
Understanding PCI DSS Compliance: Penetration Testing, Quarterly Scanning, QSA, and SAQ Guidance 

When handling payment card data, security isn’t optional. PCI DSS sets the standard for protecting this information, and two core requirements are regular penetration testing and quarterly vulnerability scanning. 


Why Regular Testing Matters for PCI DSS Compliance

Penetration Testing for PCI DSS Compliance

Penetration testing simulates real-world cyber attacks on your network, applications, and systems. By identifying vulnerabilities before an attacker does, businesses can address security weaknesses and maintain a strong security posture. PCI DSS 4.0.1 mandates both internal and external penetration tests, which must be performed at least once a year or after significant system changes (see Requirement 11.4). 

Quarterly Vulnerability Scanning for PCI DSS Compliance

In addition to annual penetration tests, PCI DSS requires that external-facing systems undergo quarterly vulnerability scans—typically performed by an Approved Scanning Vendor (ASV). These scans help identify new vulnerabilities that might emerge between penetration tests.  

For internal assets, vulnerability scanning is required for those systems that are part of or connected to the Cardholder Data Environment (CDE) or could impact its security. In practice, many organizations choose to scan both internal and external assets quarterly, providing continuous monitoring and enabling prompt remediation of potential risks (refer to Requirement 11.2). 

QSA and SAQ: Who Does What for PCI DSS Compliance?

Qualified Security Assessors (QSAs) 

QSAs are certified professionals responsible for evaluating whether an organization meets all PCI DSS requirements. To qualify, a QSA company must: 

  • Obtain and maintain certification from the PCI Security Standards Council 
  • Follow documented methodologies and conduct independent, thorough testing 
  • Engage in ongoing training and periodic recertification 
  • Maintain strict independence and robust confidentiality safeguards 

 This ensures every penetration test, quarterly scan, and overall assessment is accurate and trustworthy (detailed guidance on QSA requirements can be found in the PCI SSC QSA Qualification Requirements—see Section 2.2 for Independence and Section 4.4 for Protection of Confidential and Sensitive Information). 

Self-Assessment Questionnaires (SAQs) 

For many merchants, the SAQ is a self-guided tool to verify PCI DSS compliance. Depending on your business model, different SAQs apply: 

  • SAQ A and SAQ C‑VT are for merchants that outsource most payment processing—generally exempt from conducting their own penetration tests 
  • SAQ A‑EP, SAQ C, and SAQ D cover environments with internet-facing systems or more complex setups and require regular penetration testing and quarterly vulnerability scanning to ensure comprehensive security (more details in SAQ guidance) 

Which SAQ Types Need Penetration Testing? 

  • SAQ A: No penetration testing is required because all processing is outsourced 
  • SAQ A‑EP: Penetration testing is required due to the involvement of internet-facing websites that impact the transaction process 
  • SAQ B and SAQ B‑IP: Typically do not require penetration testing as they involve minimal network connectivity 
  • SAQ C: Requires penetration testing because the payment applications are connected to the internet 
  • SAQ C‑VT: No testing is needed since the environment is managed and secured by a service provider 
  • SAQ D: This comprehensive questionnaire requires penetration

SAQ Types & Testing Requirements (comparative table)

Key QSA Requirements & Responsibilities

QSA Requirements and Responsibilities (comparative table)

The Bottom Line on PCI DSS Compliance

Maintaining PCI DSS compliance is an ongoing process. Regular penetration testing and quarterly vulnerability scanning help safeguard your systems against emerging threats and ensure that your organization meets rigorous industry standards.  

Whether you rely on independent QSAs or perform a self-assessment using the appropriate SAQ, understanding these requirements is critical to protecting customer data and maintaining trust in your business. 

 Meet PCI DSS requirements with confidence. Our team will help you identify vulnerabilities before attackers do—so you can stay ahead of threats, avoid costly fines, and build trust with every transaction. 
 Schedule your PCI Penetration Test today. 

RESOURCES

- PCI DSS: v4.0.1
- PCI Data Security Standard Qualification Requirements
