PCI DSS Penetration Testing

Manual, expert-led penetration testing that satisfies your PCI DSS requirements.

If your organisation processes, stores, or transmits cardholder data, PCI DSS mandates annual penetration testing of your Cardholder Data Environment (CDE). Our CREST-accredited consultants deliver manual, expert-led testing aligned to the PCI DSS penetration testing requirements, producing reporting that your Qualified Security Assessor (QSA) can use directly as part of your compliance process.

PCI DSS & Penetration Testing

What Does PCI DSS Require From Penetration Testing?

PCI DSS v4.0 sets out specific penetration testing requirements that apply to any organisation in scope for cardholder data security. The key requirements are:

Requirement 11.3.1: External penetration testing must be performed at least annually and after any significant infrastructure or application change. Testing must cover the entire CDE perimeter and critical systems.

Requirement 11.3.2: Internal penetration testing must be performed at least annually and after any significant infrastructure or application change, covering internal network infrastructure and applications within or connected to the CDE.

Requirement 11.3.4: Where network segmentation is used to isolate the CDE from out-of-scope systems, segmentation controls must be tested at least annually and after any changes to verify they are operational and effective.

PCI DSS v4.0 also explicitly requires that penetration testing is performed by a qualified internal resource or qualified external third party, and that testing follows an industry-accepted penetration testing approach. CREST accreditation is widely recognised by QSAs as meeting this qualification requirement.

Pentest Limited - PCI DSS Penetration Testing

PCI DSS Testing

What Our Testing Covers

The full scope of your PCI DSS testing will be determined by your QSA based on your CDE boundary and in-scope systems. We work closely with your QSA to confirm scope before testing begins and produce reporting in a format that feeds directly into your Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).

Need a PCI QSA?

Penetration testing satisfies the technical requirements of PCI DSS, but if your organisation also needs a Qualified Security Assessor for gap analysis, an Attestation of Compliance (AOC), or a full Report on Compliance (ROC), our sister company Xcina Consulting is an accredited PCI QSA firm that can help.

Test Process

Our PCI DSS Testing Process

Every PCI DSS penetration test goes through a rigorous process, ensuring that you get the best possible outcome and that you are fully complying with your PCI DSS requirements. Below we outline the key stages our testing goes through:

Understand Your Requirements

We begin every PCI DSS engagement by reviewing your CDE boundary, in-scope systems, and any relevant documentation from previous assessments. We work directly with your QSA to confirm testing scope before we begin, ensuring our assessment covers exactly what your compliance process requires.

Manual, Expert-Led Testing

Testing is carried out by directly employed, CREST-certified consultants. We use tooling to support enumeration and discovery, but every finding is validated through manual exploitation, as required by PCI DSS. This means confirmed attack paths, no false positives, and a report your QSA can rely on.

Reporting Aligned To Your Compliance Process

Our PCI DSS reports are produced in a format designed to feed directly into your QSA's compliance process. Technical findings include full exploitation detail and clear remediation guidance. Executive summaries provide the management overview required for your ROC or SAQ.

Post-Test Remediation Support

We remain available after delivery to support remediation, answer questions from your QSA, and provide fix checks to confirm that vulnerabilities have been resolved. Additional documentation for your ROC or SAQ is available on request.

Contact Us

Discuss Your PCI DSS Testing Requirements

Whether you’re approaching your annual assessment or need testing following a significant change to your CDE, fill in the form below and a member of our team will be in touch.