology that can “store, process, or transmit cardholder data or sensitive authentication data”, and any technology that can affect its security).
  3. Assessment: Using the information identified in the initial phase, we test the network and applications for potential vulnerabilities. 
  4. Reporting: The test results will be fully analysed by an IT Governance certified tester and a full report will be prepared that describes the approach and findings, and that shows a logical flow through the penetration test steps to provide evidence to your appointed QSA and/or stakeholders.
  5. Re-test: We can provide access to our testers and the raw test data to support and expedite remediation. We can also retest your systems so that you can be sure all identified issues have been successfully resolved.

How IT Governance can help you

We make penetration testing easy to understand and quick to purchase.

Choose the penetration test that meets your budget and technical requirements.

We produce clear reports that can be understood by engineering and management teams alike.

Our CREST-accredited penetration testing services give you all the technical assurance you need.

Get a quote for our PCI compliance penetration test

Our team of experts are available to discuss your penetration testing needs and can help you decide which of our testing services best suits your organisation. Get in touch with us today.

SAVE 25%