PCI DSS requirements cover general security good practice, including password management and log monitoring, as well as penetration testing. Organisations required to submit evidence of an annual penetration test include merchants, service providers and e-commerce sites - in short, anyone handling customer data.
The certification requires the entirety of the cardholder data environment (CDE) perimeter to be tested, both internal and external, including any applications developed specifically by or for the organisation. This test must be performed at least annually, and after any significant changes, such as patches, upgrades or modifications.