PCI DSS
November 21, 2022
What is PCI DSS Pentesting?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data. Compliance is a contractual obligation for any business that stores, processes, or transmits cardholder data. Penetration testing is one of the controls PCI DSS requires, and it is how an organization demonstrates that the protections around cardholder data actually hold up against an attacker.

Companies that handle payment cards must follow the PCI Data Security Standards.

In practice, this means an organization must:
    • build and maintain a secure network 
    • protect stored and transmitted cardholder data  
    • maintain a vulnerability management program 
    • implement strong access control measures, and  
    • regularly monitor and test its networks.   

What is PCI Pentesting? 

A penetration test is a type of cyber security evaluation that identifies, exploits, and assists in resolving vulnerabilities. PCI DSS penetration testing assesses an organization’s network infrastructure and applications from internal and external environments.

Unlike an automated vulnerability scan, a penetration test is largely manual and goes deeper: the tester chains together weaknesses a scanner reports as isolated, looks for flaws scanners cannot detect (business-logic errors, authorization bypasses, weak session handling), and demonstrates that a finding is actually exploitable rather than merely present. That is why PCI DSS requires it to be performed by qualified testers.

There are three types of penetration testing: 

  • Black-box assessment: The client gives the tester no information about the target before the test; the tester works as an external attacker would. 
  • White-box assessment: The client gives the tester full information about the network and the application, such as architecture diagrams, credentials, configuration, and source code. 
  • Grey-box assessment: The client provides some, but not all, of that information, typically network ranges and a standard user account, to model an attacker with limited inside knowledge. 

White-box and grey-box assessments provide businesses with a deeper understanding of their environments. Client-provided preliminary information accelerates testing, saving time and resources.

What Actually Needs to be Assessed? 

PCI DSS penetration testing covers the organization’s entire cardholder data environment (CDE), together with any system that is connected to it or could otherwise affect its security.

A PCI pen test assists in identifying: 

  • Insecure system and network configurations 
  • Inadequate access controls 
  • Rogue wireless networks 
  • Application weaknesses such as cross-site scripting (XSS) and SQL injection 
  • Insufficient authentication and session management 
  • Weak or misconfigured encryption, including cardholder data sent over unencrypted channels 

How are PCI DSS Pentests Conducted?  

The following five steps comprise a PCI DSS penetration test: 

  • Scoping – Before testing, the tester and the organization agree on the scope: the CDE perimeter, the systems connected to or able to affect the CDE, and the segmentation controls that define where the CDE ends.
  • Discovery – The tester enumerates the assets within the agreed scope: hosts, services, applications, and network paths into the CDE. 
  • Evaluation – Using the information gathered in the preceding step, the tester probes the network and applications for security flaws and attempts to exploit them to show real impact. 
  • Reporting – The tester analyses the results, writes a report explaining the methodology, the findings, and their severity, and presents it to the QSA or other stakeholders as evidence of the test.
  • Retest – Fixed issues are retested to confirm that every finding has been resolved and that the fix addressed the root cause. 

Why should you have Pentesting? 

Most systems are designed, built, and maintained by people whose primary expertise is not security. A penetration tester trained to find and exploit system flaws brings the attacker’s perspective that the builders lacked. The resulting report lets you fix vulnerabilities before a real attacker exploits them. 

PCI DSS requires penetration tests at least annually and after any significant change to infrastructure or applications. Segmentation controls must be tested at least annually; service providers must test them at least every six months and after any change to those controls. 

What are the Key Requirements of PCI DSS Pentesting? 

PCI DSS mandates penetration tests of the CDE’s network and application layers, of critical systems that could jeopardize the CDE’s security, and of the entire CDE perimeter. Where segmentation is used to reduce scope, it also requires tests that confirm the CDE really is isolated from out-of-scope systems. Penetration testing, together with internal and external vulnerability scanning, satisfies a large part of PCI DSS Requirement 11, which mandates regular testing of security systems and processes.

Testing must be based on the CDE perimeter and every system that could compromise the CDE. Systems that are properly segmented from the CDE are out of scope. Tight segmentation (restrictive firewall rules between the CDE and the rest of the network) therefore shrinks the scope, which reduces both the number of systems to examine and the cost of the test; it also has to be proven to work, which is what the segmentation tests below are for.

Let’s take a look at the requirements. The numbering below follows PCI DSS v3.2.1; in v4.0 the same controls appear under Requirement 11.4.

Requirement 11.3

  • An organization must implement a penetration testing methodology that covers both internal and external testing. 
  • Third-party or internal testers must follow a documented methodology based on industry-accepted approaches (e.g., NIST SP 800-115), cover the entire CDE perimeter and critical systems, and include both network-layer and application-layer tests.

Requirement 11.3.1 

  • External penetration testing is required at least annually and after any significant infrastructure or application change or upgrade.
  • Examples of a significant change are adding a web server to the environment or upgrading an operating system.

Requirement 11.3.2 

  • This requirement mirrors 11.3.1 for the internal network: it covers internal penetration tests rather than external ones. 
  • Internal penetration tests must be performed at least annually and after any significant application or infrastructure change, and the organization must keep evidence that they were done.
  • The tests must be performed by a qualified third party or by qualified internal staff who are organizationally independent of the systems under test.

Requirement 11.3.3

  • Exploitable vulnerabilities found during testing must be corrected, and testing repeated until the fixes are verified.  
  • A vulnerability here is any weakness an external or internal party could exploit to reach cardholder data, the CDE, or the wider network. When reviewing results, confirm that the root cause of each exploited issue was fixed, not just the specific path the tester used. 

Requirement 11.3.4 

  • If segmentation is used to isolate the CDE from other networks, penetration tests must verify that the segmentation methods are operational and effective.  
  • These tests must be performed at least annually and after any change to segmentation controls or methods, by a qualified third party or an independent internal resource.  
  • Their purpose is to confirm that out-of-scope systems genuinely cannot reach in-scope systems, so that the reduced scope claimed for the assessment is justified.


Requirement 11.3.4.1

  • This is a service-provider-only requirement. A service provider is an entity that stores, processes, or transmits cardholder data on behalf of another entity, or that can otherwise affect the security of that data. 
  • Service providers that use segmentation must test it at least every six months and after any change to segmentation controls or methods, to confirm that the PCI DSS scope is still what they claim.
  • Testing more often than the minimum keeps the confirmed scope aligned with the environment as it changes.
  • If cardholder data is discovered during a penetration test (for example, full PANs in a log file or in a tester’s capture), the tester must handle and protect it according to PCI DSS, and the finding must be reported so the data can be removed from where it does not belong.
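The segmentation tests required by 11.3.4 and 11.3.4.1 come down to one repeatable check: from every out-of-scope network, attempt to reach every in-scope host and port, and treat any successful connection as a finding. The harness below is an added example and is not Redfox Security’s or the PCI SSC’s tooling; the addresses, ports and the simulated firewall policy are constructed for the illustration. It includes the control a practitioner wants and auditors ask about: at least one flow that must succeed, so that a clean run cannot be mistaken for a tester who was simply disconnected.

```python
"""Segmentation test harness: confirm that out-of-scope hosts cannot reach
CDE services, and that the probe itself is working.

Added example, not Redfox Security's tooling. Hostnames, ports and the
simulated firewall policy below are constructed for illustration.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable

# A flow is (source, target, port); the probe is executed from `source`.
Flow = tuple[str, str, int]
Prober = Callable[[Flow], bool]


@dataclass
class SegmentationResult:
    failures: list[Flow]   # an out-of-scope source reached a CDE port
    blocked: list[Flow]    # flows that were correctly denied
    inconclusive: bool     # no control flow connected, so the probe is unreliable


def tcp_connect_probe(flow: Flow, timeout: float = 2.0) -> bool:
    """Real probe: True when a full TCP handshake to target:port completes.

    Must be run on the host named in flow[0]. A full connect rather than a
    SYN-only scan is used so that stateful firewalls and proxies in the path
    are exercised the way a real client would exercise them."""
    _, target, port = flow
    try:
        with socket.create_connection((target, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def simulated_prober(permitted: set[Flow]) -> Prober:
    """Offline stand-in for tcp_connect_probe: `permitted` models the flows a
    hypothetical firewall allows. Constructed for the example only."""
    return lambda flow: flow in permitted


def run_segmentation_test(
    out_of_scope_hosts: Iterable[str],
    cde_hosts: Iterable[str],
    cde_ports: Iterable[int],
    control_flows: Iterable[Flow],
    prober: Prober,
) -> SegmentationResult:
    """Probe every out-of-scope host against every CDE host and port.

    control_flows are flows that *must* work (e.g. the tester's jump host to
    a CDE admin port). If none of them connect, a clean result proves nothing
    (the tester may simply be cut off), so the run is marked inconclusive."""
    control_ok = any(prober(f) for f in control_flows)
    failures: list[Flow] = []
    blocked: list[Flow] = []
    for src in out_of_scope_hosts:
        for dst in cde_hosts:
            for port in cde_ports:
                flow = (src, dst, port)
                (failures if prober(flow) else blocked).append(flow)
    return SegmentationResult(failures=failures, blocked=blocked,
                              inconclusive=not control_ok)


def demo() -> SegmentationResult:
    """Constructed scenario: one stray firewall rule lets a corporate
    workstation reach the CDE web tier on 443; everything else is denied."""
    cde_hosts = ["10.10.1.10", "10.10.1.11"]          # hypothetical CDE
    cde_ports = [22, 443, 3306]
    out_of_scope = ["10.20.0.5", "10.30.0.7"]          # corporate / guest LAN
    jump_host = "10.10.9.1"                            # tester's in-scope jump host
    control = [(jump_host, "10.10.1.10", 22)]
    permitted = {
        (jump_host, "10.10.1.10", 22),     # the tester's legitimate path
        ("10.20.0.5", "10.10.1.10", 443),  # the misconfiguration to be found
    }
    return run_segmentation_test(out_of_scope, cde_hosts, cde_ports,
                                 control, simulated_prober(permitted))


if __name__ == "__main__":
    result = demo()
    print("inconclusive:", result.inconclusive)
    for flow in result.failures:
        print("SEGMENTATION FAILURE: %s -> %s:%d" % flow)
```

In a real engagement the same `run_segmentation_test` is run with `tcp_connect_probe` from a host inside each out-of-scope segment, with the CDE host and port lists taken from the scoping document rather than hard-coded. TCP connect tests are the minimum; UDP services, ICMP, and any proxies or jump paths that cross the boundary need their own probes, and every permitted flow found should be traced back to the firewall rule that allows it.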


  • Organizations may conduct penetration tests internally if they can demonstrate a sound, documented methodology and the tester is organizationally independent of the people who administer the systems under test. If either condition is not met, a qualified third party must perform the PCI DSS penetration test. The annual segmentation checks under 11.3.4 likewise must be done by someone who is not responsible for implementing or managing the CDE’s segmentation controls. 
  • By partnering with Redfox Security, you’ll get the best security and technical skills required to execute an effective and a thorough penetration test. Our offensive security experts have years of experience assisting organizations in protecting their digital assets through penetration testing services. To schedule a call with one of our technical specialists, call 1-800-917-0850 now.

by Jyoshita

Content Writer | Redfox Security