PCI DSS Penetration Testing Services in the UAE
If your business stores, processes, or transmits cardholder data in the UAE, PCI DSS doesn’t leave penetration testing optional; Requirement 11.4 makes it a named, recurring obligation. Nathan Labs delivers PCI DSS-scoped penetration testing for UAE merchants and service providers, producing QSA-acceptable reports that prove your cardholder data environment holds up against real attacks, not just a passing vulnerability scan.F
What Is PCI DSS Penetration Testing?
The Payment Card Industry Data Security Standard (PCI DSS) is the global security framework created by Visa, Mastercard, American Express, Discover, and JCB to protect cardholder data. Any organization that stores, processes, or transmits card data, such as merchants, payment gateways, e-commerce platforms, hospitality groups, and service providers, falls under its scope.
Under PCI DSS v4.0.1, penetration testing sits in Requirement 11.4 (moved from 11.3 under the older v3.2.1 standard, which is why older reports still reference 11.3). Requirement 11.4 calls for regular, methodology-driven testing of the systems, applications, networks, APIs, and segmentation controls that make up or support your Cardholder Data Environment (CDE), testing that goes beyond automated scanning to actively validate whether identified weaknesses are truly exploitable.
Don’t confuse this with vulnerability scanning. A scan identifies known weaknesses through automated tools; penetration testing is manual and adversarial, chaining weaknesses together to show what an attacker could actually achieve. PCI DSS requires both, and a passing ASV scan is never accepted as a substitute for a penetration test.
PCI DSS Penetration Testing Requirements at a Glance
- External penetration testing: At least annually and after any significant change to the CDE or connected systems
- Internal penetration testing: Validates that internal systems and network segments protecting the CDE resist attacks from within.
- Segmentation testing: At least annually (every six months for service providers) if segmentation is used to reduce PCI scope
- Quarterly ASV scans: External vulnerability scans by an approved scanning vendor, run until a passing result each quarter.
- Recognized methodology: NIST SP 800-115, OWASP, PTES, or OSSTMM
- Retesting: Required to confirm remediation before a clean report is issued
Your validation path depends on your PCI DSS level, determined by annual transaction volume. Level 1 merchants and most service providers require a full QSA-led assessment and formal Report on Compliance (ROC); lower levels typically use a Self-Assessment Questionnaire (SAQ) alongside required scanning and testing.
Who Needs PCI DSS Penetration Testing in the UAE?
- E-commerce platforms and online retailers accepting card payments
- Hospitality groups, hotels, and restaurant chains processing card transactions
- Payment gateways, processors, and payment service providers
- Banks and financial institutions issuing or acquiring card transactions
- Any business outsourcing payment processing but still holding shared PCI responsibility
- SaaS platforms and marketplaces that store, process, or transmit cardholder data on behalf of merchants

In the UAE’s fast-growing digital payments market, banks and acquirers increasingly enforce PCI DSS as a condition of continued card acceptance, making non-compliance a direct threat to your ability to process payments.
How Nathan Labs Delivers PCI DSS Penetration Testing
- CDE scoping: We map your full Cardholder Data Environment, payment applications, databases, network segments, APIs, and third-party integrations so testing reflects everything Requirement 11.4 expects to be in scope.
- External and internal penetration testing: We test the external attack surface and internal network paths to your CDE, simulating how an attacker outside your perimeter, or already inside your network, could reach cardholder data.
- Segmentation testing: Where segmentation reduces PCI scope, we validate the isolation actually holds, confirming non-CDE systems cannot reach payment systems at the cycle your merchant or service provider level requires.
- Application and API testing: We test payment applications and APIs for authentication flaws, injection vulnerabilities, and business logic issues automated scans routinely miss.
- Methodology-aligned, QSA-ready testing: Engagements follow recognized frameworks, NIST SP 800-115, OWASP, and PTES, and every report documents scope, methodology, findings, business impact, and remediation guidance in the format your QSA needs for your ROC or SAQ.
- Retesting for clean closure: We retest remediated findings and issue a clean report once everything is fixed, the evidence your acquiring bank and card brands ultimately require.
Why UAE Businesses Choose Nathan Labs for PCI DSS Penetration Testing
- PCI-specific scoping: Testing built around CDE boundaries and Requirement 11.4, not a generic infrastructure test relabeled for compliance.
- Segmentation expertise: Dedicated testing to validate scope-reduction claims that many providers skip or treat superficially.
- QSA-ready documentation: Reports structured for direct use in your ROC or SAQ, reducing back-and-forth during an audit.
- Retesting included: Every finding tracked to a clean, closed report.
- UAE-based delivery: Direct experience with the acquiring banks, card brands, and QSA expectations active in the UAE market.
Frequently Asked Questions
Yes. PCI DSS Requirement 11.4 explicitly requires internal and external penetration testing of the CDE, unlike some UAE frameworks where testing is implied rather than named outright.
At least annually, and after any significant change to the CDE or the systems and networks that support it. Service providers face additional segmentation testing every six months.
No. A passing ASV scan demonstrates the absence of known vulnerabilities but does not satisfy the manual, exploitation-based testing requirement 11.4 requires.
Yes. If your CDE spans AWS, Azure, or hybrid infrastructure, testing must cover those environments along with any third-party integrations touching cardholder data.
Scope, methodology, detailed findings with business impact, remediation recommendations, and retest results are what your QSA needs to accept as compliance evidence.


