Penetration Testing required for SAQ C
mwnukem
01-14-2009, 07:35 AM
My QSA is pressuring me to have a penetration test performed; I am not opposed to having this test at all. It's more of a formality issue on deciding where to draw the line. Penetration testing is addressed in 11.3. There is no 11.3 in SAQ C. When I bring this point up I am told I am correct; however, Part 3a states that I must maintain full PCI DSS compliance at all times. Please understand we are a mid-size company (40 stores) using Shift 4. We have no CHD on any of our systems. We are 99% compliant with passing external scans. We lack only a few written policies to be 100%. A large investment of time and money has been spent to get us to this point. The fee for this test is over 1,000.00. I feel like I am being sold undercoating on my new car. In all fairness I must also add that I am on the border of SAQ D, since our stores are connected to corporate via a VPN. I have instituted a reasonable amount of compensating controls to satisfy my QSA, and hopefully the powers that be, to qualify for SAQ C.
Thanks in advance
jbhall56
01-15-2009, 11:08 AM
There is a change in scanning and penetration testing requirements under PCI DSS v1.2. Under v1.2, external AND internal vulnerability scanning is required at least on a quarterly basis or whenever significant changes to the network or applications occur for all networks and applications that process, store or transmit cardholder data (CHD). Also under v1.2, external AND internal penetration testing of all applications that process, store or transmit CHD is also required at least annually and whenever significant changes occur to the network and/or applications.
However, based on your post, I'm concerned about your comment stating that you are borderline SAQ D. There is no such thing as borderline, you either are or you are not. You need to explain your situation to your acquiring bank and/or processor as they are the only ones that can determine which SAQ your organization should fill out. However, based on the limited amount of information you have provided in your post, I would classify you as needing to file SAQ D, not SAQ C. SAQ C is reserved for those merchants who have integrated POS but no connectivity to anything but the Internet for the transmittal of CHD to/from your processor/acquirer. In your post, you say that your retail locations have a VPN connection back to Corporate which would not allow you to use SAQ C.