PCI DSS Penetration Testing & Compliance
PCI DSS v4.0.1 requires annual penetration testing (Req 11.4) and quarterly ASV vulnerability scans (Req 11.3) for every cardholder data environment. We deliver both -- with audit-ready reports your QSA can trust.
What is PCI DSS?
PCI DSS is the global security standard for any organization that touches payment card data. Created by the PCI Security Standards Council (founded by Visa, Mastercard, American Express, Discover, and JCB), it sets the baseline for how cardholder data must be stored, processed, and transmitted.
- Managed by the PCI Security Standards Council (PCI SSC), founded by the five major card brands
- Current version is PCI DSS v4.0.1, published June 2024. Core v4.0 requirements have been mandatory since March 31, 2024 (when v3.2.1 was retired), and the remaining future-dated requirements (e.g., advanced MFA, anti-phishing controls, WAF deployment) became mandatory on March 31, 2025. All v4.0.1 requirements are now fully in effect.
- Defines 12 requirements organized under 6 security goals
- Applies globally to any entity handling cardholder data, regardless of size or transaction volume
- Compliance validated through Self-Assessment Questionnaires (SAQs) or on-site audits by Qualified Security Assessors (QSAs)
Reference: PCI SSC - https://www.pcisecuritystandards.org/standards/pci-dss/
Who Must Comply with PCI DSS?
Any organization that stores, processes, or transmits cardholder data must comply with PCI DSS. Merchants are additionally classified into four levels by annual transaction volume, which determines how compliance is validated.
Merchants
Retail stores, restaurants, hotels, and any business that accepts card payments in person or online
E-Commerce Businesses
Online stores and platforms processing card-not-present transactions through payment gateways
Financial Institutions
Banks, acquiring banks, and card issuers that process, store, or transmit cardholder data
Payment Processors
Third-party processors, payment gateways, and payment service providers handling card transactions
Service Providers
Hosting providers, managed security services, and any entity with access to cardholder data environments
Any Card Data Handler
Any organization that stores, processes, or transmits primary account numbers (PANs) or sensitive authentication data
Key Security Testing Requirements
PCI DSS v4.0.1 spells out exactly what security testing is expected -- from annual pentests to quarterly scans to secure coding practices. These are the requirements you need to know.
Penetration Testing
External and internal penetration testing must be performed at least once every 12 months and after any significant change. Testing must cover the entire perimeter of the cardholder data environment (CDE) and its critical systems, including validation that network segmentation controls actually isolate the CDE. Testing must follow an industry-recognized methodology such as NIST SP 800-115 or the OWASP testing guides.
Vulnerability Scanning
External vulnerability scans must be performed at least quarterly by a PCI SSC Approved Scanning Vendor (ASV). Internal scans must also be performed quarterly. PCI DSS v4.0 requires authenticated internal scanning for deeper detection of misconfigurations and vulnerabilities.
Secure Software Development
Custom software must be developed securely following industry standards. Code must be reviewed for vulnerabilities, including the OWASP Top 10 classes, before it is released to production. Developers must receive secure coding training at least once every 12 months.
Malware Protection
Protect all systems and networks from malware. Anti-malware solutions must be deployed, maintained, and actively monitored on all systems commonly affected by malware.
Network Security Controls
Install and maintain network security controls including firewalls and network segmentation to protect the cardholder data environment from untrusted networks.
Access Control & Authentication
Identify users and authenticate access to system components. Implement strong access controls including multi-factor authentication (MFA) for all access into the cardholder data environment.
The Cost of Non-Compliance
Card brands and acquiring banks take PCI DSS seriously. Fall out of compliance and the financial and operational consequences hit fast.
Payment card brands can impose fines of $5,000 to $100,000 per month on acquiring banks, which pass these fines to non-compliant merchants. Fines escalate the longer non-compliance persists.
Merchants may lose the ability to process card payments entirely. For businesses dependent on card transactions, this effectively means inability to operate. Reinstatement requires full compliance validation.
Non-compliant organizations that suffer a data breach face forensic investigation costs, mandatory card replacement expenses, fraud loss liability, and potential lawsuits from affected cardholders and banks.
Get PCI DSS Compliant with Confidence
Penetration testing and vulnerability scanning aligned with PCI DSS v4.0.1. Audit-ready reports that give your QSA exactly what they need.
Reconix is a leading cybersecurity company in Thailand, providing world-class services to businesses of all sizes.