Under PCI DSS Requirement 11.3 a penetration test of your Cardholder Data Environment and all systems and networks connected to it is required to be conducted.

A penetration test is designed to evaluate your organisations security posture and ultimately to fortify your business, through the identification and exploitation of vulnerabilities, to determine whether unauthorised access or other malicious activity is possible.


PCI DSS Requirement 11.3 addresses penetration testing, which differs from the external and internal vulnerability assessment requirements of PCI DSS Requirement 11.2.

For any organisation which stores and processes Cardholder data a Penetration test is required to ensure the security of your systems is safeguarded from a malicious attacker attempting to gain access to this sensitive information.

Under the PCI DSS Requirement 11.3 the scope of work for a penetration test includes all locations of cardholder data, all key applications that store, process, or transmit cardholder data, all key network connections, and all key access points.

Our Penetration testers will work with you to ensure each of your systems required for assessment are thoroughly tested, and you are provided with a detailed analysis regarding this test.

Our Penetration Testers use a combination of the most effective automated tools and manual exploitation techniques to identify vulnerabilities against each of your assets. An extensive report provides a thorough description of each identified vulnerability and provides business context alongside each issue.

This is supplemented by technical and non-technical descriptions including evidence of exploitation to assist in prompt remediation activities and provide a thorough understanding of each issue.

A PCI DSS 11.3 Penetration Test will allow your organisation to:

  • Understand the risks that exist across your estate and can affect your Cardholder Data Environment.
  • Make ongoing improvements to your security posture via specialist support, advice and consultancy.
  • Adhere to PCI DSS Requirement 11.3 to conduct penetration testing against your CDE and connected systems and networks.
  • Gain access to a dedicated team of specialist CREST Registered penetration testers who use the latest tools and techniques to accurately assess and identify emerging threats.


1. What is the difference between a Manual Penetration Test and a Vulnerability Scan?

A manual penetration test is led by one of our CREST penetration testers and uses an intelligence led approach to assess any of your systems or services, identifying vulnerabilities beyond what a vulnerability scan can identify.

A vulnerability scan can provide a faster and more cost-effective alternative to a manual penetration test. Vulnerability scans can be utilised effectively on a regular basis to assess a large number of systems for the most common and easily exploitable issues which many malicious attackers may try to take advantage of.

2. Why do I need a Vulnerability Scan?

A new set of emerging threats and vulnerabilities are continually changing the threat landscape which organisations need to safeguard themselves against. Vulnerability scanning can provide regular assessments against a wide array of existing and new threats to ensure your business can effectively manage their security posture in between more in depth manual assessments.

3. What can I have tested as part of a Vulnerability Scan?

Internal and External systems and services can be assessed as part of any vulnerability scan, with options for unauthenticated and authenticated assessments, allowing you to gain insight into an array of potential issues which may be present within your system from a range of authentication levels.

4. What will I receive after the Vulnerability Scan has completed?

The deliverable from any Vulnerability Scan is a complete report, detailing each identified vulnerability against your business and relaying the risks that each issue poses to your systems and services.

The report provides a complete description of what each identified issue is and specific remediation advice on how to address the issue.