The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder data. One of the key (and almost always applicable) requirements of PCI DSS is that organizations must perform internal and external penetration testing for the entire scoped environment—this not only applies to systems that store, process, or transmit cardholder data, but also those that can impact the security of cardholder data.
Although that may seem fairly straightforward, having been performing both PCI DSS assessments and penetration tests for years, we’re still often asked the same questions by organizations of all shapes and sizes. So, to make this aspect of PCI DSS compliance clearer, we’ve put together a collection of frequently asked questions (and answers).
They are categorized around the following two topics:
- PCI DSS Penetration Testing Basics
- Network Segmentation Questions
- Who Should Perform Your PCI DSS-Required Pen Test and Scans?
PCI DSS Penetration Testing Basics
Does Every Organization Undergoing PCI DSS Need to Have a Penetration Test Performed?
|
SAQ Type |
Penetration Test Required? |
|---|---|
|
SAQ A |
No |
|
SAQ B |
No |
|
SAQ B-IP |
No |
|
SAQ C-VT |
No |
|
P2PE |
No |
|
SAQ C |
Yes |
|
SAQ D |
Yes |
Did PCI DSS v4.0 Change Anything Regarding the Penetration Testing Requirements?
Yes, it did—in PCI DSS v4.0 Req. 11.4.1 and 11.4.4, the updated standard now includes "security weaknesses" as requiring remediation along with exploitable vulnerabilities.
The term “security weaknesses” encompasses all types of vulnerabilities, regardless of their exploitability or severity, and for these non-exploitable findings, the new PCI Requirement 6.3.1 mandates that the organization being assessed review them and evaluate the risk, including potential reclassification (i.e., changing to a false positive).
PCI DSS v4.0 penetration testing requirements become mandatory on March 31, 2025; however, these requirements are also applied during any PCI DSS v4.0 assessment conducted prior.
Do You Have to Remediate All Findings Identified (or Just the High-Risk Ones)?
As we just mentioned, though PCI DSS v3.2.1 only required remediation for exploitable vulnerabilities—or vulnerabilities indicating a PCI DSS requirement is not being met—PCI DSS v4.0 includes both exploitable findings and security weaknesses (i.e., having encryption issues, security misconfigurations, etc.) as issues requiring remediation.
Even so, the timeframe to address findings is not static. A complete and clean—meaning, no open findings—penetration test report is required for a compliant PCI DSS validation. Speak with your penetration tester and QSA to address any timeframe concerns.
How Often Does a Penetration Test Need to Be Performed to Maintain PCI DSS Compliance?
You must perform a penetration test at least annually, no matter if you’re a merchant or service provider and if there have been any significant changes to your systems or environment.
What’s In-Scope for a PCI DSS Penetration Test?
The following should be in scope for your PCI DSS penetration test:
|
All external attack surfaces |
Examples include:
|
|
All internal networks |
Including:
|
|
Network segmentation* |
The controls should be tested:
|
* Network segmentation testing only applies when segmentation controls are in use.
Network Segmentation Questions
Is Network Segmentation Testing Always Required?
Network segmentation is not a requirement but can be used by either merchants or service providers to reduce scope.
If segmentation is not employed, then the entire routable network is in scope (as noted above, and this applies to both merchants and service providers).
What Would Be Considered Failing a Network Segmentation Test?
You will fail a network segmentation test upon the discovery of the following:
- Undefined, unauthenticated, or unprotected services (i.e., weak protocols, weak cryptographic hashes, or not using encryption) having access to the CDE.
- Networks considered “untrusted” having access to the CDE.
It is important to note that access to the CDE from non-CDE networks is not an automatic fail. Access into the CDE must be defined and assessed as a part of the PCI DSS assessment as a non-CDE in-scope function.
Who Should Perform Your PCI DSS-Required Pen Test and Scans?
Can Your In-House Security Team Perform the Penetration Test?
Yes, you can perform your own penetration test and segmentation tests as long as the personnel performing the test is qualified to do so, meaning:
- They are trained pen testers and hold industry-standard certifications such as those offered by OffSec, Zero Point Security, and PortSwigger.
- They have organizational independence from the systems being tested (as is stated in the DSS, “...individuals performing assessments are organizationally separate from the management of the environment being assessed of your organization.”)
If that’s not the case, a qualified external third party like Schellman must perform the test.
Why Should You Use Schellman for Your PCI DSS Penetration Test?
Between our penetration testers and our PCI QSAs, we are uniquely qualified to assist you with the entirety of your PCI DSS compliance. Though our personnel are organizationally separate to prevent influence, both understand the security controls and threat vectors. If you choose to partner with us, you can expect:
- Extensive Experience: Our QSAs have experience with all the different PCI standards, while our penetration testers are also highly qualified.
- A More Streamlined Experience: When you choose us to perform both, our staff can coordinate to confirm the scope of the DSS assessment aligns with penetration testing, removing many last-minute headaches.
- Constant Communication: There will be no waiting to figure out how many findings will be on the final report—our staff will provide updates via AuditSource as vulnerabilities are identified.
- An Included Retest: We include a single retest of all originally identified findings within 30 days, along with a separate retest report deliverable, and customer-facing attestation letter.
How Does Schellman Perform Network Segmentation Testing?
When we test your network segmentation, we’ll first provide a virtual machine (VM) or physical device for you to connect to an “untrusted network”—preferably a corporate network. From there, we will review the CDE and non-CDE in-scope networks and attempt to verify network segmentation controls (through host discovery and TCP/UDP port scanning).
This test typically takes a week, including report writing time.
About the Experts:
Adam "Sully" Perella is a Technical Director who leads the PIN and P2PE service lines for Schellman. After first getting into the payments space, Sully ramped up to validate payment applications, point-to-point encryption, perform penetration testing, and forensic services. He maintains multiple certifications in information security and payments. Active within the payments community, he helps draft new payment standards and speaks globally on payment security. His current focus includes the Software Security Framework, 3-Domain Secure services (3DS), and external vulnerability scans as an Approved Scanning Vendor (ASV).
Josh Tomkiel is a Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment, including the importance of a positive client experience which Josh takes great care to deliver.