PCI DSS

PCI DSS Penetration Testing: Obligations, Costs and How to Reduce the Perimeter

January 28, 2025 6 min read PCI Proxy EU

PCI DSS penetration testing is one of the most onerous obligations in terms of cost and preparation: a test on a medium-complexity CDE can cost between €5,000 and €20,000, must be performed at least once a year and must be conducted by a qualified independent party. For a merchant or SME wanting to control compliance costs, reducing the perimeter subject to pen testing is a strategic priority.

PCI DSS penetration testing: obligations and costs

When PCI DSS pen testing is mandatory and how often

Requirement 11.4 of PCI DSS v4.0 requires merchants to perform a penetration test at least once every 12 months and after any significant change to the infrastructure or applications in the CDE perimeter. "Significant change" includes adding new systems, changes to network topology, major updates to payment applications and changes to access controls.

The PCI DSS pen test must cover both the network level (network penetration test) and the application level (application penetration test), including web interfaces and exposed APIs. The tester must simulate attacks from both outside (external pen test) and from inside the network (internal pen test). Results must be documented, identified vulnerabilities must be resolved and remediation must be verified with a retest.

Penetration test vs vulnerability scan: they are not the same thing

A common mistake is confusing the penetration test with the vulnerability scan. The vulnerability scan is an automated process that identifies known vulnerabilities by comparing against CVE databases: it provides a list of potential issues but does not verify whether they are actually exploitable. PCI DSS requires quarterly vulnerability scanning by a certified ASV (Approved Scanning Vendor).

The penetration test is instead a manual activity conducted by a security expert who actively attempts to exploit identified vulnerabilities. It verifies not only whether a vulnerability exists, but whether it can be used to access card data or move laterally in the network. The two tools are complementary, not interchangeable, and PCI DSS requires both at different frequencies.

Less CDE, lower pen test costs

The cost of a penetration test is directly proportional to the size and complexity of the perimeter to be tested. Every system in the CDE must be included in the pen test scope: more systems mean more hours of work and a higher cost. A CDE comprising 10 servers, 3 databases, 2 web applications and a segmented network will cost many times more to test than a minimal CDE.

Tokenization reduces the CDE and, consequently, the pen test perimeter. If your servers never handle PANs, they do not need to be included in the PCI DSS pen test: the test focuses only on components managing tokens and communication interfaces with the PCI Proxy EU vault, which is already Level 1 certified. Annual savings on pen testing alone can exceed the cost of the tokenization solution.

Frequently asked questions

Can I use the same pen test report for PCI and other frameworks?

Partially. The PCI DSS pen test has specific scope, methodology and documentation requirements that must be explicitly addressed in the report. Some frameworks (like ISO 27001 or SOC 2) accept shared pen test reports if they cover the same areas, but the report must be customised for PCI requirements and include network segmentation verification, which is a PCI-specific element.

Does the cloud provider do the pen test for me?

No. The cloud provider (AWS, Azure, GCP) is responsible for the security of the physical infrastructure and cloud platform (shared responsibility model), not for the systems and applications the merchant deploys on that platform. The PCI DSS pen test must cover the merchant's systems and applications, even when they run in the cloud. Many providers require prior notification before pen tests are performed on their platform.

Does tokenization eliminate the pen test?

It does not eliminate the pen test, but it significantly reduces it. With a minimal CDE, the pen test focuses on the API interfaces with the vault and the residual access controls. The PCI Proxy EU vault is already PCI DSS Level 1 certified and undergoes its own independent pen testing: you do not need to include the vault infrastructure in your test scope.

Want to reduce the pen test perimeter and associated compliance costs? Discover PCI Proxy EU.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.

Tight scope, lower pen test invoice

With PCI Proxy EU tokenization, the CDE shrinks and annual pen test costs shrink with it.