How Penetration Testing Helps Define PCI DSS Scope in Large Retail Environments

A Realistic Approach to POS and ECR Systems

May 21, 2025

When Trausta, a PCI QSA company, approaches PCI DSS assessments for large retailers, they often bring in Tenendo to handle the technical side of the risk: penetration testing and security validation for complex point-of-sale (POS) ecosystems. Our role is clear—provide objective, evidence-based assurance that specific systems, like electronic cash registers (ECRs), do not process or store cardholder data (CHD), and therefore may be safely placed out of PCI DSS scope.

In retail environments with hundreds or thousands of POS terminals and ECRs, scoping decisions can drastically affect effort and cost. That’s where our technical testing becomes crucial.

The Real Problem with ECRs

We’ve seen two flawed approaches commonly taken during PCI DSS scoping:

  • Over-assumption: Some assessments assume that ECRs are always out of scope, relying on the idea that POS terminals never send unencrypted PANs to the ECRs. This is rarely verified and poses real risk.
  • Overkill: Others require every single ECR to be treated as a PCI in-scope system—meaning full hardening, logging, patching, and even testing. In a high-scale retail environment, this approach is unmanageable.

Trausta engages Tenendo to support a hybrid approach. We provide the deep technical validation necessary to justify scoping decisions—by emulating attacker scenarios, reverse-engineering interfaces, and confirming that ECRs never handle CHD.

Our Testing Role in Trausta’s Hybrid Approach

Trausta handles the compliance and QSA aspects. We handle the offensive security work. Together, we ensure that scope decisions are based on facts—not assumptions or fear.

Tenendo’s role includes:

  • Testing representative POS–ECR configurations
  • Intercepting and analyzing data flows between:
    • POS terminals and Terminal Management Servers (TMS)
    • POS terminals and payment authorization systems
    • POS terminals and ECRs
  • Verifying through active and passive testing that no PAN or sensitive authentication data is exposed or accessible by the ECR

When we can confidently demonstrate that the ECR does not process or store cardholder data under any scenario—intentional or adversarial—we help Trausta justify excluding it from PCI DSS scope.

Our Testing Methodology

In accordance with the generic penetration testing methodology, Tenendo starts any test by defining the attack surface. In the case of POS terminals, the following scenarios are considered:

  • Attacker positioned adjacent to the terminal, with network access to the services on the POS terminal
  • A MitM attacker between the terminal and the external payment processing/terminal management services
  • A MitM attacker positioned between the cash register and the POS terminal
  • An attacker with full control of the cash register application

All tests could either be conducted in the lab (tailored to the typical merchant setup), or in the customer-provided environment (either a separate testing one or a live merchant setup).

Network-adjacent testing is similar to penetration testing of any single isolated network host, consisting of network service enumeration, limited fuzzing, and vulnerability discovery and exploitation. It represents the most common scenario: an attacker gaining only network access to the segment where the POS resides, without any prior knowledge or authentication credentials.

Both types of MitM testing are more involved. The penetration testing team analyzes the traffic intercepts carefully, not only to confirm that sensitive data is encrypted on every link, but also to discover any vulnerabilities that may allow access to the terminal itself, business logic tampering (e.g. forcing the terminal to issue cashback requests), or breaking the integrity of firmware updates. Both protocol-aware attacks (such as fuzzing or tampering with request/response parameters) and generic traffic replay and analysis are used to ensure that a MitM position would not lead to compromise of sensitive payment data.
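To make the passive part of this check concrete (the per-flow data-flow analysis listed above and the MitM intercept review), here is an added example that is not Tenendo's tooling: a small scanner that runs over constructed intercepted messages on the POS–ECR, POS–TMS and POS–authorization links and reports every flow that carries a cleartext, Luhn-valid PAN. The message layout, field names and link labels are assumptions; the PAN used is a well-known test number.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to separate real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    direction: str      # which link carried the PAN, e.g. "POS->ECR"
    pan_masked: str     # first six / last four only, never the full PAN


def scan_message(direction: str, payload: str) -> list[Finding]:
    """Report every Luhn-valid digit run in one intercepted message."""
    found = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            found.append(Finding(direction, masked))
    return found


def scan_capture(messages: list[tuple[str, str]]) -> list[Finding]:
    return [f for direction, payload in messages for f in scan_message(direction, payload)]


def directions_with_pan(messages: list[tuple[str, str]]) -> set[str]:
    """Links on which a cleartext PAN was observed; an ECR link here keeps the ECR in scope."""
    return {f.direction for f in scan_capture(messages)}


# Constructed sample capture (assumed semicolon-separated message format).
SAMPLE_CAPTURE = [
    ("ECR->POS", "SALE;AMOUNT=1250;REF=000123"),                       # no PAN
    ("POS->ECR", "APPROVED;AMOUNT=1250;RRN=0000000000012345;PAN=411111******1111"),  # masked; RRN fails Luhn
    ("POS->ECR", "RECEIPT;PAN=4111111111111111;EXP=1226"),              # cleartext PAN: ECR is exposed
    ("POS->TMS", "CFG;TERM=12345678;KEYVER=03"),                        # no PAN
    ("POS->AUTH", "0200;PAN=4111 1111 1111 1111;AMOUNT=1250"),          # cleartext on the host link
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"cleartext PAN on {f.direction}: {f.pan_masked}")
```

The RRN in the second message is a 16-digit run that fails the Luhn check, which is why the scanner does not report it; only the two links carrying a valid PAN are flagged.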

The most complex type of testing requires full control of the application communicating with the POS. By reverse-engineering the communication methods and protocols, the penetration testing team is able to comprehensively fuzz the POS terminal to look for both lower-level vulnerabilities in input processing and for higher-level access control and business logic issues. Despite taking up a significant amount of time compared to the previous stages, this step is important, as compromise of cashier workstations is relatively common and should not lead to access to sensitive payment or customer data.

Lab Setup

If the testing is to be performed in Tenendo’s own lab, the penetration testing team will set up the following:

This configuration allows conducting all scenarios listed above in a fully controlled environment and can even be virtualized and shared with the customer afterwards for vulnerability reproduction.

Why This Matters

PCI DSS compliance isn’t just about checkboxes—it’s about understanding risk and proving security. By partnering with Trausta, we help merchants make scoping decisions that are defensible, scalable, and grounded in real technical validation.

If you’re a QSA company, large merchant, or payment system vendor looking for high-assurance testing to support PCI DSS or other compliance frameworks, Tenendo is your partner for real-world offensive security.
