Select regional store:
PCI Compliance Penetration Testing

PCI Compliance Penetration Testing

SKU: 4573
Format: Compliance Penetration Testing
Published: 01 Jan 0001

Requirement 11 of the PCI DSS describes the need to regularly and frequently carry out tests to identify unaddressed security issues and scan for rogue wireless networks.

Regular testing is fundamental to ensuring that an organisation is prepared for the full range of attacks that companies have to face.

To purchase one of our penetration testing services, click the links below or call our team today on 00 800 48 484 484.


Your challenge

PCI compliance, especially for Reports on Compliance (ROCs) and some self-assessment questionnaires (SAQs), requires internal and external vulnerability scans, and frequent penetration tests.

PCI DSS Requirement 11.3 addresses penetration testing, which is different from the external and internal vulnerability assessments required by PCI DSS Requirement 11.2. A vulnerability assessment simply identifies and reports on vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorised access or other malicious activity is possible. Penetration testing should include network and application layer testing, as well as controls and processes around the networks and applications, and should be conducted from both outside the network trying to come in (external testing) and from inside the network.

The goals of penetration testing are:

  • To determine whether and how a malicious user could gain unauthorised access to assets that affect the fundamental security of the system, files, logs and/or cardholder data.
  • To confirm that the controls required by the PCI DSS are in place and effective.

Our service offering

Meet the penetration testing requirements of the PCI DSS with our comprehensive web application, infrastructure or wireless network penetration tests.

Merchants/ Service providers

Quarterly* external vulnerability scan (ASV)

Quarterly* internal vulnerability scan

Annual** penetration test
(Level 2)

Quarterly wireless network analysis

Annual Web application vulnerability scan1

  Req. 11.2.2 Req. 11.2.1 Req. 11.3 Req. 11.1 Req. 6.6


Yes Yes Yes ++ Yes Yes

SAQ D for Merchants

Yes Yes Yes      Yes Yes

SAQ D for Service Providers

Yes Yes Yes ++ Yes Yes


Yes Yes Yes #  Yes Yes


    Yes #     






Yes   Yes #     


Yes Yes Yes +    Yes



Purchase the required test


* Or after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
** Or after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment).
# Only required for testing network segmentation if any is present.
+ Only external penetration test required.
++ For service providers any network segmentation must be tested every six months
1 Or after any change to the application. Applicable if developing own applications or using a 3rd party non-PCI-certified web application

Further information

Remote service offering for organisations located outside the UK

Please note that IT Governance routinely provides this service remotely for organisations located outside the United Kingdom. We can also offer an on-site presence, but consultant expenses related to travelling , etc. will need to be absorbed as an additional cost.


Why choose us?

  • You receive a tailored assessment that applies to your business and relevant threats, not a generic assessment of theoretical risks.
  • You work with CREST-qualified consultants experienced in infrastructure and application penetration testing.
  • We combine a number of advanced manual tests with automated vulnerability scans to ensure all critical vulnerabilities are identified.
  • You receive a clear report that prioritises the risks relevant to your organisation so you can easily remediate any vulnerabilities.

Speak to an expert

Please contact us for further information or to speak to an expert.

Contact us

Customer Reviews

(0# of Ratings:)
This website uses cookies. View our cookie policy