Skip to content

What is PCI Pen Testing?

Payment Card Industry (PCI) Penetration Testing or more commonly shortened to PCI Pen Testing is running penetration tests for the purposes of the PCI Data Security Standards (DSS) compliance.


Under requirements 11 and 6.6 of the PCI DSS and depending on self-assessment questionnaire (SAQ) or Report on Compliance (ROC) requirement, you will be required to carry out Web Application Penetration Testing, External Network Penetration Testing and Internal Network Penetration Testing.

Is pen-testing required for PCI?

Penetration Testing is a key security control and should be considered by all organisation irrespective of requirements for PCI or otherwise. In terms of the PCI DSS specifically, it’s usually only required if mandated by your acquiring bank (typically due to an increase in PCI DSS risk) or if you store card data and/or process via e-commerce.

What does a PCI scan look for?

The term ‘PCI Scan’ typically means a PCI Approved Scanning Vendor (ASV) scan which is mandated under requirement 11.2.2 of the PCI DSS. This involves a PCI ASV running quarterly scans against your external ‘in scope’ assets for the PCI DSS.

How do I pass a PCI compliance scan?

To pass a PCI ASV scan or PCI Compliance Scan you need to have no ‘non-compliant’ vulnerabilities on the quarterly PCI ASV scan. Your PCI ASV vendor will typically provide a report highlighting and areas of non-compliance and provide guidance for remediation as needed. Typically non-compliant vulnerabilities are anything that is not Denial of Service (DoS) related and has a CVSS score of 4.0 or greater.

If you like this blog post, find more content in our Glossary.