PCI Penetration Testing: What You Need to Know

The PCI DSS compliance standard requires many businesses to undergo penetration testing on an annual basis. In this case, the pen tests are specifically aimed at protecting cardholder data, such as credit card numbers and security codes.

Not all businesses need to conduct penetration testing to become PCI compliant. The card brands sort merchants into four levels, depending on how many card transactions a business processes per year:

  • Level 1: Over 6 million credit card transactions per year
  • Level 2: 1 million – 6 million credit card transactions per year
  • Level 3: 20,000 – 1 million credit card transactions per year
  • Level 4: Under 20,000 credit card transactions per year

These thresholds vary slightly per card brand, but all of them closely match the brackets outlined above. Your level alone does not decide whether you must run a penetration test; your validation route does. Level 1 merchants are assessed against the full standard in a Report on Compliance, which includes the penetration testing requirement (Requirement 11.3 in PCI DSS v3.2.1, Requirement 11.4 in v4.0). Lower-level merchants validate with a Self-Assessment Questionnaire (SAQ), and the requirement applies only if their SAQ includes it: SAQ D and SAQ A-EP do, for example, while SAQ A does not. Businesses that process card data but are not required to pen test still have to run regular vulnerability scans, as we’ll discuss later in the article.

For now, let’s dig into the PCI penetration testing process.

How to Conduct a Penetration Test for PCI Compliance

1. Determine who will conduct the pen test

For most businesses, the first step is to hire an outside firm to conduct the pen test. While it’s possible for an employee to conduct the testing, PCI DSS dictates that they must be “organizationally independent” from the systems being tested. If an employee sets up or maintains the system, you’ll need to find someone else to do the pen test.

This standard also applies to any third party you bring in. In any case, for most businesses, it’ll be easier to find a qualified, independent pen tester by looking outside the organization.

The PCI SSC’s Penetration Testing Guidance suggests vetting a pen testing firm based on certifications, such as OSCP and CEH, as well as on past experience. References from past customers can be especially useful when considering whether or not to hire a pen tester.

Pen tests are commonly classified by how much information and access the tester starts with: black box (none), gray box (partial), or white box (full). The PCI SSC guidance expects the organization to give the tester information about the target environment and advises against black-box testing for PCI purposes, so PCI pen testing is in practice gray box or white box. If a pen tester only offers black-box engagements, they are not a good fit for PCI compliance.

2. Define the scope of the pen test

The next step is to determine the scope of the penetration test. For PCI compliance, this relates closely to the “cardholder data environment.” Commonly known as the CDE, PCI DSS defines this as “the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.”

Per PCI requirements, the scope of the pen test must include the external and internal perimeter of the CDE, as well as any critical systems involved in processing or protecting cardholder data. These can include firewalls, authentication servers, or any other systems used to support or secure the CDE.

At the end of the day, the organization being tested bears the responsibility for accurately defining the scope of the pen test. It’s essential they work with the pen tester to ensure they’ve set the right boundaries, without excluding any systems that could impact the CDE.

At this point, the organization should give the pen tester any and all relevant documentation, such as network diagrams, lists of exposed ports at the CDE perimeter, and details concerning access control within the CDE. The more documentation you give them, the better they can scope and prepare for the penetration test.

3. Define rules of engagement & success criteria

Before the pen test can begin, it’s essential to define how the test will be conducted. Unlike a vulnerability scan, penetration testing entails not only identifying vulnerabilities, but exploiting them. Because pen testing simulates an actual attack, it’s crucial to set clear boundaries ahead of time.

These rules of engagement can include items such as when testing will be conducted, how issues will be communicated, and how sensitive data will be handled during and after the test. For many companies, it may make sense to create a staging environment so that testing does not impact the live operations of their business.

The company and the pen tester should also set success criteria: at what point is the penetration complete? By defining the finish line of a simulated attack, you can be clear on where the attack stops. These criteria will vary company-to-company, and should be agreed upon before testing can begin.

PCI DSS also requires the pen tester review any threats or vulnerabilities the company has encountered in the past 12 months. This can include reviewing previous pen test reports and examining the controls that have been put in place to mitigate prior issues.

4. Penetration testing engagement

Finally, it’s time to launch the pen test itself. The pen tester will leverage all their expertise and the tools in their kit to identify and attempt to exploit vulnerabilities. Typically, this breaks down to the following stages:

  1. Identify and document vulnerabilities.
  2. Plan simulated attacks to test these vulnerabilities.
  3. Launch these attacks, attempting to exploit these vulnerabilities.
  4. Document the results of these simulated attacks.
  5. Escalate attacks, building on previous breakthroughs.

Each of these stages will play out across multiple modes of testing. For one, the pen testers will test the application layer. Starting with credentials in hand, they will attempt to escalate their privileges and to access data beyond the bounds of their authorization. At a minimum, PCI expects application-layer testing to cover the vulnerability classes the standard calls out for secure development (injection flaws, broken authentication, cross-site scripting, and the like).

The pen testers will also test the network layer, starting with automated vulnerability scanning. Once the vulnerability scan identifies vulnerabilities in the network, the pen tester will manually attempt to exploit them.

Additionally, if the organization relies on network segmentation to keep other systems out of PCI scope, the pen testers will run a segmentation check to confirm that the CDE really is cordoned off from those networks. PCI DSS requires this check at least annually and after any change to the segmentation controls; service providers must repeat it at least every six months.
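The segmentation check boils down to a simple question: can any out-of-scope network open a connection to a CDE host? As an added example (not code from the original article), the Python helper below probes CDE hosts over TCP from wherever it is run and flags every reachable host/port pair that is not on a documented allow-list of intended paths. The zone names, host names, and the sample probe results are constructed placeholders, not real systems.

```python
"""Segmentation-check helper (added example, not the article's own code).

Run probe_zone() from each out-of-scope network (office LAN, guest Wi-Fi,
and so on), then feed the results to segmentation_findings() together with
the paths the organisation documents as intentional (e.g. a jump host).
Host names, zone names and SAMPLE below are constructed placeholders.
"""
import socket
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Probe:
    src_zone: str    # network the probe was launched from, e.g. "corp-lan"
    dst_host: str    # CDE host that was probed
    port: int        # TCP port that was probed
    reachable: bool  # True if a full TCP handshake completed


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout), unreachable or unresolvable: not reachable.
        return False


def probe_zone(src_zone: str, hosts: Iterable[str], ports: Iterable[int],
               timeout: float = 2.0) -> List[Probe]:
    """Probe every host/port pair from the network this script runs in."""
    ports = list(ports)
    return [Probe(src_zone, h, p, tcp_connect(h, p, timeout))
            for h in hosts for p in ports]


def segmentation_findings(probes: Iterable[Probe],
                          allowed: Set[Tuple[str, str, int]]) -> List[Probe]:
    """Return probes showing an out-of-scope network reaching the CDE.

    `allowed` holds (src_zone, dst_host, port) tuples that are documented,
    intended paths into the CDE. Any other reachable pair is a segmentation
    failure and belongs in the report's Segmentation Test Results section.
    """
    return [p for p in probes
            if p.reachable and (p.src_zone, p.dst_host, p.port) not in allowed]


# Constructed sample results: what probe runs from three zones might return.
SAMPLE = [
    Probe("corp-lan", "pos-db.cde.example", 1433, True),       # failure
    Probe("corp-lan", "pos-db.cde.example", 22, False),
    Probe("corp-lan", "payment-app.cde.example", 443, False),
    Probe("guest-wifi", "payment-app.cde.example", 443, True),  # failure
    Probe("jump-host", "pos-db.cde.example", 22, True),         # documented path
]
ALLOWED = {("jump-host", "pos-db.cde.example", 22)}


if __name__ == "__main__":
    for f in segmentation_findings(SAMPLE, ALLOWED):
        print(f"FAIL: {f.src_zone} can reach {f.dst_host}:{f.port}")
```

A real segmentation test sweeps all 65535 TCP ports, probes UDP as well, and is repeated from every out-of-scope network segment; this helper only shows the decision logic a tester applies to the results.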

As part of the test, pen testers may engage in social engineering tactics, such as phishing. While this step isn’t strictly required for the sake of PCI compliance, PCI does encourage pen testers to consider common kinds of attacks. Because social engineering is such a staple among cybercriminals, many pen testers incorporate social engineering in their testing regimen.

In most cases, the penetration test does not stop when a vulnerability has been successfully exploited. Instead, the pen tester will attempt to escalate their privileges, or pivot to launch new simulated attacks that are now possible from where they are in the system.

5. Penetration test report

Throughout engagement, the pen testers document their findings. Once testing is finished, they compile them into a report aimed at helping the organization remediate any issues that have been identified.

This report will discuss how the test was conducted and list all vulnerabilities that were identified and exploited. This includes a severity score for each vulnerability, based on industry standards such as CVSS and on the tester’s own risk assessment.

The PCI SSC’s Penetration Testing Guidance provides the following outline for penetration test reports:

  • Executive Summary
  • Statement of Scope
  • Statement of Methodology
  • Statement of Limitations
  • Testing Narrative
  • Segmentation Test Results
  • Findings
  • Tools Used
  • Cleaning up the Environment Post-Penetration Test

Of these sections, you’ll want to pay special attention to the findings: that’s where the pen testers will list the vulnerabilities they uncovered.

6. Remediation & retesting

With the pen test report in hand, the organization can now begin remediating any issues that were identified. That might entail reconfiguring or replacing insecure software, rewriting application code, or anything else that might shore up any vulnerabilities.

Once this has been done, the penetration tester re-tests the affected systems to verify that the exploitable vulnerabilities are actually fixed, as PCI DSS requires. If the first test necessitated fundamental changes, it may even be necessary to conduct a new pen test in full.

Penetration testing is an ongoing part of PCI compliance – there’s no “finish line”. PCI DSS requires that in-scope organizations conduct pen tests “at least annually and upon significant changes.” That means once you’ve completed one test, you can mark your calendar for the next one. And if you make major changes to the CDE in the meantime, you will need to embark on another pen test sooner rather than later.

Penetration Testing vs Vulnerability Scanning

Businesses whose validation route (typically an SAQ other than SAQ D or SAQ A-EP) does not include penetration testing are not required to undergo a pen test to comply with PCI DSS. However, the standard does require internal and external network vulnerability scans at least quarterly, and nearly every SAQ includes that requirement.

Unlike penetration testing, vulnerability scanning is a largely automated process – though it does require manual review once vulnerabilities have been identified. Additionally, vulnerability scanning usually does not entail launching simulated attacks; it focuses on identifying vulnerabilities, but does not go so far as to exploit them.

Per PCI DSS, businesses must hire an Approved Scanning Vendor, or ASV, to conduct the quarterly external vulnerability scans. The PCI Security Standards Council publishes the list of approved vendors on its website.

For more information, see our full comparison of pen testing and vulnerability scanning.


PCI’s standards exist for a very important reason: to protect credit card data from getting into the wrong hands. Regular penetration testing and vulnerability scanning are essential components of the PCI DSS standard. It can be a rigorous process, but it’s well worth it for the sake of protecting your business and its customers.

About the Author


Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.