Home / Industry-Aligned Testing / PCI DSS
PCI DSS Penetration Testing
PCI DSS Penetration Testing
Internal, external and segmentation penetration testing that meets PCI DSS v4.0 Requirement 11.4, validating the controls that protect your cardholder data environment and providing the evidence your QSA needs.
Overview
Testing that meets Requirement 11.4
PCI DSS v4.0 Requirement 11.4 mandates internal and external penetration testing at least annually and after significant change, following a documented, industry-accepted methodology, with exploitable findings corrected and retested.
Where segmentation is used to reduce scope, Requirement 11.4.5 requires testing to confirm those controls effectively isolate the cardholder data environment (CDE). We cover both the network and application layers and deliver a report ready for your QSA or self-assessment.
What you'll receive
- ✓Methodology: a documented test plan following an industry-accepted methodology (11.4.1)
- ✓Network testing: internal and external penetration test results (11.4.2 / 11.4.3)
- ✓Application testing: CDE-connected applications assessed against Requirement 6 threats
- ✓Segmentation testing: validation that controls isolate the CDE (11.4.5)
- ✓Reporting: an executive summary and QSA-ready technical report with risk ratings
- ✓Correction & retest: exploitable findings re-tested to confirm remediation (11.4.4)
Why It Matters
How testing supports PCI DSS
Requirement 11.4 is explicit about penetration testing. Our assessments are built to satisfy each sub-requirement and stand up to QSA scrutiny.
Meets Requirement 11.4
Internal, external and application-layer testing following a documented, industry-accepted methodology.
Segmentation validation
Confirms the controls isolating your CDE are effective, as required by 11.4.5 / 11.4.6.
Full-stack coverage
Both network-layer and application-layer testing, mapped to the threats identified under Requirement 6.
QSA-ready evidence
Reporting and retest results structured so your QSA or SAQ can use them without rework.
What We Test
Testing aligned to PCI DSS Requirement 11.4
External network penetration testing
The perimeter of the cardholder data environment (11.4.3).
Internal network penetration testing
Testing from within trusted networks (11.4.2).
Segmentation testing
Validating isolation of the CDE (11.4.5, 11.4.6).
Application-layer testing
CDE-connected applications against Requirement 6 threats (11.4.2).
Authentication & access control
MFA and least-privilege enforcement (Requirements 7 & 8).
Secure configuration review
Hardening and removal of default credentials (Requirement 2).
Cardholder data exposure review
Storage and transmission of account data (Requirements 3 & 4).
Encryption in transit
TLS across all CDE communication channels (Requirement 4).
Vulnerability management validation
Patching and risk-ranking effectiveness (Requirements 6.3, 11.3).
Logging & monitoring
Audit trails across the cardholder data environment (Requirement 10).
Correction & retest
Exploitable and high-risk findings corrected and re-tested (11.4.4).
QSA-ready evidence
Reporting to a documented, industry-accepted methodology (11.4.1).
Applicable Pentest Phases
The pentest phases behind a PCI DSS engagement
A Requirement 11.4 engagement is built from the assessments below, scoped to your cardholder data environment. Each phase links to the full service.
Infrastructure Testing
Internal and external network testing of the CDE, including segmentation validation (11.4.2 / 11.4.3 / 11.4.5).
Web Application Testing
Application-layer testing of payment pages and CDE-connected apps against Requirement 6 threats.
API Penetration Testing
Testing of payment and integration APIs that touch cardholder data.
Cloud Security Review
Configuration review where your CDE runs in AWS, Azure or Google Cloud.
Secure Code Review
Review of bespoke payment software, supporting Requirement 6.2 secure development.
Server & End-User Device Review
Hardening review of CDE systems, supporting Requirement 2 secure configurations.
FAQ
Frequently asked questions
What does PCI DSS Requirement 11.4 require?
It requires internal and external penetration testing at least once every 12 months and after any significant infrastructure or application change, using a documented, industry-accepted methodology, with exploitable and high-risk findings corrected and retested.
What is segmentation penetration testing?
If you use network segmentation to reduce PCI scope, Requirement 11.4.5 requires testing to confirm those segmentation controls actually isolate the cardholder data environment. Merchants test at least annually; service providers must test segmentation at least every six months.
How often is PCI DSS penetration testing required?
At least every 12 months and after significant change. Service providers additionally test segmentation controls at least every six months.
Do you cover both the network and application layers?
Yes. Requirements 11.4.2 and 11.4.3 require internal and external testing at the network layer, and the application layer must be tested against the threats identified under Requirement 6. Our assessments cover both.
Will you retest to confirm remediation?
Yes. Requirement 11.4.4 requires that exploitable and high-risk vulnerabilities are corrected and that testing is repeated to verify the fixes. A retest is included in our engagement as standard.
Need a PCI DSS penetration test?
Talk to our consultants about scoping internal, external and segmentation testing for Requirement 11.4, or get an instant quote.