Apart from a bachelor's degree in computer science, IT, cybersecurity, computer engineering, or information assurance, a good PCI DSS pentester can be expected to hold at least some of the following pentesting certifications. None of these certifications is mandatory, but most of them indicate an in-depth understanding not just of pentesting but also of the larger universe of ethical hacking and its practical applications in real-life scenarios:
Offensive Security Certified Professional (OSCP) is offered by Offensive Security Services LLC, USA. This is a difficult and practice-oriented certification that requires candidates to successfully penetrate live machines in a lab environment.
Certified Ethical Hacker (CEH) is from the International Council of Electronic Commerce Consultants (EC-Council) based in Albuquerque, New Mexico. CEH requires candidates to demonstrate, in a legitimate manner, the use of tools used by cybercriminals.
Global Information Assurance Certifications (GIAC) are provided by Maryland-based SANS Institute. Certifications like GIAC Certified Web Application Penetration Tester and GIAC Exploit Researcher and Advanced Penetration Tester require the performance of real-world testing tasks involving web application exploits in systems and networks.
CREST Penetration Testing Certifications are from the Council of Registered Ethical Security Testers (CREST) based in Vancouver, Canada / Solihull, UK. In this examination, candidates are required to identify known vulnerabilities across networks, applications, and databases.
The UK Government's CESG CHECK IT Health Check Scheme (CHECK) requires candidates to legitimately mimic the activities of hackers and access critical Internet-facing systems. Evading intrusion-detection systems as well as vulnerability detection and exploitation are key learning blocks of this program.