April 21, 2026 · 6 min read

PCI DSS Penetration Testing in UAE - A Practical Compliance Guide

Q: "Does PCI DSS v4.0 require penetration testing?"

"Yes. PCI DSS v4.0 Requirement 11.4 explicitly requires external and internal penetration testing annually and after significant changes. Requirement 11.4.3 requires application-layer penetration testing. Requirement 11.4.5 requires segmentation testing at least every 12 months (semi-annually for Level 1 service providers under v4.0). Testing must be by a qualified internal resource or external party with demonstrated independence from the cardholder data environment being tested."

Q: "Who in UAE is subject to PCI DSS penetration testing?"

"Any UAE organization storing, processing, or transmitting cardholder data: acquirers and payment service providers, merchant payment processors, card scheme participants, e-commerce and retail merchants accepting cards, hospitality operators, service providers handling cardholder data, call centres taking card-not-present payments, and fintechs with card rails. Scope ranges from SAQ for smaller merchants to full Report on Compliance (RoC) audits for Level 1 merchants and service providers."

Q: "What is segmentation testing and why is it important?"

"Segmentation testing validates that non-CDE (Cardholder Data Environment) networks cannot access the CDE. Under PCI DSS v4.0 it is annually required (semi-annually for Level 1 service providers). Proper segmentation testing requires attempts to reach CDE from every non-CDE network segment, both authenticated and unauthenticated attack paths, protocol-level testing not just port scanning, and validation of both ingress and egress controls. Most commonly failed requirement in UAE audits."

Q: "Can one testing firm do both CBUAE and PCI DSS testing?"

"Yes, and for UAE banks and payment institutions it is typically coordinated. PCI DSS focuses on CDE (Cardholder Data Environment). CBUAE Information Security covers the whole institution. Frameworks overlap but are not identical. A coordinated engagement scoped for both frameworks produces two separate reports (or one report with clearly separated sections) for different regulator audiences. We deliver both concurrently for UAE card-processing clients."

Q: "How much does PCI DSS penetration testing cost in UAE?"

"Depends on CDE size. Small CDE (focused card-processing application, minimal infrastructure) runs AED 60,000-120,000 for annual PCI-scope testing. Medium CDE (multiple applications, hybrid cloud, mid-size infrastructure) AED 150,000-300,000 including segmentation testing. Large CDE (Level 1 service providers, major banks) AED 400,000+ including semi-annual segmentation testing. Our engagements explicitly include segmentation testing evidence separated from application/infrastructure testing."

PCI DSS penetration testing requirements for UAE payment firms, retailers, fintechs, and service providers. Scope, frequency, segmentation testing, common findings, and integration with CBUAE, VARA, DFSA reporting.

PCI DSS penetration testing is an explicit requirement of the Payment Card Industry Data Security Standard for any entity that stores, processes, or transmits cardholder data. For UAE payment firms, retailers, fintechs, hospitality operators, and service providers, PCI DSS compliance is both a card scheme obligation and a customer expectation - and the testing bar under PCI DSS v4.0 is higher than most UAE implementations currently meet.

This guide walks through what PCI DSS v4.0 actually requires of penetration testing, where UAE implementations typically fall short, and how PCI DSS testing intersects with CBUAE, VARA, and DFSA obligations for entities subject to multiple frameworks.

Who Is in PCI DSS Scope in the UAE

PCI DSS applies to any organization that stores, processes, or transmits cardholder data. In the UAE, this includes:

Acquirers and payment service providers licensed under the CBUAE Retail Payment Services and Card Schemes Regulation
Merchant payment processors and card scheme participants
E-commerce and retail merchants accepting card payments directly
Hospitality operators - hotels, restaurants, entertainment venues processing card payments
Service providers handling cardholder data on behalf of merchants
Call centres taking card-not-present payments
Fintechs with any card rail involvement

Scope typically ranges from SAQ (Self-Assessment Questionnaire) for smaller merchants to full Report on Compliance (RoC) audits for Level 1 merchants and service providers. Penetration testing requirements scale with the compliance level.

What PCI DSS v4.0 Requires of Penetration Testing

PCI DSS Requirement 11.4 covers penetration testing specifically. The v4.0 expectations (in effect from March 2025):

Scope Coverage

External and internal testing - both perimeter and post-foothold
Network-layer and application-layer testing - infrastructure plus applications that process cardholder data
Segmentation testing - validation that non-CDE (Cardholder Data Environment) networks cannot access the CDE
Wireless testing where wireless technology is within scope
Social engineering - for Level 1 service providers and Level 1 merchants

Frequency

Annually at minimum
After significant changes - infrastructure upgrades, application changes, network architecture modifications
For Level 1 service providers - semi-annual segmentation testing under PCI DSS v4.0

Tester Requirements

Qualified security tester - with appropriate experience and methodology
Independent from the entity being tested - not internal staff, not the same firm that performs the annual RoC audit (separation of audit and testing functions)
Documented methodology - NIST SP 800-115, OSSTMM, PTES, OWASP, or equivalent

Deliverables

Pentest report with findings, severity, exploitability assessment, and remediation guidance
Segmentation testing evidence distinct from application/infrastructure testing
Remediation validation - documented retesting of critical and high findings
Risk-based scoring - aligned to CVSS or equivalent

Segmentation Testing - The Most Commonly Failed Requirement

Under PCI DSS v4.0, segmentation testing is the most frequently failed requirement in UAE audits. Reasons:

Organizations claim network segmentation without independent verification
Testing is performed by internal teams with insider knowledge, not adversarial
Scope is too narrow - testing some segments, not all adjacencies
Segmentation controls are documented as stateful firewalls but turn out to be routing-only

Proper segmentation testing requires:

Attempts to reach CDE from every non-CDE network segment
Both authenticated (compromised user credential) and unauthenticated (external position) attack paths
Protocol-level testing, not just port scanning
Validation of both ingress and egress controls
For v4.0 Level 1 service providers - twice annually

Common PCI DSS Findings in UAE Environments

Patterns across UAE PCI engagements:

CDE boundary violations

Management/jump hosts in CDE accessible from corporate network without step-up controls
Backup and monitoring systems in CDE with outbound access to general corporate infrastructure
Cloud-hosted CDE workloads with IAM principals from non-CDE accounts

Application-layer cardholder data exposure

Cardholder data logged in application or infrastructure logs outside CDE
Card data in error messages or debug output
Insufficient input validation leading to card data in unexpected backend systems
Caching layers outside CDE storing cardholder data

Cryptographic control weaknesses

Hardcoded key material in application code
Weak key management practices - single human custodian, no split-knowledge/dual-control
Legacy TLS configurations (TLS 1.0/1.1 still present)
Certificate lifecycle management gaps

Access control

Shared accounts in CDE
Insufficient multi-factor authentication for all CDE administrative access
Privileged access reviews not performed as documented
Former employees with residual CDE access

Vulnerability management velocity

Patch cadence slower than PCI DSS v4.0 expectations
Vulnerability scanning performed but remediation not tracked to closure
Compensating controls documented but not evidentially implemented

PCI DSS and Other UAE Frameworks

Many UAE entities are subject to both PCI DSS and UAE regulatory frameworks. The overlap:

CBUAE-licensed banks and payment institutions - PCI DSS applies to their card operations plus CBUAE Information Security standards apply to the whole institution. Testing can be coordinated, but scope is different. PCI DSS is CDE-focused, CBUAE is institution-wide. One annual engagement can cover both with appropriate scope design.

VARA-licensed crypto VASPs with fiat ramps - PCI DSS applies to the fiat card-processing component, VARA Technology and Information Risk applies to the full platform. Integration with banking partner infrastructure creates additional scope.

DFSA-licensed DIFC financial firms - PCI DSS applies where card payments are processed. DFSA Rulebook applies to the firm. Scope and testing coordination required.

NESA CII entities - if the entity processes cards (some large retail, hospitality, telecom operators), PCI DSS applies to card operations; NESA applies institution-wide. Two separate frameworks, one testing programme can address both with scope design.

Structuring a PCI DSS Pentest in the UAE

A well-structured UAE PCI DSS penetration testing engagement typically:

Scope defined against CDE:

All systems storing, processing, or transmitting cardholder data
All systems connected to or impacting the CDE
All adjacency points between CDE and non-CDE networks

Test types:

External network penetration testing (internet-facing CDE components)
Internal network penetration testing (within CDE and CDE adjacency)
Application-layer testing (CDE applications)
Segmentation testing (CDE isolation validation)
Wireless testing (if wireless in scope)
Social engineering (for Level 1 service providers)

Deliverables:

Technical penetration testing report with CVSS scoring
Segmentation testing attestation
Remediation tracking and retest evidence
QSA-accepted format for RoC integration

Coordination:

With QSA firm (for formal audit context)
With CBUAE, VARA, DFSA, or NESA testing programme (for overlapping entities)
With internal compliance and audit functions

How pentest.ae Handles PCI DSS Engagements

We run PCI DSS penetration testing for UAE merchants, payment service providers, and entities with card rail components. Our reports are structured for QSA acceptance into RoC documentation, coordinate with your other UAE regulatory testing obligations, and include explicit segmentation testing evidence separated from application and infrastructure testing.

Our team includes researchers with experience testing in payment environments - meaning familiarity with Hardware Security Modules, key management ceremonies, tokenization platforms, and 3-D Secure implementations.

Penetration Testing UAE - full service overview
CBUAE Penetration Testing Guide - banking framework
Network Penetration Testing - segmentation testing
API Security Testing - payment API testing
Penetration Testing Cost in UAE - pricing guide

Common Questions

Frequently Asked Questions

Does PCI DSS v4.0 require penetration testing?

Yes. PCI DSS v4.0 Requirement 11.4 explicitly requires external and internal penetration testing annually and after significant changes. Requirement 11.4.3 requires application-layer penetration testing. Requirement 11.4.5 requires segmentation testing at least every 12 months (semi-annually for Level 1 service providers under v4.0). Testing must be by a qualified internal resource or external party with demonstrated independence from the cardholder data environment being tested.

Who in UAE is subject to PCI DSS penetration testing?

Any UAE organization storing, processing, or transmitting cardholder data: acquirers and payment service providers, merchant payment processors, card scheme participants, e-commerce and retail merchants accepting cards, hospitality operators, service providers handling cardholder data, call centres taking card-not-present payments, and fintechs with card rails. Scope ranges from SAQ for smaller merchants to full Report on Compliance (RoC) audits for Level 1 merchants and service providers.

What is segmentation testing and why is it important?

Segmentation testing validates that non-CDE (Cardholder Data Environment) networks cannot access the CDE. Under PCI DSS v4.0 it is annually required (semi-annually for Level 1 service providers). Proper segmentation testing requires attempts to reach CDE from every non-CDE network segment, both authenticated and unauthenticated attack paths, protocol-level testing not just port scanning, and validation of both ingress and egress controls. Most commonly failed requirement in UAE audits.

Can one testing firm do both CBUAE and PCI DSS testing?

Yes, and for UAE banks and payment institutions it is typically coordinated. PCI DSS focuses on CDE (Cardholder Data Environment). CBUAE Information Security covers the whole institution. Frameworks overlap but are not identical. A coordinated engagement scoped for both frameworks produces two separate reports (or one report with clearly separated sections) for different regulator audiences. We deliver both concurrently for UAE card-processing clients.

How much does PCI DSS penetration testing cost in UAE?

Depends on CDE size. Small CDE (focused card-processing application, minimal infrastructure) runs AED 60,000-120,000 for annual PCI-scope testing. Medium CDE (multiple applications, hybrid cloud, mid-size infrastructure) AED 150,000-300,000 including segmentation testing. Large CDE (Level 1 service providers, major banks) AED 400,000+ including semi-annual segmentation testing. Our engagements explicitly include segmentation testing evidence separated from application/infrastructure testing.

Find It Before They Do

Book a free 30-minute security discovery call with our AI Security experts in Dubai, UAE. We identify your highest-risk AI attack vectors - actionable findings in days.

Talk to an Expert