Home
/Checklists
/PCI DSS Penetration Testing Checklist

Web Application26 items

PCI DSS Penetration Testing Checklist

A penetration testing checklist specifically designed to meet PCI DSS requirements 11.3 and 11.4. Covers cardholder data environment (CDE) segmentation validation, application layer testing, network layer testing, and documentation requirements for PCI compliance.

PCI DSS 4.0PA-DSSOWASP Top 10NIST SP 800-115

Progress: 0 of 26 items

Identify and document the Cardholder Data Environment (CDE) boundariesinfo

Map all systems that store, process, or transmit cardholder data and connected systems.

References

PCI DSS v4.0 Penetration Testing Guidance

Review network segmentation architecture and firewall rules

Obtain network diagrams showing CDE segmentation from non-CDE environments.

Confirm testing covers both internal and external attack vectors

PCI DSS requires testing from both inside and outside the network perimeter.

Verify tester qualifications meet PCI DSS requirements

Ensure the testing team is organizationally independent and has appropriate certifications.

Document all payment application versions and payment flows

Map the complete lifecycle of cardholder data from entry to storage or transmission.

Verify that non-CDE systems cannot access CDE network segmentscritical

Test connectivity from every non-CDE segment to CDE systems on all ports.

Commands

nmap -sS -Pn -p- --max-retries 1 <cde_target_range>

Evidence to capture

Nmap scan output from a non-CDE segment showing dropped/filtered ports for the entire CDE range, plus a separate scan from inside the CDE confirming services are reachable internally.

Test firewall rules between CDE and all connected network zonescritical

Validate that only documented and required traffic is permitted between segments.

Validate that wireless networks are properly segmented from CDEhigh

Test that wireless networks cannot route traffic to cardholder data systems.

Test segmentation from third-party and vendor connection pointshigh

Verify that vendor VPN and remote access connections are isolated from the CDE.

Verify DMZ segmentation prevents direct internet access to CDEcritical

Confirm that internet-facing systems cannot directly communicate with CDE systems.

Test payment forms for injection vulnerabilitiescritical

Verify that all payment-related input fields are protected against SQL injection and XSS.

References

OWASP A03:2021 - Injection

Cheat sheet · /cheat-sheets/sql-injection

Verify that cardholder data is encrypted in transitcritical

Confirm TLS 1.2+ is used for all transmissions of cardholder data with strong cipher suites.

Commands

testssl.sh https://payment.target.com

Test for exposure of full PAN in application interfaces and logscritical

Verify that card numbers are masked (first six/last four) in all displays and log files.

Evidence to capture

screenshot or log excerpt showing where unmasked PAN is exposed (with the actual digits redacted in the report) plus the source location (URL or log file path).

Test authentication controls protecting access to cardholder datahigh

Verify unique user IDs, strong passwords, and MFA for administrative access to CDE systems.

References

OWASP Authentication Cheat Sheet

Verify secure deletion of cardholder data past retention periodhigh

Confirm that expired cardholder data is securely deleted and cannot be recovered.

Test payment processing flows for logic bypass vulnerabilitiescritical

Attempt to manipulate transaction amounts, skip verification steps, and replay transactions.

References

OWASP WSTG - Business Logic Testing

Perform external vulnerability scanning of CDE-facing systemshigh

Scan all external IP addresses in the CDE for vulnerabilities as required by ASV scanning.

Commands

nmap -sS -sV --script vuln <cde_external_ips>

Test for exploitable vulnerabilities on CDE infrastructure componentscritical

Attempt exploitation of identified vulnerabilities on servers, databases, and network devices.

Verify that unnecessary services and protocols are disabled on CDE systemshigh

Check for unused ports, default services, and unnecessary protocols on all CDE hosts.

Commands

nmap -sS -sV -p- <cde_target>

Test remote access mechanisms into the CDEhigh

Verify that all remote access requires MFA and is logged and monitored.

Check for presence of unauthorized wireless access points near CDEhigh

Perform wireless scanning to detect rogue access points that could bridge into the CDE.

Commands

airodump-ng wlan0mon

Document testing methodology aligned with PCI DSS 11.3 requirements

Include industry-accepted methodology reference (PTES, NIST SP 800-115) in the report.

Confirm all CDE systems and segmentation controls were tested

Provide evidence that testing coverage included the entire CDE scope.

Classify findings with remediation timelines per PCI DSS requirements

Critical and high findings must be remediated and retested before compliance validation.

Provide evidence of segmentation testing for scope reduction validation

Document segmentation test results to support PCI DSS scope reduction claims.

Prepare report suitable for QSA review during annual assessment

Format the report to meet QSA expectations including tester qualifications and methodology.

Related Vulnerabilities

Injection

critical

Cryptographic Failures

high

Security Misconfiguration

medium

Broken Access Control

critical

Industries Using This Checklist

Financial Services & Banking

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Company

About
Contact
luke@vulnsy.com

PCI DSS Penetration Testing Checklist

Pre-Engagement & Scoping

Network Segmentation Validation

Application Layer Testing

Network Layer Testing

Documentation & Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy