What is Penetration Testing?
Penetration testing (pen testing) is a controlled cyber attack simulation designed to identify security vulnerabilities in systems, networks, and applications before malicious actors can exploit them.
What Is Penetration Testing?
Penetration testing -- often called pen testing or ethical hacking -- is a controlled security exercise in which a skilled tester attempts to exploit vulnerabilities in a system, network, or application. The goal is to find security weaknesses before real attackers do, and to demonstrate the potential impact of those weaknesses if they were exploited.
Unlike automated vulnerability scanning, which simply identifies known issues, penetration testing involves creative, manual techniques that simulate how an actual attacker would behave. A good pen tester thinks like a hacker -- probing for logic flaws, chaining together minor vulnerabilities, and testing whether security controls actually work in practice.
Types of Penetration Testing
External penetration testing
This focuses on your internet-facing systems -- websites, web applications, email servers, VPNs, and firewalls. The tester works from outside your network, attempting to breach the perimeter just as a remote attacker would.
Internal penetration testing
Here the tester starts from inside your network, simulating a scenario where an attacker has already gained initial access -- perhaps through a phishing email or a compromised employee account. The test examines how far an attacker could move laterally through your systems.
Application penetration testing
This targets specific applications, such as payment portals, customer-facing web apps, or APIs. The tester looks for flaws like injection attacks, authentication bypasses, and business logic errors.
Social engineering testing
Some pen tests include attempts to manipulate staff -- through phishing emails, phone calls, or even physical access attempts. This tests the human element of your security, which is often the weakest link.
The Penetration Testing Process
A professional penetration test typically follows a structured methodology:
- Scoping and planning -- Defining what will be tested, what methods are permitted, and what is out of bounds. This includes agreeing on the testing window and emergency contacts
- Reconnaissance -- Gathering information about the target systems, including publicly available data, DNS records, and technology fingerprints
- Vulnerability identification -- Using both automated tools and manual techniques to find potential entry points
- Exploitation -- Attempting to exploit identified vulnerabilities to gain access, escalate privileges, or extract data
- Post-exploitation -- Assessing what an attacker could do once inside: accessing sensitive data, moving to other systems, or maintaining persistent access
- Reporting -- Documenting all findings with clear descriptions, evidence, risk ratings, and remediation recommendations
Penetration Testing and PCI DSS
PCI DSS Requirement 11.4 mandates that organisations perform penetration testing at least annually and after any significant change to their environment. The requirement specifies that tests must cover:
- The entire cardholder data environment (CDE) perimeter
- Critical systems within the CDE
- Both network-layer and application-layer testing
- Testing from both inside and outside the network
PCI DSS v4.0 strengthened the penetration testing requirements further. The standard now requires that the testing methodology be documented and that tests validate the effectiveness of network segmentation controls at least every six months for service providers.
Who can perform PCI penetration tests?
PCI DSS does not require the use of a specific certification or qualified assessor for penetration testing (unlike vulnerability scanning, which requires an ASV for external scans). However, the tester must be qualified, experienced, and independent of the systems being tested. Most organisations hire specialist firms, though internal teams can perform tests if they meet the independence and competence requirements.
Penetration Testing for Telephone Payment Environments
Contact centres and telephone payment systems present unique targets for penetration testing. Testers should examine:
- Whether DTMF tones can be intercepted or decoded from call recordings
- The security of IVR payment systems and their integration with payment gateways
- Agent desktop applications and whether card data could be captured through screen recording or memory scraping
- Network segmentation between the telephony environment and the cardholder data environment
- API connections between the telephone payment platform and backend systems
A thorough pen test of a telephone payment environment should verify that the security controls -- such as DTMF masking -- are actually working as intended and cannot be bypassed.
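The verification step described above can be made concrete. The following is an added example, not Paytia's code and not part of the original page: it synthesises a keypad entry as a short call recording, applies a simulated masking step (the keypad tones are replaced with a flat cover tone), and runs a Goertzel-based DTMF decoder over both the unmasked and the masked recording to confirm that the masked version no longer yields digits. The 8 kHz sample rate, the masking method, the detection thresholds and the sample digits are all assumptions chosen for illustration, and the audio is constructed in the script so it runs offline.

```python
"""Added example (not Paytia's code): does a call recording still contain
decodable DTMF, i.e. did the masking control actually work?
All audio below is constructed synthetically; no real recordings are read."""
import math

SAMPLE_RATE = 8000  # Hz, assumed telephony sample rate
LOW_FREQS = (697, 770, 852, 941)        # DTMF row frequencies
HIGH_FREQS = (1209, 1336, 1477, 1633)   # DTMF column frequencies
KEYPAD = [["1", "2", "3", "A"],
          ["4", "5", "6", "B"],
          ["7", "8", "9", "C"],
          ["*", "0", "#", "D"]]


def synth_dtmf(digit, duration_s=0.1, amplitude=0.4):
    """Constructed audio: one DTMF digit as a list of float samples."""
    for r, row in enumerate(KEYPAD):
        if digit in row:
            low, high = LOW_FREQS[r], HIGH_FREQS[row.index(digit)]
            break
    else:
        raise ValueError(f"not a DTMF digit: {digit!r}")
    n = int(SAMPLE_RATE * duration_s)
    return [amplitude * (math.sin(2 * math.pi * low * i / SAMPLE_RATE)
                         + math.sin(2 * math.pi * high * i / SAMPLE_RATE))
            for i in range(n)]


def synth_keypad_entry(digits, tone_s=0.1, gap_s=0.1):
    """Constructed recording: digits separated by silence, as an IVR would capture them."""
    gap = [0.0] * int(SAMPLE_RATE * gap_s)
    out = []
    for d in digits:
        out += synth_dtmf(d, tone_s) + gap
    return out


def mask_tones(samples, cover_hz=400.0, amplitude=0.2):
    """Simulated masking control (assumption): the keypad audio is replaced
    by a flat cover tone of the same length, so no DTMF energy survives."""
    return [amplitude * math.sin(2 * math.pi * cover_hz * i / SAMPLE_RATE)
            for i in range(len(samples))]


def goertzel_power(samples, freq):
    """Goertzel algorithm: |DTFT|^2 of `samples` at a single frequency."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def detect_dtmf(samples, min_amplitude=0.05, min_dominance=4.0):
    """Return the digit present in a block, or None if no clean DTMF pair is found.
    A tone must exceed an absolute floor and dominate its group's runner-up."""
    n = len(samples)

    def amp(f):  # amplitude estimate: a sinusoid of amplitude A gives |X| ~= A*n/2
        return 2.0 * math.sqrt(max(goertzel_power(samples, f), 0.0)) / n

    chosen = []
    for group_freqs in (LOW_FREQS, HIGH_FREQS):
        group = {f: amp(f) for f in group_freqs}
        best = max(group, key=group.get)
        runner_up = max(v for f, v in group.items() if f != best)
        if group[best] < min_amplitude or group[best] < min_dominance * runner_up:
            return None
        chosen.append(best)
    return KEYPAD[LOW_FREQS.index(chosen[0])][HIGH_FREQS.index(chosen[1])]


def decode_recording(samples, block_s=0.05):
    """Scan the recording in short blocks and return the digit string a
    decoder would recover (consecutive blocks of the same digit count once)."""
    n = int(SAMPLE_RATE * block_s)
    found, last = [], None
    for start in range(0, len(samples) - n + 1, n):
        d = detect_dtmf(samples[start:start + n])
        if d is not None and d != last:
            found.append(d)
        last = d
    return "".join(found)


def verify_masking(digits):
    """Defender's check: what leaks from the raw recording vs. the masked one."""
    raw = synth_keypad_entry(digits)
    return decode_recording(raw), decode_recording(mask_tones(raw))


if __name__ == "__main__":
    leaked_raw, leaked_masked = verify_masking("4111")  # constructed sample entry
    print(f"unmasked recording decodes to: {leaked_raw!r}")
    print(f"masked recording decodes to:   {leaked_masked!r}")
    print("masking effective:", leaked_masked == "")
```

In a real engagement the constructed audio would be replaced by an actual recording from the platform under test, and a non-empty result from the masked recording is the finding: the masking control is not doing its job. The dominance check is what keeps the decoder from reporting digits on ordinary speech or cover tones, so tune it on known-clean recordings before trusting a negative result.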
How Often Should You Pen Test?
PCI DSS sets the minimum at annually and after significant changes. However, many security-conscious organisations test more frequently -- particularly if they handle high volumes of transactions or operate in regulated industries. Some businesses run continuous penetration testing programmes where testers probe systems on an ongoing basis.
Paytia's platform undergoes regular penetration testing by qualified independent security firms as part of maintaining its PCI DSS Level 1 certification. These tests cover the full scope of the telephone payment platform -- including the DTMF masking infrastructure, payment gateway integrations, and all network perimeter controls.
This rigorous testing regime ensures that Paytia's customers can trust that the platform protecting their telephone payments has been actively tested against real-world attack techniques, not just checked against a list of known vulnerabilities.
Frequently Asked Questions
How often does PCI DSS require penetration testing?
PCI DSS requires penetration testing at least once per year and after any significant change to the cardholder data environment. Service providers must also validate segmentation controls every six months.
What is the difference between penetration testing and vulnerability scanning?
Vulnerability scanning is automated and identifies known weaknesses. Penetration testing is a manual exercise where a skilled tester actively attempts to exploit vulnerabilities, chain them together, and demonstrate real-world impact. PCI DSS requires both.
Does a pen tester need special certification for PCI DSS?
PCI DSS does not mandate a specific certification, but the tester must be qualified and experienced. Common industry certifications include OSCP, CREST, and CEH. The tester must also be independent of the systems being tested.