PCI-DSS penetration testing.
Annual internal and external penetration testing for organizations that store, process, or transmit cardholder data — scoped to Requirement 11.4 of PCI-DSS 4.0.1.
What PCI-DSS actually requires.
Under PCI-DSS 4.0.1 (mandatory since March 2025), penetration testing lives under Requirement 11.4 — moved from the old 11.3 numbering in earlier versions of the standard, so don't be surprised if older documentation still references 11.3.
The core requirement: an annual external penetration test and an annual internal penetration test, covering systems that interact with or could affect your cardholder data environment (CDE). Testing is also required after any significant infrastructure or application change — either before it goes into production, or promptly after, with a documented risk justification if it can't happen beforehand.
If you're a service provider rather than a merchant, there's an additional requirement: segmentation testing every six months, and again after any change to the segmentation controls that isolate your CDE from the rest of your network.
How this maps to what we do.
External & Internal Testing
Both halves of Requirement 11.4 — testing your internet-facing systems and your internal network, scoped to what actually touches the CDE.
Segmentation Testing
For service providers: verifying your segmentation controls actually isolate the CDE, on the twice-yearly cadence PCI-DSS requires.
Retest After Remediation
Findings get retested once fixed — so the report you hand your QSA reflects what's actually true, not what was true when we started.
Assessment window coming up?
Tell us your CDE scope and your QSA's timeline — we'll fit the testing to it.