Compliance

PCI-DSS v4 pen testing.

PCI-DSS v4.0 is the current standard for any organization that touches cardholder data. Requirement 11.4 is where penetration testing lives. Here’s what your QSA actually expects.


What requirement 11.4 says.

Requirement 11.4 of PCI-DSS v4.0 mandates a penetration testing methodology that is documented, follows industry-accepted approaches (NIST SP 800-115, OWASP, PTES), covers the entire CDE (Cardholder Data Environment) perimeter and critical systems, validates segmentation controls, and is performed by qualified personnel. It must run at least annually and after any significant change to the CDE.

The 11.4 sub-requirements.

  • 11.4.1 — A documented penetration testing methodology aligned to industry standards
  • 11.4.2 — External penetration tests, at least annually and after significant change
  • 11.4.3 — Internal penetration tests, same frequency, including application-layer testing
  • 11.4.4 — Vulnerabilities found are corrected and retested
  • 11.4.5 — Segmentation testing for service providers and merchants that segment the CDE
  • 11.4.6 — Additional segmentation testing every six months for service providers

What counts as a qualified tester.

The PCI SSC doesn’t prescribe specific certifications, but QSAs in 2026 widely expect at least one of: OSCP, GPEN, CREST CRT, CHECK, or equivalent. The tester must be organizationally independent from the systems under test — this is what makes third-party engagements the default for most organizations. Bringing testing in-house is allowed but requires explicit independence documentation.

Segmentation testing — the frequently missed bit.

Segmentation testing under 11.4.5/11.4.6 is the requirement that catches organizations out. It is not a network scan from inside the CDE. It is a deliberate test of every documented segmentation control, from every non-CDE network, attempting to reach the CDE. If you have 12 documented segmentation boundaries, your tester must validate all 12, document the test attempts, and capture evidence ready for your QSA.
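The per-boundary validation and evidence capture described above, as an added example that is not the page's or the vendor's own tooling: each documented segmentation control is paired with the CDE service it must block, every pairing is probed, and the outcome is written to a timestamped record that a QSA can review. The control IDs, network labels, hostnames and ports are constructed placeholders, and the probe is injectable so the logic can be exercised offline with constructed results instead of live connections.

```python
"""Segmentation-control validation with an evidence trail (added example).

For each documented boundary (a non-CDE source network and the CDE service
it must NOT be able to reach), probe the target, record the result with a
UTC timestamp, and flag any control that let traffic through so it can be
remediated and retested. All identifiers below are constructed placeholders.
"""
import json
import socket
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, List


@dataclass
class Boundary:
    control_id: str      # ID of the documented segmentation control
    source_network: str  # non-CDE network the probe is launched from
    target_host: str     # CDE host the control is supposed to block
    target_port: int     # service port on that host


@dataclass
class EvidenceRecord:
    control_id: str
    source_network: str
    target: str
    reachable: bool
    verdict: str         # "PASS" = blocked as documented, "FAIL" = reachable
    tested_at: str       # ISO-8601 UTC timestamp for the evidence trail


def tcp_probe(b: Boundary, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to the boundary's target succeeds.

    This is the real probe, run from inside the boundary's source network.
    A refused, filtered or timed-out connection counts as 'not reachable'.
    """
    try:
        with socket.create_connection((b.target_host, b.target_port), timeout=timeout):
            return True
    except OSError:
        return False


def validate_boundaries(boundaries: List[Boundary],
                        probe: Callable[[Boundary], bool] = tcp_probe) -> List[EvidenceRecord]:
    """Probe every documented boundary and produce one evidence record each.

    The probe is injectable so the validation logic can be exercised offline;
    in a real engagement the default tcp_probe is used.
    """
    records = []
    for b in boundaries:
        reachable = probe(b)
        records.append(EvidenceRecord(
            control_id=b.control_id,
            source_network=b.source_network,
            target=f"{b.target_host}:{b.target_port}",
            reachable=reachable,
            verdict="FAIL" if reachable else "PASS",
            tested_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        ))
    return records


def failed_controls(records: List[EvidenceRecord]) -> List[str]:
    """Control IDs whose boundary let traffic through (remediate, then retest)."""
    return [r.control_id for r in records if r.verdict == "FAIL"]


def evidence_json(records: List[EvidenceRecord]) -> str:
    """Serialise the evidence trail for the segmentation testing appendix."""
    return json.dumps([asdict(r) for r in records], indent=2)


# Constructed inventory of documented boundaries (placeholder values).
SAMPLE_BOUNDARIES = [
    Boundary("SEG-01", "10.10.0.0/24 (corporate LAN)", "cde-db.example.internal", 1433),
    Boundary("SEG-02", "10.10.0.0/24 (corporate LAN)", "cde-app.example.internal", 443),
    Boundary("SEG-03", "10.20.0.0/24 (guest wifi)", "cde-app.example.internal", 443),
]

# Constructed probe outcomes standing in for a live run: SEG-02 lets traffic through.
SIMULATED_REACHABLE = {"SEG-02": True}


def simulated_probe(b: Boundary) -> bool:
    """Offline stand-in for tcp_probe that returns the constructed outcomes above."""
    return SIMULATED_REACHABLE.get(b.control_id, False)


if __name__ == "__main__":
    results = validate_boundaries(SAMPLE_BOUNDARIES, probe=simulated_probe)
    print(evidence_json(results))
    print("Controls needing remediation and retest:", failed_controls(results))
```

Every boundary gets its own record whether it passed or failed, which is the point: the QSA wants proof that each documented control was exercised, not just a list of the ones that broke. A FAIL record is also the input to the 11.4.4 retest, so keep the original record and append the retest record rather than overwriting it.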

Scope gotchas.

  • Cloud accounts hosting any cardholder data flow are in scope
  • Connected systems — jump hosts, AD servers reaching the CDE, monitoring tooling — are in scope
  • Wireless networks within the CDE require dedicated wireless testing
  • Web applications processing cardholder data are in scope at the application layer (not just network)
  • Application changes — even minor refactors of payment-handling code — trigger an interim re-test

What your QSA wants to see.

Beyond the pen test report itself, expect to provide:

  • The documented methodology under 11.4.1
  • Tester qualifications (CV, certifications, training)
  • Independence attestation
  • Scoping document showing all CDE components, connected systems, and segmentation boundaries
  • Retest evidence under 11.4.4
  • Segmentation testing report with per-control evidence

Choosing a vendor.

Cheap PCI pen tests are usually scanner output rebranded as a report. A QSA who has seen a thousand reports can spot one in 30 seconds. Look for:

  • Stated methodology that goes beyond Nessus + screenshots
  • Sample report with confirmed proof-of-concept exploitation
  • Specific qualified personnel named on the engagement
  • Segmentation testing explicitly included — not a separate up-sell
  • Free retest within the QSA cycle (usually 90 days)

Where we fit in.

Our network penetration testing and web application penetration testing packages are scoped to satisfy 11.4.2, 11.4.3, and 11.4.5 in a single engagement. Every report maps findings to the relevant PCI requirements and ships with a segmentation testing appendix ready for your QSA.

Ready when you are.

Talk to a pen tester.

Free 30-minute scoping call. Tailored proposal within 24 hours. NDA available on request.