When considering application penetration testing for PCI, any software written by your organisation or written specifically for it,
Krypsys
PCI Penetration Testing – How to Define The Scope
Cardholder Data Environment
The PCI DSS defines the cardholder data environment (CDE) as follows: