PCI DSS Compliance Testing
Precursor Security provides CREST-accredited PCI DSS compliance testing for UK Level 1-4 merchants: annual penetration testing satisfying Requirement 11.3/11.4, quarterly ASV scanning under Requirement 11.2, network segmentation validation, PCI DSS v4.0.1 gap analysis, and SAQ validation to prevent QSA audit failures. Our testing team is 100% UK-based. Reports are formatted to satisfy QSA evidence requirements and are accepted by UK acquiring banks.
Any UK merchant storing, processing, or transmitting payment card data is subject to PCI DSS, and non-compliance carries a specific financial structure.
- Acquiring banks impose monthly non-compliance fees of £5,000–£100,000 (Merchant Level dependent).
- Card brands (Visa, Mastercard) levy penalties of up to £500,000 following a confirmed breach.
- Breach remediation costs run £200–£500 per compromised card record.
- Card processing suspension follows sustained non-compliance. For e-commerce businesses, that is a total revenue stop.
Your QSA needs evidence. Not a self-assessment.
SAQ self-certification addresses the checkbox. CREST-accredited technical testing produces the evidence that satisfies QSA auditors, acquiring banks, and card brands when compliance is actually challenged.
The Cost of PCI Non-Compliance
PCI DSS non-compliance fees and penalties carry a specific financial structure that escalates over time. A single month of acquiring bank fines typically exceeds an entire year of testing investment.
Non-Compliance Fee
Monthly acquiring bank fines begin immediately once a merchant is marked non-compliant and continue until compliance is demonstrated.
Card Brand Penalty
Visa and Mastercard penalties up to £500,000 following a confirmed breach in a non-compliant environment.
Annual Testing
Comprehensive annual assessment. Most organisations recover testing cost within the first month of avoided fees.
PCI DSS Compliance Testing: How Testing Eliminates Risk
Preventing acquiring bank fines, card brand penalties, and processing suspension through CREST-accredited technical testing against every applicable PCI DSS requirement.
CDE Penetration Testing
Annual penetration testing satisfying PCI DSS Requirement 11.3 and 11.4: validating network segmentation controls separating the Cardholder Data Environment (CDE) from other networks, attempting to bypass firewall rules and VLANs, testing for lateral movement paths into the CDE, and identifying vulnerabilities allowing unauthorised access to cardholder data. Testing covers both external attacker perspective (internet-facing CDE) and internal threat perspective (assumed breach within corporate network), satisfying Requirement 11.4.6 and 11.4.7 for service provider environments. Output includes a technical report formatted to satisfy QSA Requirement 11.4 evidence standards, with findings mapped to specific CDE components and remediation priorities.
Quarterly ASV Scanning
Quarterly PCI compliance scanning of external-facing CDE systems by our Approved Scanning Vendor (ASV) team, satisfying Requirement 11.2. Our ASV scanning service covers external IP ranges and internet-facing components within your CDE scope, providing CVSS-scored vulnerability reports against the PCI DSS clean scan threshold. Critically, we do not stop at the scan result: we triage flagged vulnerabilities by PCI DSS compliance impact, identify false positives eligible for dispute, and provide prioritised remediation guidance to achieve a clean scan attestation within your required timeframe.
Access Control & MFA Testing
Testing PCI DSS access control requirements: validating multi-factor authentication for remote access to CDE (Requirement 8.3), testing password policies and complexity (Requirement 8.2), identifying excessive user privileges violating least privilege (Requirement 7), and testing authentication bypass vulnerabilities in payment applications.
Network Segmentation Validation
Attempting to access CDE from out-of-scope networks: testing firewall rules for bypasses, attempting VLAN hopping attacks, identifying misconfigured routing allowing unauthorised access, testing wireless network isolation, and validating that application-layer controls prevent CDE access. Failed segmentation means the entire network is in-scope for PCI DSS, significantly expanding compliance burden. Our segmentation testing reports are formatted to satisfy QSA evidence requirements under Requirement 11.3.
Compliance Gap Analysis
Comprehensive assessment against PCI DSS v4.0.1 requirements: evaluating all 12 requirements and their sub-requirements, identifying compliance gaps, testing customized approach implementations, and providing a detailed compliance roadmap. We validate logging and monitoring (Requirement 10), incident response procedures (Requirement 12), and security awareness programmes through documentation review and technical testing.
Engagement Workflow
Structured to minimise operational friction and maximise the value of the testing window.
CDE Scoping & Discovery
Defining cardholder data environment scope: identifying all systems storing, processing, or transmitting cardholder data, mapping payment card data flows, documenting network segmentation architecture, and understanding connected-to and security-impacting systems. We have scoped CDE environments for UK Level 1 retailers, payment processors, and hospitality groups, and we regularly identify systems initially excluded from scope that are in fact connected-to or security-impacting systems requiring inclusion under PCI DSS v4.0.1.
PCI DSS Technical Testing
Comprehensive technical assessment: penetration testing to validate segmentation (Requirement 11.3), vulnerability scanning of CDE systems (Requirement 11.2), testing encryption implementations (Requirements 3 and 4), validating access controls and MFA (Requirements 7 and 8), and testing wireless security where applicable (Requirement 2). Testing covers both external attacker perspective (internet-facing CDE) and internal threat perspective (assumed breach within corporate network), satisfying Requirement 11.4.6 and 11.4.7 for service provider environments.
Compliance Validation & Gap Analysis
Assessing compliance with all PCI DSS requirements: reviewing security policies and procedures (Requirement 12), validating vendor management processes (Requirement 12.8), testing incident response capabilities (Requirement 12.10), and evaluating security awareness training programs. We identify gaps between current state and PCI DSS v4.0.1 requirements.
Reporting & Remediation Roadmap
Detailed PCI DSS compliance report: technical findings from penetration testing and vulnerability scanning, compliance gap analysis mapped to specific PCI DSS requirements, prioritised remediation roadmap with timelines, and support for QSA assessment preparation. We provide evidence documentation and Attestation of Compliance (AOC) support for Level 1-4 merchants. Our reports are structured to meet QSA evidence requirements under PCI DSS v4.0.1.
PCI DSS Testing Pricing
PCI DSS compliance testing cost depends on your merchant level and CDE complexity. All engagements are fixed-price, quoted after a free scoping call, with no hidden day rates.
Level 3-4 Merchants
SAQ-eligible, lower transaction volumes
Annual pen testing, ASV scanning, segmentation validation, gap analysis
per year
Level 2 Merchants
SAQ or QSA-validated, 1-6M transactions
Full assessment plus formal gap analysis for acquiring bank submission
per year
Level 1 Merchants
Mandatory RoC by QSA, 6M+ transactions
Comprehensive technical evidence package supporting QSA assessment
per year
Compare to monthly non-compliance fees of £5,000-£100,000. Most organisations recover testing cost within the first month of avoided fees.
Beyond Compliance. Close the Loop.
PCI DSS Requirements 6 and 11.3 mandate penetration testing and web application security assessment. Our CREST-accredited testers deliver Requirement 11.3-compliant testing, and our 24/7 Managed SOC continuously monitors your CDE between annual assessments.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
Ready to eliminate your PCI compliance gap?
Book a free scoping call. We confirm your merchant level and CDE scope, identify which testing requirements apply, and provide a fixed-price quote. No obligation. No day-rate surprises.
PCI DSS Compliance Testing: Common Questions
Pricing, merchant levels, testing requirements, and how our compliance testing compares to SAQ self-assessment.
Self-Assessment Questionnaires (SAQs) allow eligible merchants (typically Level 3-4 merchants processing under 1 million Visa transactions annually) to self-certify PCI compliance without external audit, but they create significant risks that external testing mitigates.

SAQ Eligibility Misclassification: Many merchants incorrectly claim SAQ eligibility when a QSA (Qualified Security Assessor) audit is required. Common misclassifications include underestimating transaction volume (failing to aggregate across multiple merchant IDs, subsidiaries, or brands), claiming SAQ-A (e-commerce fully outsourced to a third party) while storing cardholder data for recurring billing, using SAQ-B (imprint machines) for modern payment terminals that are actually in scope, and claiming SAQ-C (payment application on the merchant network) while the CDE lacks the segmentation that would otherwise require SAQ-D. Misclassification discovered during an acquiring bank audit results in immediate non-compliance status, £5K-£50K monthly penalties backdated to the misclassification date, and a mandatory QSA assessment (£15K-£50K cost). External testing validates SAQ eligibility, preventing costly reclassification.

Unvalidated Compliance Claims Creating Audit Risk: SAQs rely on the merchant's own assessment of technical controls (segmentation, encryption, access controls) without external validation. Acquiring banks increasingly mandate spot-check QSA audits or penetration testing for Level 2-3 merchants to validate SAQ claims, particularly after industry breaches. Failed spot-check audits reveal gaps in self-assessed controls (weak segmentation, unpatched systems, excessive privileges), and audit failures trigger immediate non-compliance status with £10K-£50K monthly penalties until remediation is completed, plus a mandatory full QSA audit.

Requirement 11.3 Penetration Testing Ambiguity: PCI DSS Requirement 11.3 mandates annual penetration testing, but SAQ guidance creates confusion about applicability. SAQ-A/A-EP (fully outsourced processing): penetration testing is not required for merchant infrastructure, but the merchant must validate the service provider's testing compliance. SAQ-B/B-IP/C-VT (standalone terminals, virtual terminals): penetration testing is required if the CDE is segmented from the corporate network. SAQ-C/D (payment applications, full CDE): penetration testing is mandatory for segmentation validation. Many SAQ-C/D merchants skip penetration testing, assuming SAQ attestation suffices, creating a compliance gap that is discovered during audit.

Penalty Avoidance ROI: External testing cost is £5K-£15K for a Level 3-4 merchant (comprehensive penetration testing, ASV scanning, segmentation validation, gap analysis). Risk avoided: £5K-£10K monthly non-compliance penalties if an acquiring bank audit fails SAQ validation (£60K-£120K annually), £50K-£500K card brand fines if a breach occurs in an SAQ-compliant environment due to ineffective controls, and the business continuity risk of processing suspension.
PCI DSS compliance testing is the independent technical assessment of security controls protecting cardholder data environments (CDE), required by the Payment Card Industry Data Security Standard for any organisation that stores, processes, or transmits payment card data. Required testing includes: annual penetration testing of CDE segmentation under Requirement 11.3/11.4, quarterly external vulnerability scanning by an Approved Scanning Vendor (ASV) under Requirement 11.2, and validation of access controls, encryption, and network segmentation controls. UK merchants failing compliance testing face acquiring bank non-compliance fees of £5,000-£100,000 per month, card brand penalties of up to £500,000 following a breach, and potential card processing suspension. Precursor Security provides CREST-accredited PCI DSS compliance testing for Level 1-4 merchants across the UK.
Any organisation storing, processing, or transmitting payment card data must comply with PCI DSS: merchants (e-commerce sites, retail stores, restaurants), payment processors and gateways, payment service providers, and hosting providers with CDE access. Compliance level (1-4) depends on annual transaction volume. All levels require vulnerability scanning; Level 1 merchants require annual penetration testing. Fully outsourcing card processing to a third-party payment service provider (PSP) reduces but does not eliminate your PCI DSS obligations. SAQ-A applies only if you use a fully outsourced, PCI DSS-compliant payment page and store no cardholder data. If your checkout redirects to a third-party page but your server executes any part of the payment flow, you fall under SAQ-A-EP or higher, requiring penetration testing. We confirm your actual scope before testing begins.
Requirement 11.3 mandates annual penetration testing of CDE and segmentation controls. Testing includes: network layer testing (firewall rule validation, VLAN segmentation), application layer testing (web app and payment application vulnerabilities), attempting to access cardholder data from untrusted networks, and validating that segmentation prevents lateral movement into CDE. Testing must follow the PCI DSS-defined penetration testing methodology, covering both external attacker and internal threat perspectives. PCI DSS v4.0.1 also introduced Requirement 11.4 enhancements including Requirement 11.4.7 for service providers, requiring penetration testing to include multi-tenant separation validation. A test carried out before your current QSA assessment period does not satisfy the requirement for the new period.
ASV (Approved Scanning Vendor) scanning is quarterly automated vulnerability scanning of external-facing CDE systems to identify known CVEs and misconfigurations (Requirement 11.2). Penetration testing is annual manual testing attempting to exploit vulnerabilities and bypass segmentation (Requirement 11.3). ASV scanning is continuous monitoring; penetration testing validates real-world exploitability and segmentation effectiveness. Most Approved Scanning Vendors provide scan results without remediation support, leaving your team to interpret CVSS scores and prioritise fixes without PCI DSS context. Our ASV service includes guided remediation: we triage flagged vulnerabilities by PCI DSS impact, identify false positives eligible for dispute with supporting documentation, and provide fix-first guidance to achieve a clean scan within your 30-90 day remediation window.
We test segmentation by attempting to access CDE from out-of-scope networks: testing firewall rules for bypasses, attempting VLAN hopping attacks, identifying misconfigured routing allowing unauthorised access, testing wireless network isolation, and validating that application-layer controls prevent CDE access. Failed segmentation means the entire network is in-scope for PCI DSS, significantly expanding compliance burden. We also perform internal network segmentation testing from an assumed-breach position to validate that lateral movement into the CDE is blocked. Our segmentation testing reports are formatted to satisfy QSA evidence requirements under Requirement 11.3.
Yes. PCI DSS v4.0.1 is now the current standard, with all organisations required to be fully compliant. We provide comprehensive PCI DSS v4.0.1 compliance support: gap analysis against current requirements, technical testing validating new requirements (customized approach implementations, enhanced MFA), penetration testing satisfying Requirement 11.3/11.4, ASV vulnerability scanning (Requirement 11.2), and compliance roadmaps for maintaining ongoing PCI DSS v4.0.1 compliance. Our reports reference v4.0.1 requirements by number throughout, ensuring your QSA has the evidence documentation they need.
You receive: comprehensive PCI DSS technical assessment report with findings mapped to specific requirements, penetration testing report (Requirement 11.3 evidence), ASV scan results (Requirement 11.2 evidence), compliance gap analysis against PCI DSS v4.0.1, prioritised remediation roadmap with timelines, and documentation supporting QSA assessment. We provide evidence packages suitable for submission to acquiring banks and card brands. Our reports are structured to meet QSA evidence requirements and have been accepted by UK acquiring bank compliance teams.
PCI DSS non-compliance fees are levied by acquiring banks (the bank that processes your card payments) and card brands (Visa, Mastercard) rather than by a single central authority, which is why the amounts vary and are often poorly understood.

Acquiring bank non-compliance fees: Monthly fees typically ranging from £5,000 (smaller Level 3-4 merchants) to £100,000 per month (Level 1 merchants or those with elevated breach risk). These fees begin when your acquiring bank marks you as non-compliant following a failed ASV scan, overdue penetration test, or declined RoC submission, and continue monthly until compliance is demonstrated. Some acquiring banks apply a graduated structure: lower fees initially, escalating if compliance is not restored within 90 days.

Card brand non-compliance charges: Visa and Mastercard operate separate compliance programmes. Following a confirmed data breach in a non-compliant environment, card brand penalties range from £50,000 to £500,000 depending on the volume of compromised records and whether the merchant had active compliance at the time of the breach. These are separate from acquiring bank fees and can apply simultaneously.

Processing suspension: Sustained non-compliance (typically 6-12 months of unresolved non-compliance status) can result in your acquiring bank suspending or terminating your card processing agreement. For e-commerce businesses, this is an immediate revenue stop.

A PCI DSS compliance testing investment of £5,000-£25,000 annually eliminates monthly non-compliance fee exposure and the more severe breach penalty risk. Most organisations recover testing cost within the first month of avoided fees.
PCI DSS compliance testing cost in the UK depends primarily on your merchant level and the scope of services required.

Level 3-4 merchants (SAQ-eligible, lower transaction volumes): £5,000-£12,000 for a comprehensive annual assessment including penetration testing, ASV scanning, segmentation validation, and gap analysis documentation.

Level 2 merchants (SAQ or QSA-validated): £10,000-£20,000 depending on CDE complexity, number of external IP ranges, and whether a formal gap analysis report is required for acquiring bank submission.

Level 1 merchants (mandatory RoC by QSA): Penetration testing and ASV scanning as standalone technical components are £15,000-£25,000 annually. The QSA engagement itself (not our service) adds £20,000-£60,000 depending on the QSA firm. We provide the technical testing evidence that supports the QSA's assessment.

These figures cover external and internal penetration testing of the CDE, quarterly ASV scanning (four scan cycles), network segmentation validation, and a compliance evidence package formatted for QSA submission. Our scoping call establishes your exact requirement before any commercial commitment. Compare testing cost to the alternative: a single month of acquiring bank non-compliance fees (£5,000-£100,000) typically exceeds an entire year of compliance testing investment.
PCI DSS merchant levels are determined by annual payment card transaction volume and govern the validation method and testing requirements for compliance.

Level 1 (over 6 million Visa or Mastercard transactions annually, or any merchant that has suffered a breach): Mandatory annual Report on Compliance (RoC) conducted by a Qualified Security Assessor (QSA). Requires annual penetration testing (Requirement 11.3/11.4), quarterly ASV scanning (Requirement 11.2), and quarterly internal vulnerability scans. Compliance is validated externally; self-assessment is not permitted.

Level 2 (1-6 million transactions annually): Annual Self-Assessment Questionnaire (SAQ) or QSA-conducted RoC (at acquiring bank discretion). Penetration testing typically required for SAQ-D merchants or those with a segmented CDE. Quarterly ASV scanning required.

Level 3 (20,000-1 million e-commerce transactions annually): Annual SAQ and quarterly ASV scanning. Penetration testing required if the CDE is segmented from the corporate network (common for SAQ-C and SAQ-D merchants).

Level 4 (fewer than 20,000 e-commerce transactions, or up to 1 million other transactions annually): Annual SAQ and quarterly ASV scanning. Testing requirements vary by SAQ type. Many Level 4 merchants underestimate their obligations, particularly those using payment applications (SAQ-C) with network segmentation claims.

Transaction volumes are aggregated across all merchant IDs, subsidiaries, and brands under a single organisation. Acquiring banks increasingly audit transaction counting methodology, and reclassification from Level 2 to Level 1 requires immediate transition to RoC-based compliance. We help organisations confirm their correct merchant level as part of the initial scoping process.
PCI DSS Requirement 11.4 mandates penetration testing at least annually and after any significant infrastructure or application change.

Annual requirement: At minimum, a full penetration test of the CDE and its segmentation controls must be completed within each 12-month assessment period. The test must cover both external (internet-facing) and internal (within the network perimeter) perspectives.

After significant changes: If you deploy new payment systems, reconfigure network segmentation, migrate to a new hosting provider, add new payment channels, or make significant changes to your CDE architecture, penetration testing is required before returning to production, regardless of where you are in the annual cycle.

PCI DSS v4.0.1 change: Requirement 11.4.7 for service providers specifically requires penetration testing to include multi-tenant separation validation. If you are a payment service provider or hosting provider, this adds scope to your testing requirement.

Testing performed outside your current QSA assessment period does not carry forward. If your last test was completed 14 months ago, even if it was thorough and you have not changed your infrastructure, you are overdue and technically out of compliance with Requirement 11.4. We regularly see this as an undetected compliance gap during scoping calls.
A PCI DSS audit is the formal review of an organisation's compliance with the Payment Card Industry Data Security Standard, conducted to validate that the security controls protecting cardholder data meet the required standard. The audit process differs by merchant level.

For Level 1 merchants, a PCI DSS audit is a formal Report on Compliance (RoC) conducted by a Qualified Security Assessor (QSA), an independent firm accredited by the PCI SSC. The QSA reviews documentation, interviews staff, and validates technical controls against all 12 PCI DSS requirements. The RoC is submitted to the acquiring bank annually.

For Level 2-4 merchants, the audit is typically a Self-Assessment Questionnaire (SAQ) completed internally and submitted to the acquiring bank. However, acquiring banks may conduct spot-check audits, particularly following industry breach events, that require external technical validation of SAQ claims.

Technical testing (penetration testing, ASV scanning) is a component of the audit rather than the audit itself. The penetration testing report and ASV scan results are evidence documents that a QSA reviews or that a merchant submits alongside their SAQ to demonstrate compliance with Requirements 11.2 and 11.4.

Precursor Security provides the technical testing evidence required for PCI DSS audits: penetration testing reports, ASV scan results, segmentation validation documentation, and gap analysis against PCI DSS v4.0.1. We do not act as a QSA but work alongside QSA firms and have produced evidence accepted by major UK acquiring banks.