PCI DSS Penetration Testing

PCI DSS Penetration Testing

Internal, external and segmentation penetration testing that meets PCI DSS v4.0 Requirement 11.4, validating the controls that protect your cardholder data environment and providing the evidence your QSA needs.

Overview

Testing that meets Requirement 11.4

PCI DSS v4.0 Requirement 11.4 mandates internal and external penetration testing at least annually and after significant change, following a documented, industry-accepted methodology, with exploitable findings corrected and retested.

Where segmentation is used to reduce scope, Requirement 11.4.5 requires testing to confirm those controls effectively isolate the cardholder data environment (CDE). We cover both the network and application layers and deliver a report ready for your QSA or self-assessment.

What you'll receive

  • Methodology: a documented test plan following an industry-accepted methodology (11.4.1)
  • Network testing: internal and external penetration test results (11.4.2 / 11.4.3)
  • Application testing: CDE-connected applications assessed against Requirement 6 threats
  • Segmentation testing: validation that controls isolate the CDE (11.4.5)
  • Reporting: an executive summary and QSA-ready technical report with risk ratings
  • Correction & retest: exploitable findings re-tested to confirm remediation (11.4.4)

Why It Matters

How testing supports PCI DSS

Requirement 11.4 is explicit about penetration testing. Our assessments are built to satisfy each sub-requirement and stand up to QSA scrutiny.

Meets Requirement 11.4

Internal, external and application-layer testing following a documented, industry-accepted methodology.

Segmentation validation

Confirms the controls isolating your CDE are effective, as required by 11.4.5 / 11.4.6.

Full-stack coverage

Both network-layer and application-layer testing, mapped to the threats identified under Requirement 6.

QSA-ready evidence

Reporting and retest results structured so your QSA or SAQ can use them without rework.

What We Test

Testing aligned to PCI DSS Requirement 11.4

01

External network penetration testing

The perimeter of the cardholder data environment (11.4.3).

02

Internal network penetration testing

Testing from within trusted networks (11.4.2).

03

Segmentation testing

Validating isolation of the CDE (11.4.5, 11.4.6).

04

Application-layer testing

CDE-connected applications against Requirement 6 threats (11.4.2).

05

Authentication & access control

MFA and least-privilege enforcement (Requirements 7 & 8).

06

Secure configuration review

Hardening and removal of default credentials (Requirement 2).

07

Cardholder data exposure review

Storage and transmission of account data (Requirements 3 & 4).

08

Encryption in transit

TLS across all CDE communication channels (Requirement 4).

09

Vulnerability management validation

Patching and risk-ranking effectiveness (Requirements 6.3, 11.3).

10

Logging & monitoring

Audit trails across the cardholder data environment (Requirement 10).

11

Correction & retest

Exploitable and high-risk findings corrected and re-tested (11.4.4).

12

QSA-ready evidence

Reporting to a documented, industry-accepted methodology (11.4.1).

Applicable Pentest Phases

The pentest phases behind a PCI DSS engagement

A Requirement 11.4 engagement is built from the assessments below, scoped to your cardholder data environment. Each phase links to the full service.

Infrastructure Testing

Internal and external network testing of the CDE, including segmentation validation (11.4.2 / 11.4.3 / 11.4.5).

Web Application Testing

Application-layer testing of payment pages and CDE-connected apps against Requirement 6 threats.

API Penetration Testing

Testing of payment and integration APIs that touch cardholder data.

Cloud Security Review

Configuration review where your CDE runs in AWS, Azure or Google Cloud.

Secure Code Review

Review of bespoke payment software, supporting Requirement 6.2 secure development.

Server & End-User Device Review

Hardening review of CDE systems, supporting Requirement 2 secure configurations.

FAQ

Frequently asked questions

What does PCI DSS Requirement 11.4 require?

It requires internal and external penetration testing at least once every 12 months and after any significant infrastructure or application change, using a documented, industry-accepted methodology, with exploitable and high-risk findings corrected and retested.

What is segmentation penetration testing?

If you use network segmentation to reduce PCI scope, Requirement 11.4.5 requires testing to confirm those segmentation controls actually isolate the cardholder data environment. Merchants test at least annually; service providers must test segmentation at least every six months.

How often is PCI DSS penetration testing required?

At least every 12 months and after significant change. Service providers additionally test segmentation controls at least every six months.

Do you cover both the network and application layers?

Yes. Requirements 11.4.2 and 11.4.3 require internal and external testing at the network layer, and the application layer must be tested against the threats identified under Requirement 6. Our assessments cover both.

Will you retest to confirm remediation?

Yes. Requirement 11.4.4 requires that exploitable and high-risk vulnerabilities are corrected and that testing is repeated to verify the fixes. A retest is included in our engagement as standard.

Need a PCI DSS penetration test?

Talk to our consultants about scoping internal, external and segmentation testing for Requirement 11.4, or get an instant quote.