While quarterly PCI ASV scans are essential for compliance, they’re only one layer in the defense-in-depth strategy promoted by PCI DSS v4.0.1. A complete compliance program also requires annual penetration testing—a more advanced form of security testing that simulates real-world attacks.
At 1 Stop PCI Scan, powered by Backbone Security, we offer professional, low-cost penetration testing services designed to help you meet your compliance requirements and strengthen your overall security posture.
Penetration testing (or “pen testing”) simulates how a malicious actor might try to exploit your network, applications, or internal systems. Unlike automated scans, a pen test includes manual techniques and real-world attack strategies to identify and validate vulnerabilities that scanners may miss.
According to PCI DSS v4.0.1, penetration testing is required under Requirement 11.4:
11.4.2: Perform internal penetration testing at least once every 12 months and after any significant infrastructure or application upgrade or change.
11.4.3: Perform external penetration testing at least once every 12 months and after any significant infrastructure or application upgrade or change.
11.4.4: Correct exploitable vulnerabilities and security weaknesses found during penetration testing, and repeat the testing to verify the corrections.
Pen testing is required for organizations completing SAQ A-EP, SAQ C, or SAQ D, and for entities assessed through a Report on Compliance (ROC). It is strongly recommended for all entities that store, process, or transmit cardholder data.
While both PCI vulnerability scanning and penetration testing serve to identify vulnerabilities, they differ significantly in scope, method, and depth:
| | PCI Scanning | Penetration Testing |
|---|---|---|
| Automated | ✅ Yes | 🚫 No (mostly manual) |
| Frequency | Quarterly (for external ASV scans) | At least every 12 months and after significant changes (internal + external) |
| Focus | Detects known vulnerabilities | Explores real-world attack paths |
| Requirements | All merchants with externally facing IP addresses | SAQ A-EP, SAQ C, SAQ D merchants, service providers, and ROC environments |
| Report Type | ASV scan report | Custom penetration test report with risk ratings and remediation advice |
Our skilled penetration testers are Offensive Security Certified Professionals (OSCPs)—trained to mimic real-world attackers and uncover serious risks. Each penetration test includes:
✅ External and/or internal network penetration testing
✅ Manual testing techniques aligned with MITRE ATT&CK and OWASP
✅ Detailed reporting with risk ratings, attack vectors, and remediation steps
✅ Post-test consultation with our team to help you interpret and act on results
✅ Retesting after remediation (if requested)
Unlike PCI scanning, penetration testing is not one-size-fits-all. The cost of a penetration test depends on the size, complexity, and scope of your environment, along with your specific compliance goals.
Variables that impact pricing include:
Number of IP addresses, hosts, or systems in scope
Presence of web applications (especially those accepting payment data)
Use of APIs, single-page apps, or JavaScript-heavy front-ends
Mobile application testing (iOS, Android, hybrid apps, etc.)
Internal vs. external testing requirements
Authenticated testing across various user roles (admin, vendor, customer, etc.)
Inclusion of wireless network testing
Physical security assessments (onsite optional)
Depth of testing required:
Standard compliance-based testing
Advanced adversarial simulations (red teaming)
Social engineering or phishing simulations
We’ll work with you to define the right scope, avoid unnecessary over-testing, and ensure your organization gets the exact level of testing it needs to satisfy PCI DSS v4.0.1, SAQ, or ROC requirements.
🛡 Backed by Backbone Security, experts in ethical hacking and PCI compliance
🎯 All tests performed by OSCP-certified professionals
💼 We specialize in working with Level 1–4 merchants and service providers
⚙️ Testing tailored to your PCI DSS v4.0.1 obligations
💡 Education-focused reporting that helps your team improve
📅 Request a Free Penetration Test Consultation
We’ll help you determine the right scope and ensure your business is meeting its compliance and cybersecurity goals.
1 Stop PCI Scan – A Division of Backbone Security, Inc.