Performing wireless network sniffing in areas where cardholder data is transmitted requires special consideration. According to PCI DSS Requirement 4.1, strong encryption must be used during the transmission of cardholder data over open, public networks to safeguard transmission security. A penetration tester must ensure that they have permission and the proper segmentation checks in place so that they do not inadvertently capture or decrypt cardholder data, which would violate PCI DSS. Social engineering employees to reveal sensitive information isn't directly restricted by PCI DSS during a pen test; it's an accepted testing technique if agreed upon in the scope. Inserting a hardware keylogger into point-of-sale systems is not against PCI DSS as long as it's permitted and controlled as part of the pen test, and there isn't a requirement for notifying the card schemes in advance of a penetration test.