What It Is
Not a pentest methodology — a compliance interpretation document. PCI PTG tells you what PCI Qualified Security Assessors (QSAs) expect from a penetration test that satisfies PCI DSS Requirement 11.3/11.4. It bridges the gap between generic pentest standards and PCI-specific scoping rules.
Key requirements:
- Scoping — Cardholder Data Environment (CDE) boundaries, connected systems, out-of-scope justification
- Segmentation Validation — Prove that network segmentation actually isolates the CDE
- Application-Layer Testing — Must cover OWASP Top 10 at minimum
- Network-Layer Testing — Must cover both internal and external network segments
- Retesting — Remediated findings must be retested and verified
- Significant Change — Defines what triggers a retest outside the annual cycle
- Assessor Qualifications — What the QSA expects from the pentest team
Why It Matters
The segmentation testing requirement is unique to PCI and frequently misunderstood. Many organizations assume their network segmentation works because it was configured correctly — PCI PTG requires you to prove it by testing from both sides. Failed segmentation testing means the entire “out of scope” argument collapses, and everything connected becomes in-scope.
When to Use It
Any pentest engagement scoped against PCI DSS requirements. If your client processes, stores, or transmits cardholder data and needs a pentest for PCI compliance, this document defines what “good enough” means.
The Offensive Angle
Segmentation testing is where pentesters find gold. “The CDE is segmented” is a claim. Testing is the proof. When segmentation fails — and it fails more often than organizations expect — the blast radius of a breach just expanded from “one VLAN” to “the entire network.” Segmentation validation is some of the highest-value work a pentester does.
Pairs Well With
- PTES — Engagement methodology for the technical testing
- OWASP WSTG — Satisfies the application-layer testing requirement
- NIST 800-115 — Governance framework for the overall assessment process