Compliance Testing

PCI DSS Penetration Testing

Meet Requirement 11.3.

Sherlock Forensics delivers PCI DSS 4.0 penetration testing to satisfy Requirement 11.3. Testing covers both internal and external network segments, application-layer vulnerabilities and segmentation validation for the cardholder data environment. Reports include CVSS-scored findings, remediation guidance and attestation documentation. Standard PCI penetration tests start at $5,000 CAD and Comprehensive engagements with internal CDE testing via ShadowTap start at $12,000 CAD.

PCI DSS 4.0

What Requirement 11.3 Demands

Internal and External Testing

PCI DSS 4.0 Requirement 11.3 requires penetration testing from both inside and outside the network at least annually and after any significant change. Internal testing targets the cardholder data environment directly, while external testing simulates an internet-based attacker targeting payment-facing systems.

Application-Layer Testing

Requirement 11.3.1 explicitly requires application-layer penetration testing covering the OWASP Top 10 at minimum. This includes testing web applications that process, store or transmit cardholder data, as well as any application that could provide a path into the CDE.

Segmentation Validation

If you use network segmentation to reduce PCI scope, Requirement 11.3.4 requires testing to verify those controls are effective. Service providers must perform segmentation testing every six months. We place our ShadowTap device on non-CDE segments and verify that CDE systems are unreachable.

Key Distinction

ASV Scan vs Penetration Test

                 ASV Scan (Req 11.2)                  Penetration Test (Req 11.3)
Type             Automated vulnerability scan         Manual exploitation and analysis
Frequency        Quarterly                            Annually + after significant changes
Scope            External-facing IPs only             Internal and external, network and application
Performed By     PCI SSC-approved ASV                 Qualified internal or external tester
Output           Pass/fail with vulnerability list    Detailed findings, exploitation evidence, remediation roadmap

Both are required for PCI compliance. An ASV scan identifies known vulnerabilities automatically. A penetration test proves what an attacker can actually do with those vulnerabilities, tests for business logic flaws and validates segmentation controls.

SAQ Requirements

Which SAQ Types Require a Pentest?

SAQ Type     Description                                                   Pentest Required?
SAQ A        Card-not-present, all processing outsourced                   No
SAQ A-EP     E-commerce with website affecting transaction security        Yes
SAQ C        Payment terminals connected to the internet                   No
SAQ D        All other merchants and service providers                     Yes
ROC          Report on Compliance (Level 1 merchants/service providers)    Yes

Even if your SAQ type does not require a penetration test, Sherlock Forensics recommends annual testing for any organization that processes payment card data. Automated scans miss business logic flaws, chained attack paths and segmentation weaknesses that a manual penetration test will find.

Internal CDE Testing

ShadowTap: Remote Internal CDE Testing

How It Works

We ship a pre-configured ShadowTap device to your location. Plug it into a network port inside your cardholder data environment. It connects back to our lab over an encrypted tunnel. Our team tests your internal CDE as if sitting at a desk in your office. No VPN configuration, no firewall changes, no IT overhead.

What We Test

Internal network reconnaissance, CDE segmentation validation, lateral movement testing between CDE and non-CDE segments, Active Directory assessment, privilege escalation paths, internal service vulnerabilities and credential exposure. All findings mapped to PCI DSS requirements.

Segmentation Validation

We place a second ShadowTap device on a non-CDE segment and verify that cardholder data systems are unreachable. This satisfies Requirement 11.3.4 for segmentation testing and provides concrete evidence for your QSA or ISA.
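The segmentation check described here and in the earlier Segmentation Validation section comes down to one question: from a non-CDE segment, does any packet reach a CDE system? The script below is an added illustration of how that evidence can be collected and recorded; it is not Sherlock Forensics' or ShadowTap's code. The CDE hostnames and ports are constructed sample values, and the `probe` parameter is an assumption introduced so the logic can be exercised without a live network.

```python
"""Segmentation validation evidence: probe CDE systems from a non-CDE segment.

Added example, not the vendor's tooling. Hostnames, ports and the expected
verdict are constructed assumptions; real scope comes from the PCI network
diagram and CDE inventory.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample scope: CDE systems that must be unreachable from the
# segment where the probing device sits.
CDE_TARGETS: Dict[str, List[int]] = {
    "pos-db.cde.example.internal": [1433, 3389],
    "payment-gw.cde.example.internal": [443, 22],
}


@dataclass
class ProbeResult:
    host: str
    port: int
    reachable: bool
    detail: str


def tcp_connect_probe(host: str, port: int, timeout: float = 2.0) -> Tuple[bool, str]:
    """One TCP connect attempt; returns (reachable_at_network_layer, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "TCP connect succeeded"
    except socket.timeout:
        # Silently dropped: the segmentation control is doing its job.
        return False, "timed out (filtered or dropped)"
    except ConnectionRefusedError:
        # A RST means something answered, so a path exists even though the
        # port is closed. Counted as reachable (conservative); a firewall that
        # rejects with RST would need to be confirmed separately.
        return True, "connection refused (host answered, port closed)"
    except OSError as exc:
        return False, f"unreachable: {exc.strerror or exc}"


def validate_segmentation(
    targets: Dict[str, List[int]],
    probe: Callable[[str, int], Tuple[bool, str]] = tcp_connect_probe,
) -> List[ProbeResult]:
    """Probe every target/port pair and collect the outcome for the report."""
    results = []
    for host, ports in targets.items():
        for port in ports:
            reachable, detail = probe(host, port)
            results.append(ProbeResult(host, port, reachable, detail))
    return results


def segmentation_effective(results: List[ProbeResult]) -> bool:
    """Segmentation passes only if no CDE target was reachable at all."""
    return not any(r.reachable for r in results)


def evidence_report(results: List[ProbeResult]) -> str:
    """Plain-text evidence a QSA or ISA can attach to the segmentation finding."""
    lines = ["Segmentation validation (Req 11.3.4): probes from non-CDE segment"]
    for r in results:
        status = "FAIL" if r.reachable else "PASS"
        lines.append(f"{status} {r.host}:{r.port} - {r.detail}")
    verdict = "EFFECTIVE" if segmentation_effective(results) else "NOT EFFECTIVE"
    lines.append(f"Verdict: segmentation {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run from a host on the non-CDE segment against the in-scope targets.
    print(evidence_report(validate_segmentation(CDE_TARGETS)))
```

A single reachable host:port is enough to fail the control, which is why the verdict is an all-or-nothing check rather than a percentage. Every probe outcome is kept, including the passes, because the assessor needs to see what was tested, not only what failed.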

Frequently Asked Questions

PCI DSS Penetration Testing FAQs

What is PCI DSS Requirement 11.3?
Requirement 11.3 mandates internal and external penetration testing at least annually and after any significant change to the cardholder data environment. Under PCI DSS 4.0, this includes application-layer testing, network-layer testing and a documented methodology based on industry-accepted approaches.

What is the difference between an ASV scan and a penetration test?
An ASV scan is an automated quarterly external vulnerability scan required by Requirement 11.2. It identifies known vulnerabilities but does not attempt exploitation. A penetration test under Requirement 11.3 is a manual assessment that actively exploits vulnerabilities to determine real-world impact. Both are required for PCI compliance.

Which SAQ types require a penetration test?
SAQ D and Report on Compliance (ROC) require annual penetration testing. SAQ A-EP requires it for e-commerce merchants with websites that affect payment transaction security. SAQ A and SAQ C do not require it, though testing is recommended for any organization handling card data.

How often does PCI DSS require penetration testing?
At least annually and after any significant infrastructure or application change. Significant changes include new system components, network topology changes, firewall rule modifications, product upgrades and web application changes. Service providers must perform segmentation testing every six months.

Does PCI DSS 4.0 change penetration testing requirements?
PCI DSS 4.0 introduces more explicit requirements for documented methodology, internal testing scope and segmentation testing frequency. Requirement 11.3.1 now requires an industry-accepted penetration testing methodology. Requirement 11.3.2 requires segmentation testing every six months for service providers.

What is segmentation testing and do I need it?
Segmentation testing validates that network controls isolating your CDE from other networks are effective. If you use segmentation to reduce PCI scope, you must test it annually (every six months for service providers). We use ShadowTap devices placed on non-CDE segments to verify CDE systems are unreachable.

Can I use the same vendor for ASV scans and penetration testing?
Yes. PCI DSS allows the same vendor to perform both. The penetration test must be performed by a qualified tester, and the ASV scan must be performed by a PCI SSC-approved ASV. Sherlock Forensics provides penetration testing services and can coordinate with your ASV provider to ensure full coverage.

Get Started

Ready for your PCI penetration test?

Standard PCI pentest from $5,000 CAD. Comprehensive with internal CDE testing via ShadowTap from $12,000 CAD. Reports structured for your QSA or ISA.

Scope Your PCI Penetration Test

Tell us about your cardholder data environment, SAQ type and compliance timeline. We will provide a fixed-price quote within one business day.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada
Typical Timeline: 5-15 business days from kickoff to final report