PCI DSS pentest

PCI DSS v4.0.1 requires a current pentest. Your QSA needs it before the assessment closes.

External, internal, and segmentation testing aligned to PCI DSS v4.0.1 Requirement 11.4 — scoped to your cardholder data environment with a report your QSA accepts on first read.

What is at stake

A gap in pentest evidence can stall your QSA assessment — or worse.

Your QSA flags a finding

Missing or stale evidence under Requirement 11.4 results in a QSA finding that must be remediated before your Report on Compliance closes.

Segmentation gaps go undetected

Without segmentation testing, your QSA cannot confirm the CDE boundary is real — expanding your full scope and your audit cost.

Assessment calendar slips

A pentest that misses CDE scope or lacks the external/internal split has to be re-run. That can push your assessment window by weeks.

How we help — what we cover

Every sub-requirement of 11.4, addressed in one engagement.

We scope testing to satisfy each part of Requirement 11.4 so your QSA has complete evidence — not a partial answer that requires follow-up work.

11.4.1 — Defined methodology

A documented penetration-testing methodology covering industry-accepted approaches, CDE perimeter and critical systems, and validation of segmentation controls.

11.4.2 — Internal pentest at least annually

Internal penetration testing at least annually and after any significant change. Exploitable vulnerabilities are corrected and the affected scope retested.

11.4.3 — External pentest at least annually

External penetration testing at least annually and after any significant change, covering the CDE perimeter from an internet-facing perspective.

11.4.5 — Segmentation testing

Validation that segmentation controls isolate the CDE from out-of-scope networks. Required annually for merchants; at least every six months for service providers under 11.4.6.

11.4.7 — Multi-tenant providers

Multi-tenant service providers must support customers in performing external penetration tests on the customer-facing surfaces of the service.

CDE scoping

Findings scoped to systems that store, process, or transmit cardholder data, plus connected and security-impacting systems. Out-of-scope claims validated through segmentation testing.

How an engagement works

Four phases in every PCI DSS engagement.

  1. CDE scoping

     We confirm the CDE boundary, connected systems, and segmentation claims with your QSA and technical team.

  2. External + internal testing

     External pentest of the CDE perimeter (11.4.3) and internal pentest of the CDE and connected systems (11.4.2), following the 11.4.1 methodology.

  3. Segmentation testing

     Validation that segmentation isolates the CDE per 11.4.5, repeated every six months for service providers per 11.4.6.

  4. Retest of exploitable findings

     Per 11.4.4, exploitable vulnerabilities are corrected and retested. The report reflects the post-fix state.

QSA assessment coming up?

A quick scoping call locks in CDE scope, testing split, and a date that fits your assessment calendar.

Control mapping in the report

How findings tie to PCI DSS requirements.

Every finding is tagged to the specific v4.0.1 requirements it touches, with explicit notes on segmentation and CDE scope where relevant.

Example finding | Mapped to
Injection vulnerability in a CDE-adjacent application | Req 6.2.4 — secure software engineering; Req 11.4 — penetration testing
Default credentials on a system in scope | Req 2.2 — secure configuration
Cardholder data found in application logs | Req 3.2 — minimize stored account data; Req 3.5 — protect stored PAN
Cleartext PAN transmission on an internal segment | Req 4.2 — strong cryptography during transmission
Inadequate segmentation between CDE and corporate network | Req 1.3 / 1.4 — network security controls; Req 11.4.5 — segmentation testing
Administrative console reachable without MFA | Req 8.4 — multi-factor authentication for CDE access

Each finding also carries severity, CVSS, reproduction steps, evidence, and a paste-ready remediation. Per Req 11.4.4, exploitable findings are retested after fixes and the report reissued.

FAQ

PCI DSS pentest — common questions

What changed in PCI DSS v4.0.1?

Version 4.0.1 (released June 2024) clarifies and amends v4.0. The future-dated v4 requirements had a transition deadline of 31 March 2025, so by 2026 your QSA expects full compliance with Requirement 11.4 and the segmentation testing rules in 11.4.5–11.4.6.

Do we need both internal and external pentests?

Yes. Requirement 11.4.2 covers internal and 11.4.3 covers external — both annually and after any significant change. They are different tests with different evidence requirements.

How often do service providers run segmentation testing?

Under 11.4.6, multi-tenant service providers validate segmentation at least every six months. Merchants validate annually under 11.4.5. The scoping call confirms which applies and sequences the cadence into your assessment calendar.

What is the customized approach and does it affect testing?

The customized approach lets entities meet a requirement through alternative controls subject to QSA validation. It does not change the underlying penetration-testing expectation, but scope may include validating that customized controls achieve the stated objective.

Want a credible answer when a customer, auditor, or your board asks how secure you are?

A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.