
PCI-DSS Penetration Testing - Requirement 11.3

PCI-DSS explicitly requires annual penetration testing. We deliver Requirement 11.3 compliant assessments covering your cardholder data environment, payment applications, network segmentation, and external perimeter.


Framework Overview

Understanding the compliance landscape.

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements for any organization that stores, processes, or transmits cardholder data. Maintained by the PCI Security Standards Council (founded by Visa, Mastercard, American Express, Discover, and JCB), PCI-DSS applies to merchants, payment processors, acquirers, and service providers. Version 4.0 (effective March 2024) introduced significant changes including expanded multi-factor authentication requirements, targeted risk analyses, and new e-commerce and phishing protections. Non-compliance can result in fines of $5,000 to $100,000 per month from card brands and potential loss of the ability to process payments.

Penetration Testing Requirements

What the framework requires and what auditors expect.

The Requirement

PCI-DSS Requirement 11.3 (v4.0: Requirement 11.4) explicitly mandates penetration testing at least annually and after any significant change to the cardholder data environment. The test must cover both internal and external networks, must use an industry-accepted methodology, and must specifically validate network segmentation controls.

What Auditors Look For

  • Annual penetration testing covering the entire cardholder data environment (CDE)
  • Both internal and external network penetration testing
  • Application-layer testing including all payment applications
  • Network segmentation validation confirming CDE isolation
  • Testing after any significant infrastructure or application changes
  • Remediation of exploitable vulnerabilities and retesting confirmation

Controls We Validate

  • 11.4.1 - External penetration testing methodology
  • 11.4.2 - Internal penetration testing methodology
  • 11.4.3 - Exploitable vulnerabilities identified and corrected
  • 11.4.4 - Segmentation testing if segmentation is used to reduce CDE scope
  • 11.4.5 - Penetration testing methodology defined and documented
  • 11.4.6 - Testing after significant changes to the CDE

How Our Testing Maps to the Framework

Direct alignment between our methodology and compliance requirements.

Our PCI-DSS penetration testing follows PTES (Penetration Testing Execution Standard) and OWASP methodologies as required by the standard. We segment our testing into external network testing, internal network testing, application-layer testing, and segmentation validation, each documented separately for QSA review. For segmentation testing, we verify that non-CDE systems cannot reach CDE systems through any path, including secondary network connections, shared services, and VLAN misconfigurations.

Pricing: PCI-DSS penetration testing engagements start at $10,000 and scale based on CDE size, number of payment applications, and network complexity.

Audit Partner Ecosystem

We work with PCI Qualified Security Assessors (QSAs) to ensure our testing scope and methodology align with your Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ) requirements. Our report format is designed for QSA review, with findings mapped directly to PCI-DSS requirements.

Frequently Asked Questions

Common questions about PCI-DSS Penetration Testing.

How often does PCI-DSS require penetration testing?
At least annually, and after any significant change to your cardholder data environment. "Significant change" includes new network segments, major application updates, infrastructure migrations, and new payment channels. Your QSA will determine what qualifies as a significant change in your environment.
Does PCI-DSS require both internal and external penetration testing?
Yes. Requirement 11.4.1 requires external testing and 11.4.2 requires internal testing. Both must cover network-layer and application-layer vulnerabilities. Internal testing simulates a threat actor who has gained access to the internal network; this is different from an internal vulnerability scan.
What is segmentation testing and do we need it?
Segmentation testing validates that your cardholder data environment (CDE) is properly isolated from the rest of your network. If you use network segmentation to reduce your PCI scope, Requirement 11.4.4 requires that segmentation controls be tested at least annually and after any changes to segmentation controls. This is separate from, and in addition to, your regular penetration test.
Will your report satisfy our QSA?
Yes. Our PCI-DSS pentest reports include all elements required by the standard: scope definition covering the CDE, methodology description, internal and external testing results, segmentation validation results, findings with severity ratings, and remediation evidence. We work with QSAs regularly and our format is designed for RoC submission.
What changed in PCI-DSS 4.0 for penetration testing?
PCI-DSS 4.0 renumbered the penetration testing requirement from 11.3 to 11.4 and added requirement 11.4.6 (testing after significant changes). It also introduced a customized approach option that allows organizations to define alternative controls, but the penetration testing requirement itself remains mandatory and cannot be substituted with a compensating control.

Ready for Your PCI-DSS Penetration Test?

Book a consultation to discuss your compliance timeline, testing scope, and how we can coordinate with your audit team.
