A Guide to PCI Penetration Testing: What You Need To Know

A Guide to PCI Penetration Testing: What You Need To Know

  • September 27, 2022

Accepting payment cards makes transactions convenient for consumers, but it also means that your company needs to comply with Payment Card Industry Data Security Standards (PCI DSS) to protect customer data. To be PCI DSS compliant, organizations must perform PCI penetration testing annually. 

PCI penetration testing is a simulated attack used to identify and exploit vulnerabilities that could give cyber criminals unauthorized access to information. The exercise, also referred to as a pen test, reveals whether your system protects cardholder data and what improvements are necessary to keep this information safe.

In this article, we explain what exactly PCI penetration testing is, how it’s different from regular pen testing, and the test components and processes you need to know. 

Already have a PCI pen test report? Jump down to our penetration test report checklist for help evaluating its quality. 

What is PCI DSS penetration testing?

A penetration test is an exercise where a hired third party launches a simulated attack on your systems to discover areas your organization can improve its information security. A PCI penetration test specifically evaluates the security of your card-processing ecosystem — from your internal infrastructure and applications to external systems connected to public networks. 

PCI penetration testing is a requirement of maintaining PCI compliance, and noncompliance can result in legal penalties or loss of payment card processing privileges. Organizations must run a PCI penetration test at least once a year or after any major systems updates.

What is the difference between a PCI pen test and a regular pen test?

Compared with a regular pen test, PCI pen tests have more specific guidance on the minimum amount of vulnerabilities to consider such as injection flaws and buffer overflows. The testing methodology also specifically requires application-layer and network-layer testing of all internal and external systems and risks.

How is a penetration test different from a vulnerability scan?

Although PCI penetration testing may include a vulnerability scan, they’re not the same thing. A vulnerability scan focuses on finding, prioritizing, and reporting vulnerabilities that exist in a system. A PCI penetration test’s main goal is to exploit those vulnerabilities and improve your security system. 

Refer to the table below to find a breakdown of the major differences between a vulnerability scan and penetration test.

Who typically performs a PCI DSS penetration test? 

Companies can perform a PCI penetration test by hiring a third party or by using a qualified employee for internal penetration testing, as long as neither are involved with the management of any systems targeted by the test. When identifying a qualified penetration tester, organizations should consider whether the pen tester has appropriate past experience and holds a penetration testing certification. 

If you’re considered a Tier 1 merchant, annual PCI penetration testing is mandatory. Even if you’re not a Tier 1 Merchant, it’s required for e-commerce-only merchants who use a third party to handle cardholder data or eligible service providers under PCI SAQ-D

PCI penetration test components

Several main components comprise a PCI penetration test: the scope, application-layer and network-layer security testing, segmentation checks, and social engineering tests.


When performing a PCI pen test, the cardholder data environment (CDE), its internal and external perimeter, and any critical systems are included in the scope of the test. 

  • Internal CDE perimeter: Any security controls, pathways, or critical systems connected to the internal network of the organization (e.g., access paths to stored cardholder data)
  • External CDE perimeter: Any public-facing services, remote access points, and critical system components that are connected to public network infrastructure (e.g., VPN connections, dial-up)
  • Critical systems: Any systems that process or protect cardholder data (e.g., firewalls, authentication servers)

Application-layer and network-layer testing

An application- and network-layer penetration test identifies any security flaws that arise from insecure application design and coding. Pen testers also check for cybersecurity defects that stem from insecure configuration, implementation, usage, or maintenance of organization-specific software.

Segmentation testing

Segmentation controls block out-of-scope systems from communicating with the CDE. A segmentation check tests that these controls are operational and effectively isolate the CDE from other systems. This check is important because it prevents hackers from being able to impact the CDE if they gain control of another system. 

Social engineering

Any attempt to access information or bring in unauthorized software into the CDE by manipulating users is an act of social engineering. Social engineering tests aim to identify risks that may arise from users following improper procedure. PCI DSS doesn’t require a social engineering test, but it’s often included in pen test best practices. 


The Ultimate Guide to PCI DSS

Learn everything you need to know about the requirements, process, and costs of getting PCI certified. 

Download ebook

Types of PCI DSS penetration tests

Three types of penetration tests exist: black-box, white-box, and grey-box. Typically, PCI DSS penetration tests are most successful as white- or grey-box security assessments.

  • Black-box assessments are performed without any prior information given by the organization to the pen tester. 
  • White-box assessments are when the organization provides complete and detailed information of the network and all web applications prior to testing.
  • Grey-box assessments are the middle ground between black-box and white-box, and the client only offers partial information about the target systems to the pen tester.

The PCI penetration test process

A successful PCI pen test consists of five steps: scoping, information gathering, evaluation, reporting, and retesting. You can find an overview of each step below.

It’s also important to note that in PCI DSS guidance, these steps are broken down into three phases: pre-engagement, engagement, and post-engagement. Pre-engagement consists of scoping and information gathering, engagement encompasses the evaluation step, and post-engagement is made up of reporting and retesting.

1. Scoping

Prior to testing, the pen tester and organization identify the test’s scope based on PCI DSS requirements. The PCI DSS specifies that the scope of a PCI pen test should include the entirety of the cardholder data environment, which involves any “people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.”

2. Information gathering

In this stage, the organization and pen tester identify all network assets that are within the scope of the test. Specifically, details on the types of testing, how to perform testing, and the systems being targeted are outlined before the assessment begins. 

3. Evaluation

Using the predetermined scope, all identified systems are manually tested for vulnerabilities. Pen testers will use a combination of application-layer, network-layer, and network segmentation checks in this phase. 

If the tester finds cardholder data during the test, they should notify the client right away and document their findings. After this, the tester can use post-exploitation tactics to escalate the attack and attempt to gain access to more resources.

4. Reporting 

After the test is complete, the pen tester will compile a comprehensive report on the test results. This report clearly documents the methodology, any problems encountered, and evidence of security vulnerabilities and their exploitability. 

5. Retesting

After your organization completes remediation of any identified security flaws, the pen tester should conduct a retest to see if all original vulnerabilities are now secure. The scope of the retest depends on the level of significant changes made to the security environment.

Penetration test report evaluation tool

If your organization has already received a penetration test report, it’s helpful to have some guidance on how to interpret the report and its quality. Use the following penetration test report evaluation checklist to help evaluate the completeness and depth of your report.

How Secureframe can help

Maintaining PCI DSS compliance is crucial if you want to keep your payment card processing privileges. Fulfilling annual PCI DSS penetration testing requirements is an essential part of continuous compliance, but you don’t need to carry the load of achieving and maintaining PCI DSS certification alone. 

Secureframe streamlines the PCI DSS compliance process by integrating your tech stack and automating technical controls. We also partner with external penetration testing providers. Looking to accelerate your PCI DSS compliance? Schedule a personalized PCI DSS demo today.