If your company handles and processes card payments, you must comply with rules set by the Payment Card Industry Data Security Standard, or the PCI DSS. These regulations ensure that your IT infrastructure keeps customer card information secure at all times.
One of the best ways to adhere to PCI DSS is to run PCI penetration testing, as it identifies vulnerabilities and weaknesses in your existing security posture.
By mimicking hacking techniques, penetration testers can make security recommendations to help inform a more responsive and reliable defense strategy.
In this guide, we’ll explore what PCI penetration testing involves, how it helps you adhere to PCI DSS compliance, and how you can get started.
What is PCI Penetration Testing?
PCI penetration testing is a security assessment that helps you find weaknesses in your information security that might put card data at risk.
This vulnerability assessment is inspired by the specific requirements of the PCI DSS, set by the PCI Security Standards Council, or the PCI SSC.
Specifically, penetration testers use ethical hacking techniques to:
- Evaluate the strength of your data security and security controls (such as the functionality of your firewall and robustness of your operating systems)
- Find hidden flaws that hackers can exploit for unauthorized access
- Ensure your security posture adheres to compliance standards
- Assess your incident response strategy against different cyber attack vectors
- Reduce the possibility of your network getting hacked
- Provide fresh insight and perspective into your operation’s security standards and internal resource management
PCI penetration testers specifically develop hacking plans that account for sensitive card data – how it is processed, and where it is stored.
For example, an external penetration test might involve inserting code into web forms or running dictionary attacks on login screens.
An internal penetration test, which takes place within a company’s internal network, might test physical security measures and attempt social engineering.
No two penetration tests are the same – and when it comes to protecting your card data in line with PCI DSS, you might choose penetration testing services to focus on a specific area.
Regardless, as experts in PCI penetration testing, we typically advise merchants who process debit and credit card payments to run penetration testing at least once a year. This ensures you're always up to speed with the latest advancements in security technology and hacking behavior.
Alongside a PCI penetration test, we also recommend submitting your network infrastructures to automated vulnerability scanning, which can pick up on potential flaws.
What is the Difference Between PCI Penetration Testing and Regular Penetration Testing
While both PCI penetration testing and regular penetration testing involve ethical hacking to find vulnerabilities, PCI penetration testing is specifically designed to meet the compliance standards of the PCI DSS. We believe that it's important to understand the differences so that your company benefits from both when necessary. Here, we look at the main features of both.
|
PCI Penetration Testing | Regular Penetration Testing |
---|---|---|
Purpose and Scope | Focuses on evaluating systems that store, process, or transmit cardholder data, also known as the Cardholder Data Environment (CDE). | Targets any part of a network or application, regardless of regulatory requirements. |
Regulatory Requirements | Must align with PCI DSS requirement 11.4 and related clauses (e.g., internal, external, segmentation testing). | Not bound by compliance requirements unless specifically scoped. |
Testing Frequency and Timing | Testing at least annually or after significant changes to infrastructure. | Scheduled on an ad hoc basis depending on organizational needs or risk appetite. |
Methodology and Documentation | Must follow an approved methodology and include detailed documentation for audits, including test scope, techniques used, findings, remediation steps, and retesting. | May not require as formal a report unless driven by internal policies. |
Tester Qualifications | Requires qualified assessors (e.g., QSA or certified ethical hackers with PCI experience). | May be conducted by in-house teams or third parties without specific PCI expertise. |
Common Tools Used in PCI Penetration Testing
Open-source tools play a major role in conducting PCI penetration testing efficiently and effectively. Here are several widely used tools that help assess vulnerabilities in line with PCI DSS requirements:
- Nmap
A network scanning tool used to discover hosts and services on a network, often used in the reconnaissance and scanning phases of testing. - Nikto
A web server scanner that tests for over 6,700 potentially dangerous files, outdated server versions, and other issues. - John the Ripper
A fast password cracker used for testing password strength during internal testing and credential brute force attempts. - OWASP ZAP (Zed Attack Proxy)
An open-source web application security scanner that helps find security vulnerabilities during development and testing.
These tools are also frequently leveraged by penetration testers to meet PCI DSS testing requirements without depending on commercial or competitive platforms.
What Are the Penetration Testing Requirements Under PCI DSS 4.0?
Under PCI DSS 4.0, organizations that process cardholder data must perform internal (11.4.2), external (11.4.3), and segmentation (11.4.5) penetration testing to identify and mitigate vulnerabilities within and around their Cardholder Data Environment (CDE). These tests must follow a documented methodology, be conducted annually or after significant changes, and include proper scoping, reporting, and remediation. Additional requirements include regular vulnerability scans, wireless security testing, and web application assessments to maintain full compliance.
But what do all these numbers mean in practice?
- Requirement 11.4.2 refers to internal pen testing measures that submit networks, systems, and apps behind the scenes. Specifically, this testing standard ensures that infrastructures are well supported against potential insider threats and hackers who gain access.
- Requirement 11.4.3 refers to a standard in external penetration tests where companies must submit any networks, servers, and applications that face the public for evaluation.
- Requirement 11.4.5, finally, refers to testing segments. Segment testing, specifically, requires a firm’s CDE (cardholder data environment) – which manages card data and other financial information – to be submitted to evaluation.
- This means it’s often prudent to pen test your CDE separately from your wider network.
PCI DSS requirement 11.4, in general, clearly determines:
- Who can perform penetration tests
- When tests can be performed
- What the scope of such tests are (e.g., cardholder data environments, access points, and connected systems in scope)
- What’s considered out-of-scope
- What the specific penetration testing methodology involves (e.g., what’s documented and what each step involves)
- Which components and tools are used (e.g., application-layer testing and segmentation controls)
- How tests are reported and documented
- How remediation of security weaknesses, if any, are to be recommended
Beyond these points, any companies wishing to be compliant under PCI DSS 4.0 should:
- Undergo wireless security testing as per requirement 11.2
- Run external and internal vulnerability scans and/or ASV scans regularly, as per requirement 11.3
- Submit any public-facing APIs and web applications to penetration testing under requirement 6.4
- Submit to penetration testing at least once a year
- Retest after significant changes are made to the CDE and/or general infrastructure
- Run segmentation tests at least twice a year
This can seem like a lot to take in and remember. However, when working with an approved scanning vendor and an expert penetration tester, you can always ensure someone has your back on the finer details.
Key Differences Between PCI DSS 4.0.1 and PCI DSS 3.2.1
PCI DSS 4.0.1 introduces several important updates over version 3.2.1, including stronger password requirements, stricter access controls like mandatory MFA, and clearer assignment of roles and responsibilities. The new version also emphasizes flexibility in meeting security objectives, enhances protection against emerging threats like e-skimming, and requires ongoing compliance efforts. Additionally, it mandates better documentation of system architecture to support clearer assessments and stronger data protection practices.
Let’s briefly break down the main changes to PCI DSS requirements made between PCI DSS 3.2.1 and PCI DSS 4.0.1, the latest version of the compliance standard.
- Password security requirements have changed – companies now need to ensure phrases are at least 12 characters long, for example.
- Companies now need to be explicitly clear on roles and responsibilities under each requirement – and additional requirements such as e-skimming and phishing protection have been added.
- PCI DSS 4.0.1 now requires companies to add additional access and authentication controls, such as multi-factor authentication (MFA) – particularly applied to card data.
- 4.0.1 is also much more flexible regarding how companies can find security measures to ensure compliance.
- The latest compliance standards also explicitly guide users on encrypting and decrypting data, and establish that testing and compliance should be ongoing.
- A final key point raised in 4.0.1 establishes that firms should keep clearer documentation of their architecture so that it’s simpler to assess broader data management and encryption.
Penetration Testing Methodology
When conducting PCI penetration testing, it’s critical to follow a recognized methodology to ensure consistency, effectiveness, and compliance. Here are five industry-standard frameworks that penetration testers commonly use:
- OWASP Testing Guide
Focuses on identifying security vulnerabilities in web applications. Essential when testing public-facing e-commerce platforms that handle card data. - OSSTMM (Open Source Security Testing Methodology Manual)
A comprehensive framework that outlines how to assess operational security, ideal for evaluating PCI-relevant controls across internal and external networks. - NIST SP 800-115
A U.S. government-recommended guide that provides practical steps for planning and executing penetration tests, useful for regulated PCI environments. - PTES (Penetration Testing Execution Standard)
Offers a detailed process from pre-engagement to post-reporting, aligning well with PCI DSS's requirement for structured, well-documented testing. - ISSAF (Information Systems Security Assessment Framework)
A methodology that helps map discovered vulnerabilities to business risks—critical for prioritizing PCI-related remediation.
Each methodology provides a consistent approach to penetration testing and helps ensure that all required aspects of PCI DSS 4.0.1 are addressed.
Penetration Testing Process
The penetration testing process for PCI DSS compliance involves a structured series of steps to ensure the entire Cardholder Data Environment (CDE) and its connected systems are evaluated thoroughly. Here's a breakdown of the typical workflow:
Reconnaissance
This initial hase involves gathering intelligence about the target environment, such as identifying IP addresses, domains, system architecture, and public-facing assets. In a PCI context, this may include researching exposed e-commerce platforms, DNS records, or outdated software versions on payment portals.
Scanning
Testers use tools like Nmap and Nikto to scan the environment for open ports, exposed services, and outdated software. The goal is to map out the network and determine entry points to systems that may store or process cardholder data.
Vulnerability Assessment
Using both automated and manual methods, testers evaluate the network and systems for known vulnerabilities. In a PCI engagement, this step focuses on systems in the CDE and those connected to it—looking for weak configurations, unpatched software, or insecure APIs.
Exploitation
Here, ethical hackers attempt to exploit discovered vulnerabilities to gain access to sensitive systems or data—such as breaking into databases, bypassing authentication mechanisms, or capturing unencrypted cardholder data in transit.
Reporting
The findings are compiled into a formal penetration test report, which includes a summary of vulnerabilities, how they were exploited, risk ratings, and tailored recommendations for remediation. This report is required for PCI DSS audits and must be retained as evidence of compliance.
Post-reporting
Companies must act on remediation steps and schedule retesting if significant weaknesses were found. Retesting verifies whether identified vulnerabilities have been properly addressed, which is a requirement for PCI DSS validation.
What to Include in a PCI Penetration Test Report
A compliant PCI penetration test report must be detailed, actionable, and aligned with PCI DSS 4.0.1 guidelines. Here’s what it should include:
- Executive Summary
A high-level overview of the scope, testing methodology, key findings, and overall risk level—tailored for business and compliance stakeholders. - Scope Definition
Clear documentation of what was tested, including networks, systems, applications, the Cardholder Data Environment (CDE), and any in-scope third-party services. - Testing Methodology
A description of the methodology followed (e.g., OWASP, NIST), including tools and techniques used, and justification for their selection. - Vulnerability Findings
Each finding should include a detailed description, risk rating (e.g., critical, high, medium, low), potential impact, and how it was discovered. - Proof of Exploitation
Screenshots, logs, or command-line outputs demonstrating successful exploitation—especially when dealing with cardholder data systems. - Remediation Recommendations
Actionable steps to fix each issue, ideally prioritized based on risk level. This helps organizations prepare for retesting and close gaps quickly. - Retesting Requirements
Notes on which vulnerabilities require follow-up testing and verification, as per PCI DSS requirements. - Appendices
Include a full list of tools used, IPs tested, timestamps, and any technical logs that support findings.
Having a complete and accurate penetration test report not only helps fulfill PCI DSS obligations but also strengthens your overall security posture by offering a clear roadmap to remediation.
Who is Affected by PCI DSS?
PCI DSS affects businesses that hold and process card and cardholder information. Specifically, that might refer to e-commerce businesses, service providers, traditional merchant services, and SaaS businesses.
It’s good practice to follow PCI DSS if you handle card payments and are in any doubt over the data you store. Failure to maintain data security in line with PCI DSS could result in fines, reputational damage, and loss of customer data and support.
While navigating PCI security standards can be complex, they become much more manageable when you work with a professional cybersecurity expert and a verified PCI QSA, or Qualified Security Assessor.
These qualified assessors will have specific certifications to thoroughly test critical systems under PCI’s evolving standards, including at least one security and one audit certification. Some might, for example, even have a CEH or Certified Ethical Hacker certification.
How Long Will a PCI Penetration Test Take?
The average duration of a PCI penetration test is between days and weeks at a time. Unfortunately, there are no average or specific timescales – simply because the environment size and project needs always vary.
The length of time PCI DSS penetration testing takes will depend, too, on the type of testing methodology you opt for. For instance, if you choose black-box penetration testing, your tester approaches your infrastructure completely blind, with no prior knowledge of your processes.
That, typically, can be one of the most efficient pen testing routes – because there’s little in the way of prior research.
White-box penetration testing, meanwhile, provides ethical hackers with as much data as possible on a company's network and processes. It's a longer process, but one that's more comprehensive.
At VikingCloud, we support a white-box model that allows our team to dive deep into client security postures. We therefore carefully assess and advise you of any timescales involved at the very start of your project.
That goes for a specialized application penetration test or specific analysis of your system components – we want to be clear and concise with you from the get-go.
How Much Does PCI Penetration Testing Cost?
You can expect PCI penetration testing to cost anywhere between $5,000 and $40,000. Again, this is a factor that can vary depending on the scale of the environments involved, and your exact requirements needed from testers and hackers.
Again, before we get started with any pen testing projects, we’re always upfront and clear on cost expectations with our clients.
How Often Does PCI Require Penetration Testing?
PCI states that firms should run penetration tests at least once a year, or after changes that directly affect how card information is held and processed.
However, the regulations also expect you to run segmentation tests at least twice a year, too. We recommend following these standards regardless of whether or not you process card information.
Contract a Reliable Penetration Testing Firm
The methodologies used by penetration testing firms vary depending on experience and outlook. At VikingCloud, we bring together a team of seasoned experts who keep abreast of the latest data security developments – and we’re passionate about keeping you and your cardholders safe.
When looking for a penetration testing provider, you might find that some subscribe to different methodology models. These are templates and frameworks set up to help guide PCI pen testing practice – so that all the correct boxes are ticked.
For instance, some testers might observe the OWASP (Open Web Application Security Project) framework and its "Top Ten."
Or, some might follow the OSSTMM, or the Open Source Security Testing Methodology Manual, or the NIST (National Institute of Standards and Technology) Special Publication.
If this all sounds a little overwhelming, don’t worry. Our team is on hand to guide you through a thorough network penetration test that keeps you compliant and your customers’ data safe at all times.
Get in touch today for a consultation, and let's tighten up your security posture with ethical hacking.