PCI DSS Security Testing Solutions

The Payment Card Industry Data Security Standard (PCI DSS) requires system components, processes and custom software to be tested frequently to ensure that security is maintained. Testing security controls is especially important after any change to the environment, such as deploying new software or changing system configurations.

Penetration testing and vulnerability scans

The differences between penetration testing and vulnerability scanning, as required by the PCI DSS, still cause confusion within the industry. The two requirements can be compared as follows:

Regularly test security systems and processes (PCI DSS Requirement 11)

What the standard requires

  Requirement 11.2 (vulnerability scanning):

  Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Address vulnerabilities and perform rescans as needed, until passing scans are achieved.

  After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans.

  Quarterly external scans must be performed by an Approved Scanning Vendor (ASV). Scans conducted after network changes, and internal scans, may be performed by internal staff.

  Requirement 11.3 (penetration testing):

  Develop and implement a methodology for penetration testing that includes external and internal penetration testing at least annually and after any significant upgrade or modification.

  If segmentation is used to reduce PCI DSS scope, perform penetration tests at least annually to verify that the segmentation methods are operational and effective.

  Service providers using segmentation must confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after making changes to these controls.

Purpose

  Requirement 11.2: Identify, rank and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system.

  Requirement 11.3: Establish whether and how a malicious attacker could gain unauthorised access to your systems, and determine whether the controls required by the PCI DSS are in place and effective.

Frequency

  Requirement 11.2: At least quarterly and after any significant change.

  Requirement 11.3: At least annually and after any significant change.

Risks reported

  Requirement 11.2: Potential risks posed by known vulnerabilities, ranked according to the NVD/CVSS base score associated with each vulnerability.

  Requirement 11.3: More specific risks that a vulnerability may pose, including how, and to what extent, it could actually be exploited.

Our solution

Powered by Comodo, our HackerGuardian scanning service performs highly accurate scanning of your externally facing systems, as required by the PCI DSS. Meet the penetration testing requirements of the PCI DSS with our comprehensive web application, infrastructure or wireless network penetration tests.

Why IT Governance for PCI DSS security testing?

IT Governance is a CREST-accredited provider of security testing services. Our range of testing services enables organisations of all sizes to manage cyber security risk effectively by identifying vulnerabilities that could expose infrastructure, applications, wireless networks and people to attack.

Choose IT Governance for penetration testing:

  • CREST-certified penetration testing.
  • Experienced across a diverse set of disciplines (web applications, servers, firewalls and Wi-Fi).
  • Testimonials from different industries and customers.
  • Sample reports available.

Speak to an expert

We have a team of account managers and security consultants ready to discuss your PCI DSS challenges. Get in touch with one of our specialists today for further information, or to get a tailored quote for your organisation.