PCI DSS penetration testing

PCI DSS requires all entities that process card data to perform regular penetration testing of the CDE (Cardholder Data Environment). Requirements for such tests are described in the PCI DSS Information Supplement – Penetration Testing Guidance.


Among other things, it requires that:

  • Penetration testing should be a mostly manual process.
  • Tests should be performed in accordance with standards (OSSTMM, NIST SP 800-115, OWASP Testing Guide).
  • The scope must include the entire CDE perimeter and any critical systems that may impact the security of the CDE as well as the environment in scope for PCI DSS.
  • Network-layer penetration tests shall include components that support network functions as well as operating systems.
  • Application-layer penetration testing shall include, at a minimum, the vulnerabilities listed in PCI DSS Requirement 6.5.
  • The scope should include review and consideration of threats and vulnerabilities experienced in the last 12 months.


Our penetration testing services are fully in line with these requirements. The service covers the whole scope described in the PCI DSS guidance:

  • External penetration testing
  • Internal penetration testing
  • Segmentation checks
  • Application-layer penetration testing
  • Social Engineering (if needed)


We have extensive experience working with clients that process credit card data (banks, merchants, payment processors), and we cooperate with QSA auditors.


Let us know what your needs are. We will be happy to answer all your questions.