PCI DSS 4.0 penetration testing for Requirement 11.4.

PCI DSS 4.0 Requirement 11.4 calls for internal and external penetration testing at least every 12 months and after significant change, plus segmentation testing for in-scope environments. Veribreak delivers all of it with a report your QSA can rely on.

What Requirement 11.4 expects

PCI DSS 4.0 Requirement 11.4 defines a penetration testing methodology and requires both application-layer and network-layer testing, performed from inside and outside the cardholder data environment.

For organizations that use segmentation to reduce scope, Requirement 11.4.5 requires testing to confirm that the segmentation controls are effective and isolate the cardholder data environment.

What you receive

  • External and internal penetration testing aligned to the PCI DSS 4.0 methodology.
  • Segmentation testing to confirm the cardholder data environment is isolated.
  • Clear scoping of the cardholder data environment and connected systems.
  • A CVSS-scored report with proof of concept and remediation, plus a free 90-day retest.

Built to satisfy your QSA

Our reports document methodology, scope, findings, and remediation in the form a Qualified Security Assessor expects for Requirement 11.4 evidence.

See our full penetration testing services for the underlying methodology.

Frequently asked questions

How often does PCI DSS require a penetration test?

PCI DSS 4.0 Requirement 11.4 requires internal and external penetration testing at least once every 12 months and after any significant change to the environment.

What is segmentation penetration testing?

If you use network segmentation to keep systems out of the cardholder data environment, Requirement 11.4.5 requires testing to confirm those segmentation controls actually isolate the environment as intended.

Does this cover both application and network layer testing?

Yes. Requirement 11.4 calls for both application-layer and network-layer testing, from external and internal positions, and our engagements cover all of it.

Book a 30-minute scoping call

Tell us what you need tested and the deadline you are working toward. You leave the call with a transparent estimate and a recommendation, not a generic quote. Standard, expedited, and audit-deadline emergency timelines are available.