    PCI DSS v4.0 · By Budget Security

    PCI DSS Penetration Testing Requirements

    Any organization that stores, processes, or transmits cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Requirement 11.3 mandates regular penetration testing of both external and internal environments to protect payment card data from compromise.

    PCI DSS v4.0, which fully replaces v3.2.1, introduces stricter testing controls and broadened scope for authenticated scanning. This guide covers what penetration testing PCI DSS demands, how it differs from automated scanning, and how Budget Security delivers testing that satisfies your QSA or auditor.

    Requirements 11.3 and 11.4 Explained

    PCI DSS Requirement 11 focuses on regular testing of security systems and processes. Two sub-requirements are directly relevant to penetration testing:

    Req 11.3 - Penetration Testing

    External and internal penetration tests must be performed at least annually and after any significant infrastructure change

    Req 11.4 - Intrusion Detection

    Intrusion-detection or intrusion-prevention systems must monitor all traffic at the perimeter and critical points inside the CDE

    Req 11.3.4 - Segmentation Testing

    If network segmentation is used to reduce PCI DSS scope, penetration testing must verify that segmentation controls are operational and effective

    Req 11.3.1/11.3.2 - Scope

    External tests target internet-facing systems. Internal tests target systems within the trusted network and cardholder data environment

    Requirement 11.3 specifies that penetration testing must follow an industry-accepted methodology such as NIST SP 800-115, OWASP Testing Guide, or PTES. The test must cover the entire CDE perimeter and any critical systems that could affect the security of cardholder data.

    Internal vs External Penetration Testing

    PCI DSS draws a clear distinction between external and internal penetration tests. Both are required, and each serves a different purpose in validating your security posture.

    External Penetration Testing (11.3.1)

    • Performed from outside the network perimeter
    • Targets all internet-facing systems in the CDE
    • Tests firewalls, web applications, and exposed services
    • Must include network-layer and application-layer testing
    • Required annually and after significant changes

    Internal Penetration Testing (11.3.2)

    • Performed from inside the trusted network
    • Simulates a compromised insider or breached endpoint
    • Tests lateral movement paths toward the CDE
    • Assesses access controls between network segments
    • Required annually and after significant changes

    Quarterly ASV (Approved Scanning Vendor) scans required under Requirement 11.2 are not a substitute for penetration testing. ASV scans are automated vulnerability scans of external IP addresses, whereas penetration testing involves manual exploitation, business-logic testing, and chained attack scenarios that automated tools cannot replicate.

    Segmentation Testing

    Many organizations reduce their PCI DSS scope by isolating the cardholder data environment from the rest of the corporate network using network segmentation. If you rely on segmentation to limit your compliance scope, Requirement 11.3.4 requires you to verify that segmentation controls actually work.

    Segmentation Testing Requirements

    • Frequency: At least every six months for service providers. Annually for merchants, plus after any change to segmentation controls.
    • Scope: Testing must confirm that out-of-scope systems cannot communicate with systems inside the CDE.
    • Method: Port scanning alone is insufficient. Penetration testers must attempt to bypass segmentation controls through routing manipulation, VLAN hopping, firewall rule exploitation, and other techniques.
    • Documentation: Results must clearly show which controls were tested, whether bypass was possible, and evidence supporting the conclusion.
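As an added example (not Budget Security's code or tooling), the following Python collects the connectivity evidence behind the "Scope" and "Documentation" points above: it probes CDE targets from an out-of-scope network position, classifies each answer, and prints which control was tested, from where, and whether a path existed. It covers only the connectivity baseline; as the "Method" point says, a segmentation test still has to go further than this. The addresses, rule names and simulated responses are constructed for the example, and the `simulated_probe` function stands in for real traffic so it runs offline.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Classification of a single TCP probe as seen from the out-of-scope host.
OPEN = "open"          # handshake completed: a CDE service is reachable
CLOSED = "closed"      # RST received: something on the path answered
FILTERED = "filtered"  # no answer: traffic dropped, consistent with segmentation


@dataclass(frozen=True)
class Probe:
    source: str   # label of the out-of-scope network the probe runs from
    target: str   # CDE system under test (hypothetical address in the sample data)
    port: int
    control: str  # the segmentation control (firewall rule, ACL) this probe exercises


@dataclass(frozen=True)
class ProbeResult:
    probe: Probe
    outcome: str
    detail: str   # raw evidence line kept for the report


ProbeFn = Callable[[str, int], Tuple[str, str]]


def tcp_probe(target: str, port: int, timeout: float = 2.0) -> Tuple[str, str]:
    """Attempt a TCP handshake and classify the response."""
    try:
        with socket.create_connection((target, port), timeout=timeout):
            return OPEN, "TCP handshake completed"
    except ConnectionRefusedError:
        return CLOSED, "RST received"
    except (socket.timeout, TimeoutError):
        return FILTERED, f"no response within {timeout}s"
    except OSError as exc:  # no route to host, network unreachable, ...
        return FILTERED, f"{type(exc).__name__}: {exc}"


def run_segmentation_test(probes: List[Probe], probe_fn: ProbeFn = tcp_probe) -> List[ProbeResult]:
    """Run every probe and keep the raw outcome as evidence."""
    return [ProbeResult(p, *probe_fn(p.target, p.port)) for p in probes]


def violations(results: List[ProbeResult]) -> List[ProbeResult]:
    """Completed handshakes: an out-of-scope host reached a CDE service."""
    return [r for r in results if r.outcome == OPEN]


def needs_explanation(results: List[ProbeResult]) -> List[ProbeResult]:
    """RST answers: either the firewall rejects instead of dropping (acceptable,
    but document it) or the CDE host itself answered on a closed port (the
    boundary is not enforcing for that path). The report must say which."""
    return [r for r in results if r.outcome == CLOSED]


def segmentation_effective(results: List[ProbeResult]) -> bool:
    return not violations(results)


def report_lines(results: List[ProbeResult]) -> List[str]:
    """Evidence table: which control was tested, from where, with what result."""
    lines = ["control | source -> target:port | outcome | evidence"]
    for r in results:
        p = r.probe
        lines.append(f"{p.control} | {p.source} -> {p.target}:{p.port} | {r.outcome} | {r.detail}")
    verdict = "EFFECTIVE" if segmentation_effective(results) else "INEFFECTIVE"
    lines.append(f"RESULT: segmentation {verdict} "
                 f"({len(violations(results))} open path(s), "
                 f"{len(needs_explanation(results))} RST answer(s) to explain)")
    return lines


# Constructed sample data: hypothetical addresses and rule names, not from any real environment.
SAMPLE_PROBES = [
    Probe("corp-workstation-vlan", "10.20.0.10", 443, "FW rule CORP->CDE deny-all"),
    Probe("corp-workstation-vlan", "10.20.0.10", 1433, "FW rule CORP->CDE deny-all"),
    Probe("guest-wifi", "10.20.0.11", 22, "guest ACL"),
    Probe("guest-wifi", "10.20.0.11", 3306, "guest ACL"),
]

# Simulated responses so the example runs offline; pass tcp_probe instead for a live run.
SIMULATED_RESPONSES: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("10.20.0.10", 443): (FILTERED, "no response within 2.0s"),
    ("10.20.0.10", 1433): (OPEN, "TCP handshake completed"),  # a forgotten database exception
    ("10.20.0.11", 22): (CLOSED, "RST received"),
    ("10.20.0.11", 3306): (FILTERED, "no response within 2.0s"),
}


def simulated_probe(target: str, port: int) -> Tuple[str, str]:
    return SIMULATED_RESPONSES[(target, port)]


if __name__ == "__main__":
    for line in report_lines(run_segmentation_test(SAMPLE_PROBES, simulated_probe)):
        print(line)
```

The distinction between a timeout and an RST matters for the evidence: a dropped packet is what a correctly placed deny rule produces, while an RST proves that something answered and has to be attributed either to a rejecting firewall or to the CDE host itself. A single completed handshake from an out-of-scope network is enough for the verdict to flip to ineffective, which is why the report lists every probe rather than a pass/fail summary alone.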

    Failed segmentation testing means your entire network could be considered in scope for PCI DSS, dramatically increasing the cost and complexity of compliance. Budget Security includes segmentation verification as part of every PCI DSS engagement where segmentation is used.

    How Budget Security Helps You Meet PCI DSS

    Budget Security delivers penetration testing built around PCI DSS requirements. You define your cardholder data environment, select the testing type, and our team handles the rest. Pricing starts at EUR 849 per day.

    1. Configure your engagement online
       Specify your CDE boundaries, network segments, and testing requirements through our booking platform. Get a fixed-price quote in minutes without back-and-forth emails.

    2. Testing by qualified pentesters
       Our team holds industry-recognized offensive security certifications and follows PTES, OWASP, and NIST SP 800-115 methodologies to satisfy PCI DSS Requirement 11.3 testing standards.

    3. QSA-ready deliverables
       Every report maps findings to PCI DSS requirements, includes CVSS-scored vulnerabilities with exploitation evidence, and provides clear remediation guidance. Hand it directly to your QSA or acquiring bank.

    4. Track remediation and retest
       Monitor open findings through our vulnerability tracking dashboard. Schedule retesting to confirm fixes before your next assessment window.

    PCI DSS Penetration Testing FAQ

    What is PCI DSS penetration testing?
    PCI DSS penetration testing is a mandatory security assessment required under Requirement 11.3 of the Payment Card Industry Data Security Standard. It involves simulated attacks against your cardholder data environment (CDE) to identify exploitable vulnerabilities before real attackers do.

    How often does PCI DSS require penetration testing?
    PCI DSS requires penetration testing at least once every 12 months and after any significant change to your infrastructure, such as firewall modifications, product upgrades, or new system component installations. Segmentation testing must be performed every six months.

    What is the difference between an ASV scan and a penetration test?
    An Approved Scanning Vendor (ASV) scan is an automated quarterly vulnerability scan of external-facing systems. A penetration test goes further by manually exploiting vulnerabilities, chaining attack paths, and testing business logic flaws that automated scanners cannot detect. PCI DSS requires both.

    Does PCI DSS require both internal and external penetration tests?
    Yes. Requirement 11.3.1 covers external penetration testing from outside the network perimeter, while Requirement 11.3.2 covers internal penetration testing from within the trusted network. Both must be performed annually and after significant changes.

    Do I need a penetration test if I only fill out an SAQ?
    It depends on your SAQ type. SAQ A and SAQ A-EP merchants are generally not required to perform penetration tests. However, SAQ C, SAQ C-VT, SAQ D, and all Service Provider validations require annual penetration testing under PCI DSS.

    How much does a PCI DSS penetration test cost?
    A PCI DSS penetration test with Budget Security starts at EUR 849 per day. Total cost depends on the size of your cardholder data environment, the number of network segments, and whether you need both internal and external testing. Use our pricing page for a detailed estimate.