Do I Need a Penetration Test?

Do I Need a Penetration Test? A Beginner’s Guide to PCI DSS Testing Requirements

Introduction

If you’re asking “do I need a penetration test for PCI compliance?” you’re not alone. This is one of the most common questions businesses face when starting their Payment Card Industry (PCI) compliance journey. The answer isn’t always straightforward, but this guide will help you understand exactly when penetration testing is required and what it means for your business.

What You’ll Learn

In this guide, we’ll cover:

  • What penetration testing actually is (in plain English)
  • Which businesses need penetration testing for PCI compliance
  • When you can skip penetration testing
  • How to prepare for and manage the testing process
  • Common mistakes to avoid

Why This Matters

If your business accepts, processes, stores, or transmits credit card information, PCI compliance isn’t optional—it’s mandatory. Penetration testing might be one of your requirements, and understanding whether you need it can save you thousands of dollars and countless hours of confusion.

Who This Guide Is For

This guide is perfect for:

  • Small business owners accepting credit cards
  • IT managers new to PCI compliance
  • Anyone confused about penetration testing requirements
  • Business leaders wanting to understand their compliance obligations

The Basics

What Is Penetration Testing?

Think of penetration testing (often called “pen testing”) as a friendly burglar test. You hire ethical hackers to try breaking into your systems—but instead of stealing anything, they write a report showing you where your security weaknesses are. It’s like having someone test all your doors and windows before real criminals find the weak spots.

Key Terminology Made Simple

Penetration Test: A simulated cyber attack on your systems to find security vulnerabilities

External Testing: Testing your internet-facing systems (like your website)

Internal Testing: Testing systems inside your network

Segmentation Testing: Verifying that your card data environment is properly separated from other systems

PCI DSS: Payment Card Industry Data Security Standard—the rules you must follow to accept credit cards

How It Relates to Your Business

Your need for penetration testing depends on three main factors:
1. How many transactions you process annually
2. How you process card payments
3. Your specific merchant level

Different businesses have different requirements, and understanding where you fit is crucial for determining your testing needs.

Why It Matters

Business Implications

Penetration testing isn’t just a checkbox exercise. It provides real value by:

  • Identifying security weaknesses before criminals do
  • Protecting your customers’ sensitive data
  • Maintaining your ability to accept credit cards
  • Building trust with your customers
  • Potentially lowering cyber insurance premiums

Risk of Non-Compliance

Skipping required penetration testing can lead to:

  • Fines from $5,000 to $100,000 per month
  • Loss of credit card processing privileges
  • Liability for fraudulent transactions
  • Damage to your business reputation
  • Increased transaction fees

Benefits of Compliance

When you complete required penetration testing, you:

  • Demonstrate commitment to security
  • Often discover vulnerabilities you didn’t know existed
  • Gain valuable insights into your security posture
  • Meet compliance requirements with confidence
  • Sleep better knowing your systems are tested

Step-by-Step Guide

Step 1: Determine Your Merchant Level

Your merchant level depends on your annual transaction volume:

  • Level 1: Over 6 million transactions annually
  • Level 2: 1 to 6 million transactions annually
  • Level 3: 20,000 to 1 million transactions annually
  • Level 4: Fewer than 20,000 transactions annually

Step 2: Identify Your SAQ Type

Your Self-Assessment Questionnaire (SAQ) type determines your testing requirements:

  • SAQ A: Card-not-present merchants that fully outsource payment processing
  • SAQ A-EP: E-commerce merchants that partially outsource payment processing
  • SAQ B: Imprint machines or standalone terminals only
  • SAQ B-IP: Standalone IP-connected terminals
  • SAQ C: Payment application systems connected to the internet
  • SAQ D: All other merchants

Step 3: Check Your Testing Requirements

Here’s when you need penetration testing:

  • Always required: SAQ D merchants and all Level 1 merchants
  • Sometimes required: Based on acquirer requirements
  • Not required: Most SAQ A, B, and C merchants (but recommended)

Step 4: Plan Your Testing Timeline

If you need penetration testing:
1. Budget 4-8 weeks for the entire process
2. Schedule testing during slower business periods
3. Plan for annual testing (required)
4. Allow time for fixing any findings

Step 5: Choose Your Testing Approach

You’ll need to decide on:

  • Internal vs. external testing (Level 1 requires both)
  • Automated vs. manual testing (manual is typically required)
  • Selecting a qualified testing company

Common Questions Beginners Have

“Is vulnerability scanning the same as penetration testing?”

No! Vulnerability scanning is like using a checklist to look for known issues. Penetration testing is like hiring someone to actively try breaking in. Most merchants need vulnerability scanning; only some need penetration testing.

“Can I do penetration testing myself?”

PCI DSS requires penetration testing to be performed by qualified individuals with organizational independence. This typically means hiring an external company or having a separate internal team—you can’t test your own work.

“How much does penetration testing cost?”

Costs vary widely based on scope:

  • Small business external test: $5,000-$15,000
  • Medium business full test: $15,000-$30,000
  • Large enterprise testing: $30,000+

“What if the test finds problems?”

This is expected! Most tests find issues. You’ll receive a report detailing:

  • What was found
  • Risk levels
  • Recommended fixes
  • Retesting requirements

Mistakes to Avoid

Common Beginner Errors

1. Assuming you need penetration testing when you don’t
– Many small merchants only need vulnerability scanning
– Check your actual requirements before spending money

2. Confusing different types of testing
– Penetration testing ≠ vulnerability scanning
– Make sure you’re getting what PCI requires

3. Choosing the cheapest option
– Quality matters in security testing
– Cheap tests might miss critical vulnerabilities

4. Testing without preparation
– Notify your hosting provider
– Backup your systems
– Inform your team

How to Prevent These Mistakes

  • Start by determining your exact requirements
  • Get multiple quotes and compare scope, not just price
  • Ask for sample reports before hiring
  • Verify the tester’s qualifications
  • Plan thoroughly before testing begins

What to Do If You Make Them

If you’ve already made mistakes:

  • Don’t panic—you can fix them
  • Document what happened
  • Correct the issue going forward
  • Consider retesting if necessary
  • Learn for next year’s requirements

Getting Help

When to DIY vs. Seek Help

Do it yourself when:

  • You’re determining your merchant level
  • You’re identifying your SAQ type
  • You’re gathering documentation

Seek professional help when:

  • You’re unsure about requirements
  • You need actual penetration testing
  • You’re facing a more complex SAQ type, such as SAQ P2PE
  • You’ve failed previous compliance attempts

Types of Services Available

1. Qualified Security Assessors (QSAs)
– Can validate your compliance
– Provide official assessments
– More expensive option

2. Approved Scanning Vendors (ASVs)
– Provide required vulnerability scans
– Not the same as penetration testing

3. Penetration Testing Companies
– Perform required testing
– Provide detailed reports
– Help with remediation guidance

How to Evaluate Providers

Look for:

  • PCI DSS knowledge and experience
  • Clear pricing and scope
  • Sample reports you can understand
  • References from similar businesses
  • Proper certifications and qualifications
  • Good communication skills

Next Steps

What to Do After Reading

1. Determine your merchant level using your transaction volume
2. Identify your SAQ type based on how you process payments
3. Check if you need penetration testing using the requirements above
4. Plan your approach if testing is required
5. Take action to meet your requirements

Related Topics to Explore

  • PCI DSS vulnerability scanning requirements
  • Network segmentation strategies
  • Security awareness training
  • Incident response planning
  • PCI compliance maintenance

Resources for Deeper Learning

  • PCI Security Standards Council website
  • Your merchant bank’s compliance resources
  • Industry-specific compliance guides
  • Security community forums and groups

FAQ

Q: How often do I need penetration testing for PCI compliance?
A: If required, penetration testing must be performed annually and after any significant infrastructure or application changes.

Q: Can I use automated tools instead of manual penetration testing?
A: PCI DSS requires manual testing techniques. While automated tools can supplement testing, they cannot replace manual penetration testing where it’s required.

Q: What’s the difference between external and internal penetration testing?
A: External testing simulates attacks from outside your network (like from the internet), while internal testing simulates attacks from inside your network (like from a compromised employee computer).

Q: Do I need penetration testing if I don’t store credit card data?
A: Possibly. The requirement depends on your merchant level and SAQ type, not just whether you store data. Level 1 merchants always need testing regardless of storage.

Q: Can I fail PCI compliance if my penetration test finds vulnerabilities?
A: Finding vulnerabilities doesn’t automatically mean failure. You’ll need to fix critical and high-risk findings and have them retested, but the test itself is meant to find issues.

Q: Who can perform PCI penetration testing?
A: Testing must be performed by qualified individuals with organizational independence, relevant experience, and penetration testing certifications or credentials.

Conclusion

Understanding whether you need penetration testing for PCI compliance doesn’t have to be overwhelming. Start by determining your merchant level and SAQ type—these two factors will tell you whether penetration testing is required for your business.

Remember, even if penetration testing isn’t required for your compliance, it’s often a smart security investment that can protect your business and customers from cyber threats.

Ready to determine your exact PCI requirements? Try our free PCI SAQ Wizard tool at PCICompliance.com to quickly identify which SAQ applies to your business and start your compliance journey with confidence. Our wizard walks you through simple questions about your payment processing and instantly shows your requirements—including whether you need penetration testing.

PCICompliance.com helps thousands of businesses achieve and maintain PCI DSS compliance with affordable tools, expert guidance, and ongoing support. Let us help you navigate your compliance requirements with clarity and confidence.
