PCI 11.3 Penetration Testing

What is a PCI DSS 11.3 Penetration Test?

Under PCI DSS Requirement 11.3, a penetration test of your Cardholder Data Environment (CDE) and all systems and networks connected to it is required.

A penetration test is designed to evaluate your organisation's security posture and ultimately to fortify your business. Through the identification and exploitation of vulnerabilities, it determines whether unauthorised access or other malicious activity is possible.

Why Conduct a PCI 11.3 Penetration Test?

PCI DSS Requirement 11.3 addresses penetration testing, which differs from the external and internal vulnerability assessment requirements of PCI DSS Requirement 11.2.

For any organisation which stores or processes cardholder data, a penetration test is required to ensure the security of your systems is safeguarded against a malicious attacker attempting to gain access to this sensitive information.

Our Approach

Under PCI DSS Requirement 11.3, the scope of work for a penetration test includes all locations of cardholder data, all key applications that store, process, or transmit cardholder data, all key network connections, and all key access points.

Our penetration testers will work with you to ensure each of your systems required for assessment is thoroughly tested, and that you are provided with a detailed analysis of the test.

Our penetration testers use a combination of the most effective automated tools and manual exploitation techniques to identify vulnerabilities in each of your assets. An extensive report provides a thorough description of each identified vulnerability, with business context alongside each issue.

This is supplemented by technical and non-technical descriptions, including evidence of exploitation, to assist in prompt remediation and to provide a thorough understanding of each issue.

Key Benefits

A PCI DSS 11.3 Penetration Test will allow your organisation to:

  • Understand the risks that exist across your estate and can affect your Cardholder Data Environment.

  • Make ongoing improvements to your security posture via specialist support, advice and consultancy.

  • Adhere to PCI DSS Requirement 11.3 to conduct penetration testing against your CDE and connected systems and networks.

  • Gain access to a dedicated team of specialist CREST Registered penetration testers who use the latest tools and techniques to accurately assess and identify emerging threats.


Q: Why do I need a Penetration test for PCI DSS?

Penetration testing is a requirement under PCI DSS Requirement 11.3, and should include attempts to identify and exploit vulnerabilities with the aim of determining whether unauthorised access to your Cardholder Data Environment is possible.

Q: What is the scope for a PCI DSS 11.3 Penetration Test?

A PCI DSS 11.3 Penetration Test should include the cardholder data environment and all systems and networks connected to it.

The assessment should include all locations of cardholder data, all key applications that store, process, or transmit cardholder data, all key network connections, and all key access points.

The exact scope will inevitably vary for each organisation; if you have any queries regarding an assessment, please get in touch.

Q: What will I receive after the test has been completed?

The deliverable from any PCI DSS 11.3 Penetration Test is a complete report, detailing and contextualising each identified vulnerability against your business and relaying the risks that each issue poses to your systems and services.

The report provides a complete description of each identified issue, specific remediation advice on how to address it, and detailed evidence, wherever necessary, to verify the issue's impact.

Ready to secure your business?