PCI DSS and penetration testing

February 5, 2024  |  Clint Harris


PCI DSS (Payment Card Industry Data Security Standard) is a set of security controls created to ensure all companies that accept, process, store or transmit credit card data maintain an audit-ready environment. Version 4.0 was published in March 2022; organizations required to be compliant have until March 31, 2024, when compliance must be complete.

The most noteworthy upgrades in PCI DSS version 4.0 to Requirement 11 that apply to all organizations are that vulnerability scans must be conducted as authenticated scans, and that all applicable vulnerabilities must be managed. This prevents organizations from overlooking vulnerabilities or remediating only a selected subset of them.

PCI DSS requires penetration testing (pen testing) and vulnerability scanning as part of its requirements for compliance, to keep systems secure and to protect payment cardholder data. Pen testing must take place for any organization or entity that stores, processes, or transmits cardholder data in any capacity.

Payment card service providers must conduct PCI pen tests twice annually and vulnerability scans four times annually, and must perform further assessments whenever significant modifications to systems occur. In particular, organizations that process cardholder information via web applications may need further tests and scans whenever significant system modifications take place.

PCI pen tests are security assessments that must be conducted at least twice annually and after any significant change, to address vulnerabilities across all aspects of the cardholder data environment (CDE), including the networks, infrastructure, and applications found both inside and outside an organization's environment. By contrast, vulnerability scans are high-level tests that automatically search for vulnerabilities with severe scores; external IP addresses exposed within the CDE must also be scanned by an Approved Scanning Vendor (ASV) at least every three months and after any significant change, and the results reported accordingly.

PCI DSS sets forth specific guidelines and requirements for companies that must run regular PCI pen tests and vulnerability scans. System components, including custom software and processes, must be regularly evaluated to protect cardholder data over time, particularly after changes are introduced into the system. Service providers must conduct PCI pen tests every six months, or whenever significant modifications, major upgrades or updates to their systems take place. Significant changes that would necessitate further pen tests include: any addition or change to hardware, software, or networking equipment; upgrading or replacing current equipment; changes that affect cardholder data flow or storage; changes that alter the boundary of the CDE or the scope of the PCI DSS assessment; changes to supporting infrastructure such as directory services, monitoring or logging; and changes involving third-party vendors or services that support the CDE.

Vulnerability scanning is a crucial element of PCI DSS requirements for organizations. At least every 90 days, organizations must conduct internal and external PCI vulnerability scans with passing results: internal scans must not contain high-risk vulnerabilities that compromise cardholder data storage or processing, and external scans must be free from vulnerabilities assigned a CVSS base score of at least four (external findings with CVSS base scores between 4.0 and 4.99 are accepted). Only scans whose findings have severity scores between zero and three constitute passing scores.

Pen testing and vulnerability scanning are integral parts of PCI DSS compliance and an effective means of mitigating vulnerabilities on systems that process sensitive data. With our vulnerability and threat management services, penetration testing services to test an organization's network security posture, web application testing, as well as Penetration Testing as a Service (PTaaS), we can help achieve and sustain compliance.

The 6 steps of a pen test

1) Scoping

In this first step, the target organization works with the pen testing team to define the scope of the pen test, which includes the entire CDE perimeter (both internal and external), and any critical systems. It could also include access points, critical network connections, applications that store, process, or transmit cardholder data, and other locations of such data. Any systems that don’t connect to the CDE would be considered out-of-scope for this pen test.

2) Discovery

Once the scope is defined, the pen testing team gets to work by identifying your network assets within the specified scope. In this stage, the testing team gathers as much information on the target company as possible by performing different types of reconnaissance on the in-scope environment.

3) Evaluation

Using the information gathered so far, the tester now attempts to enter your systems through the discovered entry points and to uncover potential security vulnerabilities that may be lurking within your networks and applications.

4) Reporting

The testing team compiles a complete and comprehensive report that describes the test methodology, highlights the security flaws discovered, and includes other relevant information.

5) Remediation

The remediation team mitigates all noted exploitable vulnerabilities and security weaknesses. Keep in mind that the organization’s risk assessment as defined in PCI DSS 6.3.1 should be considered during this step.

6) Retest

The pen test process is repeated regularly and/or every time there is a change in your infrastructure. Retesting is the best way to ensure that your previous remediation efforts are effective.


We offer consulting services for PCI-DSS compliance and pen testing. Start here to see the broad scope of cybersecurity services we offer.
