
Penetration Testing Requirements for PCI DSS: What You Need to Know

PCI DSS requires penetration testing for in scope systems. Learn what the standard expects, who must comply, how often to test, and how to scope an engagement that satisfies assessors.

ProDefense Team, January 15, 2025, 5 min read

If your organization stores, processes, or transmits cardholder data, the Payment Card Industry Data Security Standard applies, and with it its penetration testing requirements. Here is what the standard expects, who needs to comply, and how to scope an engagement that satisfies your assessor and actually improves security.

Does PCI DSS Require Penetration Testing?

Yes. PCI DSS Requirement 11.3 mandates penetration testing of in-scope systems and networks. The goal is to verify that security controls would resist real-world attacks, not just pass a checklist. So you need both vulnerability management and periodic penetration testing by qualified testers.

Who Must Comply?

Any entity that stores, processes, or transmits cardholder data or sensitive authentication data is in scope for PCI DSS. That includes:

  • Merchants.
  • Service providers that handle card data on behalf of others.
  • Entities that could affect the security of the cardholder data environment.

Your level depends on card volume and other factors defined by the card brands. Your acquirer or PCI DSS Qualified Security Assessor can confirm your level and exact obligations.

What PCI DSS Says About Penetration Testing

Requirement 11.3 is the main one: penetration testing must be performed at least annually and after any significant change to the environment or applications. Key points:

  • Scope: Testing must cover the CDE and any system or network that could impact the security of the CDE. That often means external and internal network testing, and application testing for in-scope applications.
  • Methodology: Testing should be based on a recognized approach and address threats relevant to the environment.
  • Qualified tester: The standard expects testing to be performed by individuals with appropriate experience. Many assessors expect a formal report that documents scope, methodology, findings, and remediation.
  • Significant changes: After major infrastructure changes, new system implementations, or significant application changes, additional penetration testing is required.

So in practice: at least one penetration test per year, plus tests after significant changes, with scope covering the CDE and connected systems and applications.

What Should Be Tested?

Typical scope for PCI DSS-aligned penetration testing includes:

  • Network layer testing: External and internal penetration testing of in-scope segments.
  • Application layer testing: Application penetration testing of custom and critical applications that handle or could impact cardholder data.
  • Segmentation testing: If you rely on network segmentation to reduce scope, penetration testing should verify that an attacker cannot pivot from out of scope systems into the CDE.
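
One way to turn the segmentation point into a repeatable check, as an added example that is not the article's or ProDefense's own tooling: a Python script run from a host in an out-of-scope segment that probes a list of assumed CDE addresses and records any that answer as a finding for the report.

```python
# Added example (not ProDefense or PCI SSC code): a segmentation check run from a
# host in an OUT-OF-SCOPE segment. Every CDE address/port listed is expected to be
# blocked; any completed TCP handshake is a finding for the report.
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable

@dataclass(frozen=True)
class Target:
    host: str
    port: int
    label: str          # which CDE tier the address belongs to (assumed labels)

@dataclass
class SegmentationResult:
    blocked: list = field(default_factory=list)     # expected outcome
    reachable: list = field(default_factory=list)   # findings
    def holds(self) -> bool:
        """True only if nothing in the CDE answered from the out-of-scope host."""
        return not self.reachable

def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes, i.e. the path is NOT blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:     # refused, timed out, no route: all count as blocked
        return False

def check_segmentation(targets: Iterable[Target],
                       connect: Callable[[str, int], bool] = tcp_connect) -> SegmentationResult:
    """Probe each CDE target and sort it into blocked (expected) or reachable (finding)."""
    result = SegmentationResult()
    for t in targets:
        (result.reachable if connect(t.host, t.port) else result.blocked).append(t)
    return result

def report(result: SegmentationResult) -> str:
    """Evidence lines an assessor can read; reachable targets are listed first."""
    lines = [f"FINDING  {t.label:<22} {t.host}:{t.port} reachable from out-of-scope segment"
             for t in result.reachable]
    lines += [f"ok       {t.label:<22} {t.host}:{t.port} blocked" for t in result.blocked]
    lines.append("segmentation holds" if result.holds() else "segmentation FAILED")
    return "\n".join(lines)
if __name__ == "__main__":
    # Constructed sample targets on RFC 5737 documentation addresses, not real CDE hosts.
    cde = [Target("192.0.2.10", 443, "payment web tier"),
           Target("192.0.2.20", 1433, "cardholder database"),
           Target("192.0.2.30", 22, "CDE admin jump host")]
    print(report(check_segmentation(cde)))
```

Run it once per in-scope/out-of-scope pair and keep the output with the test evidence; a reachable line means the segmentation control you rely on for scope reduction does not hold.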

Your exact scope should be agreed with your QSA and your penetration testing provider so the report and methodology align with what the assessor will expect.

Deliverables Assessors Typically Expect

To support your PCI DSS assessment, the penetration test report usually needs to:

  • Define scope and methodology.
  • List findings with severity, evidence, and impact.
  • Include remediation recommendations and retest results for findings.
  • Document that testing was performed by testers with relevant qualifications.

Discuss report format and timing with your QSA early so your penetration testing services provider can align deliverables.

Timing: Annual and After Significant Changes

  • Annual: Plan at least one full scope penetration test per year. Many organizations tie it to their ROC cycle so the test is current when the assessor reviews it.
  • After significant changes: Treat "significant" as anything that could change the attack surface or controls of the CDE: new data centers, major upgrades, new applications or APIs that touch card data, or major network changes. When in doubt, check with your QSA and err on the side of testing.

Skipping the after-significant-change test can lead to a finding during your formal assessment.

How This Fits With the Rest of Your Security Program

PCI DSS penetration testing is one piece of a broader program:

  • Vulnerability management: Regular scanning and remediation; penetration testing and vulnerability scanning complement each other.
  • Secure development and change management: Secure coding, code reviews, and application security reduce the number of issues that show up in a pen test.
  • Incident response and monitoring: Strong detection and response do not replace penetration testing but help you react when something does get through.

Treat the annual penetration test as a validation of your controls, not as the only security work you do.

Summary

  • PCI DSS requires penetration testing for the CDE and in-scope systems.
  • Testing must be at least annual and after significant changes, by qualified testers, with a clear scope and methodology and a report that assessors can use.
  • Scope should cover network and application layers and segmentation if you rely on it; align with your QSA and your provider.
  • Pair penetration testing with vulnerability management and secure development for a complete approach.

If you need help scoping a PCI DSS-aligned penetration test or want a report format that fits your assessor's expectations, contact us to discuss your environment and timeline.
