
PCI DSS Penetration Testing & Audit Readiness Assessment
If your QSA review is scheduled in the next two to three months, you already know whether you need a penetration test: PCI DSS mandates one. What you need now is a test that produces evidence meeting Requirement 11.4 of PCI DSS v4.0: properly scoped, methodology-documented, and formatted so your assessor doesn’t have to ask follow-up questions.
Generic security engagements don’t produce that. A compliance-scoped assessment does.
Pentest Testing Corp delivers PCI DSS penetration testing and audit readiness assessments built around QSA submission. Every engagement produces a structured evidence package: scoped CDE mapping, a pentest report with requirement-mapped findings, segmentation validation results, compensating controls documentation where needed, and a remediation roadmap your team can close against before the audit window ends.
Trusted by 257+ organizations across 30+ countries. Our team holds the API Security for PCI Compliance credential along with eight professional certifications spanning ethical hacking, network security, and information security management.
PCI DSS readiness assessments start at $6,500. Pricing depends on CDE scope, segmentation complexity, payment flows, and required documentation depth.
What PCI DSS Actually Requires From Security Testing
PCI DSS v4.0 Requirement 11.4 mandates penetration testing, both external (11.4.3) and internal (11.4.2), against your cardholder data environment at least once every 12 months and after any significant infrastructure or application change. The testing must follow a documented methodology (11.4.1), cover the full CDE perimeter plus any system that could impact CDE security if compromised, include both network-layer and application-layer testing, and produce findings that are either corrected and retested before the audit (11.4.4) or covered by formally documented compensating controls.
If your organization uses network segmentation to reduce CDE scope, that segmentation must be tested and validated separately under Requirement 11.4.5 (at least every 12 months; every six months for service providers under 11.4.6). This is a standalone requirement that auditors check specifically, and one that frequently surfaces as a gap in organizations that assume their firewall architecture is sufficient without explicit validation results.
The QSA will need a report from a tester who is qualified and organizationally independent of the systems under test; a third-party firm satisfies this most cleanly. Findings in that report must be mapped to PCI DSS requirements, and the report must demonstrate that identified vulnerabilities were addressed, not simply identified. How they were addressed (remediation with retest, or compensating control) must be documented.
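Segmentation validation is the part of this requirement most often delivered as a diagram rather than as test results. The following Python script is an added illustration, not Pentest Testing Corp’s tooling: it runs TCP reachability probes from an out-of-scope segment against a list of CDE services, records PASS where the path is blocked as the architecture claims and FAIL where a CDE service answers, and produces the per-target table a QSA expects. The hostnames, ports and labels are constructed; the self-contained demo substitutes two loopback ports (one listening, one closed) for real CDE hosts so it runs offline.

```python
"""Segmentation validation probe (added example; hosts, ports and labels are constructed).

Run this from each out-of-scope network segment. A target is expected to be
unreachable unless the approved architecture documents a path to it; any
reachable CDE service that is not on the approved list is a FAIL finding.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Target:
    label: str               # e.g. "cde-db-01:5432" (constructed for the demo)
    host: str
    port: int
    expect_reachable: bool   # True only for documented, approved paths


@dataclass(frozen=True)
class ProbeResult:
    target: Target
    reachable: bool

    @property
    def verdict(self) -> str:
        # PASS means observed reachability matches the documented architecture.
        return "PASS" if self.reachable == self.target.expect_reachable else "FAIL"


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes. Refused (RST) and timed-out connections both
    count as unreachable here; in a real engagement log them separately, because an RST
    proves a host answered and may itself indicate an incomplete segmentation rule."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def run_segmentation_test(targets: Iterable[Target],
                          probe: Callable[[str, int], bool] = tcp_reachable) -> List[ProbeResult]:
    """Probe every target; the probe is injectable so results can be replayed or unit-tested."""
    return [ProbeResult(t, probe(t.host, t.port)) for t in targets]


def summarize(results: Iterable[ProbeResult]) -> dict:
    results = list(results)
    failures = [r for r in results if r.verdict == "FAIL"]
    return {"pass": len(results) - len(failures),
            "fail": len(failures),
            "failures": [r.target.label for r in failures]}


def render(results: Iterable[ProbeResult]) -> str:
    """Plain-text evidence table: one row per target with expected vs. observed state."""
    rows = ["label | host:port | expected | observed | verdict"]
    for r in results:
        rows.append(f"{r.target.label} | {r.target.host}:{r.target.port} | "
                    f"{'reachable' if r.target.expect_reachable else 'blocked'} | "
                    f"{'reachable' if r.reachable else 'blocked'} | {r.verdict}")
    return "\n".join(rows)


def run_demo() -> List[ProbeResult]:
    """Offline demo on loopback: a listening socket stands in for a CDE service wrongly
    exposed to the out-of-scope segment; a closed port stands in for a correctly blocked one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    exposed_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    blocked_port = tmp.getsockname()[1]
    tmp.close()  # released, so a connection attempt is refused

    targets = [
        Target("cde-db-01:5432", "127.0.0.1", exposed_port, expect_reachable=False),
        Target("cde-app-01:8443", "127.0.0.1", blocked_port, expect_reachable=False),
    ]
    try:
        return run_segmentation_test(targets)
    finally:
        listener.close()


if __name__ == "__main__":
    demo = run_demo()
    print(render(demo))
    print(summarize(demo))
```

In an engagement the target list is every CDE host and service port, the script is run once per out-of-scope segment (and once from each segment that is supposed to have only a restricted path), and the rendered table for each run goes into the segmentation results section of the report. TCP probes alone do not prove segmentation; UDP and ICMP paths and any application-layer brokers between segments need their own checks.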
Why a Vulnerability Scanner Won’t Satisfy Requirement 11.3
ASV-approved quarterly scans satisfy Requirement 11.3.2 (external vulnerability scanning), and internal scans satisfy 11.3.1. Neither satisfies Requirement 11.4 (penetration testing). These are separate requirements with separate evidence expectations, and QSAs are experienced at distinguishing between them.
The difference is substantive. A scanner identifies known signatures and misconfigurations against a static ruleset. A penetration test demonstrates whether a real attacker could chain those findings to reach cardholder data. PCI DSS v4.0 explicitly requires “testing the ability of an attacker to exploit vulnerabilities”; that demands manual exploitation, chained attack paths, and tester judgment that automated tools cannot provide.
Submitting scan results in place of a pentest report creates a compliance finding. More practically, it leaves your organization unaware of the real attack surface your QSA is about to scrutinize.
See our web app penetration testing services and API penetration testing for methodology detail.
What Your QSA Will Look For in the Evidence Package
Assessors reviewing penetration testing evidence check five things consistently.
Tester qualification
The tester must be qualified and organizationally independent of the systems being tested (PCI DSS does not require a QSA or ASV for this). Internal security staff qualify only if they have no role in building or operating the in-scope systems, which in practice rules out most in-house teams regardless of their certifications. A third-party firm with no operational relationship to your payment environment does qualify.
Methodology documentation
The report must reference a recognized testing framework, such as NIST SP 800-115, PTES, OWASP, or equivalent. Results presented without methodology context are a recurring QSA finding.
Scope completeness
Every system in your CDE, plus systems that could affect CDE security if compromised, must be included. Scope gaps are audit findings, not administrative oversights.
Remediation evidence
Findings can’t simply be listed. The report must show that vulnerabilities were resolved before the audit or that compensating controls are formally documented per PCI DSS Appendix B.
Segmentation validation
If segmentation is your scope-reduction strategy, your QSA needs explicit test results confirming it holds, not a network diagram showing it was intended.
Your PCI DSS Audit Evidence Pack: What You Receive
Every engagement produces a QSA-ready documentation package covering the complete evidence trail your assessor requires. Nothing in this list is generic; each artifact is formatted for direct use in the audit process.
Scoped CDE Network Diagram
A network-layer diagram mapping your CDE boundary, in-scope systems, payment data flows, and segmentation points. Reviewable by your QSA without additional explanation from your team.
External and Internal Penetration Test Report
Full methodology documentation, attack narratives, findings mapped to PCI DSS v4.0 requirement numbers (11.4.1 through 11.4.5 for penetration testing and segmentation validation, plus the requirement each weakness violates), CVSS scores, and per-finding remediation guidance. Written for QSA submission, not internal tracking. View our sample penetration testing report to see the format and finding structure.
Network Segmentation Test Results
Explicit validation of segmentation controls with documented test methodology and pass/fail results. Delivered as a standalone section or supplementary report depending on architectural complexity.
ASV Scan Cross-Reference
We review your quarterly scan results against pentest findings to identify and close discrepancies before your QSA does.
Compensating Controls Documentation
Where a finding can’t be fully remediated before your audit window, we produce formal compensating controls language aligned with PCI DSS Appendix B, using the Appendix C worksheet format your QSA expects. This keeps open findings from becoming audit blockers.
Prioritized Remediation Roadmap
Finding-level closure plan with severity, owner placeholder, and target dates built against your specific audit timeline. Not a generic risk register. Full remediation support is covered on our PCI DSS remediation services page.
Executive Summary
Non-technical summary suitable for board-level review and QSA pre-briefing. Appropriate for inclusion in your SAQ or ROC documentation package.
Deliverables are provided in PDF format. CSV export of the findings table is available on request.
Engagement Timeline
For most card-processing environments, the full engagement, from kickoff to evidence pack delivery, runs four to six weeks.
- Week 1: Scope confirmation call, CDE boundary mapping, asset inventory review, rules of engagement documentation, and methodology agreement in writing.
- Weeks 2–3: Active testing: external perimeter, internal network, web and API application layer, and segmentation validation. Testing is manual-led with tool-assisted enumeration, consistent with PCI DSS Requirement 11.4 and the PCI SSC Penetration Testing Guidance.
- Week 4: Report drafting, internal QA review, and a findings walkthrough call with your team.
- Week 5: Remediation window: your team closes critical and high findings; we provide advisory guidance and can verify fixes on request.
- Week 6: Final evidence pack delivery, formatted for QSA submission.
Organizations engaging eight to twelve weeks before their QSA review have time to remediate all critical and high findings, have the fixes retested, and present a clean package. Six weeks is workable for smaller CDEs. Less than four weeks means active findings will likely still be open at submission time; that is manageable with proper compensating controls documentation, but not ideal.
If your audit is imminent, tell us upfront and we’ll scope an expedited engagement.
Pricing
Pricing scales with CDE complexity, number of in-scope applications, segmentation architecture, and required documentation depth. All engagements include a fixed-price quote confirmed before work begins. Full detail on our pricing page.
| Tier | Starting Price | Best For | Key Inclusions |
|---|---|---|---|
| PCI Scoping Sprint | From $4,500 | CDE not yet mapped; no active QSA timeline | Payment flow analysis · Scope boundary definition · Gap inventory (no active testing) |
| Starter | From $6,500 | Initial gap assessment; 3–6 months from audit | CDE scope review · Gap assessment · Remediation roadmap · QSA evidence checklist |
| Professional | From $11,000 | Active pentest required; QSA within 8–12 weeks | Everything in Starter + Active pentest · Segmentation validation · Hardening review · Validation call |
| Enterprise | From $18,000 | Level 1 merchants; multi-vendor CDEs | Everything in Professional + Stakeholder audit support · Assigned-owner remediation roadmap |
Tell us where you are in your PCI DSS cycle
Whether you are approaching a QSA review, closing a mid-cycle gap, or starting initial CDE scoping, we’ll confirm what’s in scope, what your evidence package needs to contain, and provide a fixed-price quote within 48 hours.