PCI DSS Annual Penetration Test

PCI DSS v3.2 requires merchants to implement a methodology for penetration testing annually or after any significant infrastructure change, that includes the following:

  • Is based on industry-accepted penetration testing approaches
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines network-layer penetration tests to include components that support network function as well as operating system
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results

Merchants who fail to meet these requirements may risk fines, damage to reputation or even legal action.

Piratica offers an annual internal PCI DSS penetration test that meets or exceeds the PCI DSS v3.2 requirements and, for merchants who take advantage of the PCI DSS quarterly scans, a 20% discount.


  • Complete the PCI DSS Authorization to Test
  • Piratica will reach out to schedule a Scope Meeting to Meet with the / a decision maker(s), the primary and secondary contact and the technical contact to establish the Scope and rules of engagement (RoE), and to draft the Engagement Agreement.


  • Unlike the Quarterly PCI DSS vulnerability scans, there is no way to offer a one-size-fits-all fixed price for the annual penetration test. The cost will be based on the scope of the engagement.


  • Penetration Tests are typically scheduled 30 to 45 days in advance.

Frequently Asked Questions

  • PCI DSS Requirement 6.1 requires merchants to identify security vulnerabilities using reputable outside sources. How does Piratica rank vulnerabilities? We use the CVSS v3.0 Base Score and provide detailed information about the discovered vulnerabilities so that the client can calculate the temporal and environmental score.