PCI DSS Penetration Testing: When It's Mandatory and How Much It Costs

February 28, 2025 6 min read PCI Proxy EU

PCI DSS penetration testing is one of the most costly and often least understood obligations of the standard. Many merchants confuse pen testing with vulnerability scanning, underestimate costs or are unsure exactly when it is mandatory. Requirement 11.4 of PCI DSS v4 specifies precisely who must perform the pen test, how frequently and by what criteria. Reducing the perimeter to be tested through tokenization is the most effective lever for cutting the cost of this recurring obligation.

The pen test obligation in PCI DSS: requirements and frequency

PCI DSS requires penetration testing for merchants that have their own systems in their CDE (Cardholder Data Environment). It does not apply to merchants with SAQ A scope, who have no systems of their own touching card data. For all others, Requirement 11.4 of PCI DSS v4 establishes that the pen test must be performed at least once a year and after any significant change to the infrastructure or applications in the CDE perimeter. The requirement covers both the application layer (web applications) and the network layer (infrastructure), with a distinct testing approach for each.

The PCI DSS pen test must follow a recognised methodology (OWASP, PTES, NIST SP 800-115 or equivalent) and must include both tests from outside the perimeter (external pen test) and from inside it (internal pen test). It must also test the network segmentation controls, verifying that the CDE is effectively isolated from the rest of the corporate network. In PCI DSS v4 the requirements for documenting results and remediation plans have been strengthened: it is not sufficient to perform the test; you must also demonstrate that the critical vulnerabilities identified have been resolved within the prescribed timeframes.

How much does a PCI DSS pen test cost?

Costs of a PCI DSS pen test vary significantly based on infrastructure complexity and the number of systems in the perimeter. For a mid-sized merchant with a CDE including web servers, databases, back-office systems and network infrastructure, the typical cost of an annual pen test ranges from €8,000 to €30,000. For more complex infrastructure or merchants with custom applications, costs can be higher. Added to this are remediation costs for identified vulnerabilities and the cost of a verification pen test (retest) that many acquirers require after resolution of critical vulnerabilities.

The difference between pen testing and vulnerability scanning is fundamental to understanding costs. Vulnerability scanning is an automated process that identifies known vulnerabilities by comparing the detected software versions and configurations against vulnerability databases such as CVE. PCI DSS requires quarterly vulnerability scanning by an Approved Scanning Vendor (ASV), with costs starting from a few hundred euros per scan. The pen test is instead a manual activity conducted by security professionals who actively attempt to exploit the identified vulnerabilities in order to verify their real impact. It cannot be replaced by automated vulnerability scanning, even though the two activities complement each other.

Reducing pen test costs by reducing the perimeter

The cost of a PCI DSS pen test is directly proportional to the size and complexity of the perimeter to be tested. Every system in the CDE must be included in the pen test scope: more systems mean more hours of work and a higher cost. A CDE including 10 servers, 3 databases, 2 web applications and a segmented network will cost many times more to test than a minimal CDE.

Tokenization reduces the CDE and, consequently, the pen test perimeter. If your servers never handle PANs, they do not need to be included in the PCI DSS pen test: testing focuses only on the components managing tokens and the communication interfaces with the PCI Proxy EU vault, which is already Level 1 certified. Annual savings on pen testing alone can exceed the cost of the tokenization solution.
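The scope reduction above only holds if the servers really never see a PAN, so a practitioner will want a data-discovery check before relying on it. The following is an added example, not code from the original article or from PCI Proxy EU: it scans constructed sample log lines for 13-19 digit sequences that pass the Luhn check (the card-number checksum) and reports each hit masked to first six and last four digits, so that a leaked PAN can be located without copying it anywhere. Tokens that are not Luhn-valid, such as the constructed `tok_` value, are ignored; format-preserving tokens that pass Luhn would need an extra check against the vault's token list.

```python
import re
from typing import List, Tuple

# Candidate card number: 13-19 digits, optionally separated by spaces or
# dashes, not embedded in a longer digit run (e.g. a timestamp or hash).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only first six and last four digits, the PCI DSS display rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit sequence found in one line."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for each raw PAN in the lines."""
    return [(n, mask(p)) for n, line in enumerate(lines, 1) for p in find_pans(line)]


# Constructed sample log; 4111... and 5555... are the standard Visa/Mastercard
# test numbers, the tok_ value is a made-up token that fails Luhn.
SAMPLE_LOG = [
    "2025-02-28 10:14:02 order=1234567890123 status=paid",
    "2025-02-28 10:14:02 card=4111 1111 1111 1111 exp=12/27",
    "2025-02-28 10:15:11 token=tok_4111111111111112 vault=pciproxy",
    "2025-02-28 10:16:40 card=5555555555554444 refund",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: raw PAN found {masked}")
```

Any hit means the host stores or logs cardholder data and belongs in the CDE and the pen test scope, whatever the architecture diagram says.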

Frequently asked questions

Does a PCI pen test need to be done by a certified provider?

PCI DSS does not require the pen test to be performed by a provider certified by a specific body, unlike vulnerability scanning, which must be done by an approved ASV. PCI SSC requires the pen test to be performed by qualified and independent personnel (internal or external) with demonstrable offensive security skills. In practice, most acquirers and QSAs accept pen tests conducted by security firms whose staff hold recognised certifications such as OSCP or CEH, or that are CREST accredited. Check with your acquirer for specific requirements.

What happens if the pen test finds critical vulnerabilities?

If the pen test identifies critical vulnerabilities, the merchant must resolve them within the timeframes of their remediation plan and, typically, perform a verification pen test (retest) to confirm the vulnerabilities have been effectively corrected. PCI DSS v4 requires documentation of the remediation process. If critical vulnerabilities are not resolved, the merchant cannot attest PCI DSS compliance for that assessment cycle, which can result in remediation demands from the acquirer.

With a reduced CDE is the pen test really cheaper?

Yes, significantly. A pen test's cost depends on the number of systems, applications and network interfaces in the perimeter. A CDE reduced to a few systems (or eliminated) reduces the test cost proportionally. An SAQ A merchant has no CDE of their own and is not subject to the pen test requirement: the saving is 100% on this item. A merchant with a CDE reduced to 3-5 systems will pay 5-10 times less for a pen test than a merchant with a full CDE of 50 components.

A reduced perimeter means a faster, cheaper pen test and often no requirement at all: tokenization is the most efficient investment for reducing recurring PCI DSS compliance costs. Discover PCI Proxy EU.

PCI Proxy EU Team
