PCI Penetration Testing

The March 31, 2024, deadline for PCI DSS 4.0 has already passed, and organizations must now comply with the updated standard. One component of PCI DSS compliance is penetration testing, as outlined in Requirement 11 of the Payment Card Industry Data Security Standard (PCI DSS). Version 4 requires more documentation of methodology and process than any previous version.

The good news is that penetration testers will likely see an uptick in demand, which means more revenue! 

Pen testing is mandated for all organizations involved in the storage, processing, and/or transmission of cardholder data. A penetration test is a manual exercise, not an automated scan, so both the tester and the assessed organization need a thorough understanding of the requirements.


Goals of PCI DSS Penetration Testing

Penetration testing within the context of PCI DSS compliance has two primary objectives:

  1. Assessing Unauthorized Access: Determine if and how malicious users could gain unauthorized access to critical assets, including systems, files, logs, and cardholder data.
  2. Validation of Controls: Confirm the implementation and effectiveness of PCI DSS-mandated controls, including scope definition, vulnerability management, segmentation, and methodology.

Types of Penetration Tests

There are three primary types of penetration tests:

  • Black-box: Conducted without prior information provided by the client.
  • White-box: The client provides full network and application details.
  • Grey-box: The client provides partial information.

For PCI DSS compliance, white-box and grey-box assessments are typically preferred because they yield more accurate results and comprehensively evaluate the security environment.

Penetration Test vs. Vulnerability Scan

While both penetration testing and vulnerability scanning are essential to a PCI compliance security assessment, they serve different purposes. The following table breaks the two concepts down:

Aspect      | Penetration Test                                                                     | Vulnerability Scan
Purpose     | Identify ways to exploit vulnerabilities to circumvent or defeat security features.  | Identify, rank, and report vulnerabilities that may result in a compromise.
Frequency   | At least annually and upon significant changes.                                      | At least quarterly and after significant changes.
Methodology | Manual process with possible use of automated tools.                                 | Primarily automated tools with manual verification.
Reports     | Description of specific vulnerabilities and potential exploitation methods.          | Potential risks posed by vulnerabilities are ranked according to severity.
When        | Conducted at least annually and upon significant changes.                            | Conducted quarterly and after significant changes.
How         | Comprehensive testing, including manual verification.                                | Automated scanning supplemented with manual review.
Scope       | Entire Cardholder Data Environment (CDE) perimeter and critical systems.             | Scanned systems and assets based on defined criteria.
Duration    | Engagements may last days or weeks, depending on scope.                              | Relatively short, typically several seconds to minutes.
Tools       | A mix of manual and automated tools tailored to the environment.                     | Automated scanning tools with limited manual verification.

Scope of the PCI Penetration Test

According to PCI DSS Requirement 11.3, penetration testing encompasses the entire Cardholder Data Environment (CDE) perimeter and critical systems. This includes both external (public-facing) and internal (LAN-LAN) attack surfaces. The scope may extend to cardholder data locations, critical network connections, access points, and resources utilized by personnel accessing cardholder data.

Qualifications of a Penetration Tester

Ensuring the competence and independence of the individuals or teams conducting penetration testing is crucial for its effectiveness. Let’s explore the qualifications required for a penetration tester:

Certifications:

Certifications serve as indicators of a penetration tester’s skill level and competence. While not mandatory, they demonstrate a common body of knowledge. Some common certifications include:

  • Offensive Security Certified Professional (OSCP)
  • Certified Ethical Hacker (CEH)
  • Global Information Assurance Certification (GIAC) Certifications (e.g., GPEN, GWAPT, GXPN)
  • CREST Penetration Testing Certifications
  • Communication Electronic Security Group (CESG) IT Health Check Service (CHECK) certification

Note: The PCI SSC does not validate or endorse these certifications.

Organizational Independence:

Penetration testers must be organizationally independent from the management of the target systems. For example, a third-party company that was involved in installing, maintaining, or supporting the target systems cannot also perform the penetration test for a PCI DSS assessment of those systems.


Version 4 Changes in PCI Compliance Testing

The transition to PCI DSS 4.0 brings about some changes in PCI pentest requirements. Let’s examine what has and hasn’t changed:

What Hasn’t Changed

  1. Frequency: Penetration testing requirements remain largely consistent with previous versions. Most merchants are still required to conduct an annual penetration test, while service providers must perform them every six months, with additional tests mandated after significant changes or security incidents.
  2. Testing Approaches: The framework for penetration testing, encompassing external black-box tests, internal tests from various network perspectives, and tests within the Cardholder Data Environment (CDE), remains unchanged.

What Has Changed

Customized Approaches

PCI DSS 4.0 introduces the concept of “customized approaches,” allowing entities flexibility in meeting individual requirements. This innovation enables organizations to tailor their penetration testing methodologies to their specific environments, potentially enhancing effectiveness and efficiency.

“The most significant innovation in PCI DSS 4.0 is the ability for entities… to choose ‘customized approaches’ for individual requirements.” – Lauren Holloway, PCI Security Standards Council

Stricter Requirements for Online Payment Pages and Web Apps

New requirements mandate the use of automated tools to detect and prevent attacks on web applications. This signals a shift towards more proactive measures and calls for active penetration testing of web apps, including their application programming interfaces (APIs).

Greater Emphasis on Network Segmentation

PCI DSS 4.0 emphasizes network segmentation, providing extensive PCI penetration testing guidance for segmentation testing to confirm the isolation of systems with differing security levels. 
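The segmentation testing described above boils down to one verifiable question: from an out-of-scope network, can any CDE service be reached at all? The following script is an added example (not Centraleyes code and not PCI SSC tooling) that frames that check as a pass/fail control. The CDE addresses and ports are constructed placeholders, and `probe` is a hypothetical parameter that lets the connection attempt be swapped out so the logic can be exercised offline.

```python
"""Segmentation check: confirm that a host on an out-of-scope network cannot
open a TCP connection to any service inside the Cardholder Data Environment.

Added example, not Centraleyes code or PCI SSC tooling. Addresses and ports
below are constructed placeholders; run the script from the out-of-scope
network segment whose isolation you want to verify.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Constructed sample inventory: CDE services that MUST NOT be reachable from
# the network this script runs on (hypothetical RFC 1918 addresses).
CDE_TARGETS: List[Tuple[str, int]] = [
    ("10.10.1.10", 443),   # payment web tier (assumed)
    ("10.10.1.20", 1433),  # database holding cardholder data (assumed)
    ("10.10.1.30", 22),    # administrative jump host into the CDE (assumed)
]


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    reachable: bool


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP connection to host:port succeeds.

    A successful connect from out-of-scope space is a segmentation gap.
    Refused, filtered (timed out) and unreachable all count as isolated; this
    is a connect-level check only and says nothing about UDP or ICMP paths.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(
    targets: Iterable[Tuple[str, int]],
    probe: Callable[[str, int], bool] = tcp_probe,
) -> List[ProbeResult]:
    """Probe every CDE target once and record whether it answered."""
    return [ProbeResult(host, port, probe(host, port)) for host, port in targets]


def segmentation_failures(results: Iterable[ProbeResult]) -> List[ProbeResult]:
    """Every reachable CDE service is a finding to remediate and retest."""
    return [r for r in results if r.reachable]


def report(results: List[ProbeResult]) -> str:
    """Human-readable evidence line per target plus an overall verdict."""
    lines = []
    for r in results:
        status = "FAIL (reachable)" if r.reachable else "ok (isolated)"
        lines.append(f"{r.host}:{r.port} {status}")
    failures = segmentation_failures(results)
    verdict = "SEGMENTATION VERIFIED" if not failures else f"{len(failures)} SEGMENTATION GAP(S)"
    lines.append(verdict)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_segmentation(CDE_TARGETS)))
```

The per-target lines are the kind of evidence the documentation requirements in version 4 expect you to retain alongside the tester's methodology: which vantage point was used, which CDE services were probed, and the result of each probe. A "FAIL" line means the control that is supposed to keep that segment out of scope is not doing its job, and the scope of the assessment grows until it is fixed.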

Access to Cloud Assets

The updated standard requires cloud service providers (CSPs) to support external penetration testing of their customers’ cloud assets. This change aims to facilitate pen testers’ access to cloud assets, ensuring comprehensive security assessments in cloud environments.

Documentation and Retention Requirements

PCI DSS 4.0 emphasizes documenting and retaining records related to penetration testing methodologies, findings, remediation efforts, and verification tests. Additionally, it mandates interviews with involved personnel as part of the verification process, enhancing transparency and accountability.

Summing it Up

While the basic framework of penetration testing for PCI compliance remains intact, PCI DSS 4.0 introduces notable changes aimed at enhancing the effectiveness and comprehensiveness of security assessments, particularly in the realms of web application security, network segmentation, and access to cloud assets.

With Centraleyes’s support for PCI DSS 4.0, organizations can confidently address the challenges posed by the latest standard version. 

Tackling PCI DSS 4.0 with the Centraleyes platform offers businesses a robust framework to navigate the complexities of compliance, ensuring a resilient defense against cyber threats while fostering trusting relationships with your consumers and clients.

For more information about Centraleyes and its PCI DSS 4.0 compliance capabilities, visit
