PCI DSS security testing requirements
PCI DSS v4.0 outlines specific requirements for security testing. The most relevant for Nigerian fintechs are in Requirement 6 (secure development), Requirement 11 (regular testing), and Requirement 12 (security policies).
Requirement 11.4 — Penetration Testing
Annual penetration testing is mandatory. Tests must cover the entire CDE from both internal and external perspectives. If segmentation is used to reduce CDE scope, segmentation controls must be tested at least every six months.
Requirement 11.3 — Vulnerability Scanning
Quarterly external ASV scans and internal vulnerability scans are required. All "high" and "critical" vulnerabilities must be addressed and rescanned before the scan passes. This is separate from — and complementary to — penetration testing.
Requirement 6.2 — Secure Development
Custom software must be developed securely, with code reviews or application security testing before production release. This applies to every fintech building its own payment processing logic, checkout pages, or tokenization services.
Requirement 12.10 — Incident Response
You must have a documented incident response plan that is tested annually. Penetration testing findings directly inform and improve this plan by demonstrating which attack vectors are most likely to succeed.
Scoping your Cardholder Data Environment
Accurate CDE scoping determines testing cost and coverage. Everything that touches cardholder data is in scope — and everything connected to those systems is also in scope unless proper network segmentation (validated by testing) proves isolation.
Map cardholder data flows
Trace where card numbers enter your system (checkout, API, mobile app), where they're processed (tokenization, payment processor calls), and where they're stored (if at all). Every system in this flow is in your CDE.
Identify connected systems
Any system that can communicate with CDE systems — even indirectly — is in scope unless segmentation is proven. This includes admin dashboards, logging servers, and monitoring tools that have network access to CDE components.
Validate segmentation
If you've segmented your network to reduce CDE scope, those segmentation controls must be tested at least every six months. We validate that non-CDE systems truly cannot reach cardholder data, even with elevated privileges.
Logging server in the CDE
A payment processor believed their CDE was limited to two application servers. However, their centralized logging system received full API request/response payloads — including unmasked card numbers — from the payment flow. The logging server was accessible to the entire engineering team. This expanded the true CDE scope significantly and required immediate remediation.
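One mitigation for the failure mode in this case study is to scrub PANs from request/response payloads before they are handed to a central logger, so the logging server never receives full card numbers and does not fall into CDE scope. The following is an added example written for this page, not code from the author or from any engagement; it uses a Luhn check to tell card numbers apart from other long digit strings (timestamps, order ids) and masks them to the first six and last four digits. The log line is constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str):
    """Return (sanitised_text, number_of_pans_masked) for one log line or payload."""
    count = 0

    def _replace(match: "re.Match") -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # e.g. an order id: not a PAN, leave untouched
        count += 1
        return mask_pan(digits)

    return _PAN_CANDIDATE.sub(_replace, text), count


def lines_with_pans(lines):
    """Detection side: indices of log lines that still carry an unmasked PAN."""
    return [i for i, line in enumerate(lines) if redact_pans(line)[1] > 0]


# Constructed sample: a checkout request logged with a full (test) card number.
SAMPLE_LOG = ('2024-05-01T10:00:00Z POST /charge '
              '{"card":"4111 1111 1111 1111","amount":5000,"order":"20240501123456"}')

if __name__ == "__main__":
    sanitised, n = redact_pans(SAMPLE_LOG)
    print(n, sanitised)   # the order id survives, the card number does not
```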
Related services and resources
PCI DSS penetration testing overlaps with our standard penetration testing and vulnerability assessment services. For Nigerian regulatory requirements beyond PCI, see our CBN compliance guide and NDPA data protection guide. If you're a payment gateway, see our payment gateway security testing page for industry-specific context.
Frequently asked questions
Does PCI DSS apply to Nigerian fintechs?
Yes. Any organization that stores, processes, or transmits cardholder data must comply with PCI DSS, regardless of geography. This includes Nigerian payment gateways, processors, acquirers, and any fintech that handles card numbers — even if briefly during a checkout flow.
What does PCI DSS require for penetration testing?
PCI DSS Requirement 11.4 mandates annual penetration testing of the Cardholder Data Environment (CDE), testing from both internal and external perspectives, and testing of network segmentation controls. Tests must be performed by qualified, independent testers using industry-accepted methodologies.
What's the difference between a PCI ASV scan and a penetration test?
An ASV (Approved Scanning Vendor) scan is an automated quarterly external vulnerability scan required by PCI DSS. A penetration test is a deeper, manual assessment that actively exploits vulnerabilities. Both are required — the ASV scan provides volume coverage, while the pentest proves real-world exploitability. An ASV scan alone won't satisfy PCI penetration testing requirements.
How do I scope my Cardholder Data Environment for PCI testing?
Your CDE includes every system that stores, processes, or transmits cardholder data, plus any system directly connected to those systems. Proper network segmentation can reduce CDE scope significantly. We help you map the CDE accurately during scoping to ensure testing covers the right systems without unnecessary cost.
Can a single pentest satisfy both PCI DSS and CBN requirements?
Often, yes. With proper scoping, a penetration test can be structured to satisfy both PCI DSS Requirement 11.4 and CBN's annual penetration testing mandate. Our reports are formatted to address both frameworks, saving you from paying for two separate engagements.