PCI DSS v4.0 Requirement 11.4 is the headline penetration testing requirement covering internal, external and segmentation testing. CyberFortify's reports are explicitly mapped to 11.4.1 - 11.4.7 so QSA engagement is straightforward.
// 01 What PCI DSS v4.0 actually is
The Payment Card Industry Data Security Standard, mandated globally by the major card brands (Visa, Mastercard, American Express, Discover, JCB) for any organisation that stores, processes or transmits cardholder data.
Twelve top-level requirements covering network security, data protection, vulnerability management, access control, monitoring and policy. Requirement 11.4 is the penetration testing requirement - the headline change in v4.0.
PCI DSS v4.0 brought significant penetration testing changes from v3.2.1, including stricter segmentation testing requirements, explicit obligations on service providers, and tighter expectations on what constitutes "industry-accepted" methodology. CyberFortify's engagements are explicitly designed to satisfy the v4.0 expectations.
// 02 Requirement 11.4 sub-requirements
Methodology defined
"A penetration testing methodology is defined, documented and implemented." CyberFortify's grounded in PTES and aligned with NIST 800-115 - satisfies this directly.
Internal penetration testing
"Internal penetration testing is performed... at least once every 12 months and after any significant infrastructure or application upgrade or change." Our internal network pen testing satisfies this.
External penetration testing
"External penetration testing is performed... at least once every 12 months and after any significant infrastructure or application upgrade or change." Our external network and web application pen testing satisfies this.
Exploitable vulnerabilities corrected
"Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected." CyberFortify's free remediation retest produces the explicit evidence this requirement asks for.
Segmentation testing
"If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls." Our internal pen testing includes segmentation validation.
Service-provider segmentation (6mo)
For service providers using segmentation: testing every 6 months and after changes. More frequent than the 11.4.5 baseline.
Multi-tenant penetration testing
Multi-tenant service providers must support customer-requested external penetration testing of the customer's environment.
// 03 What PCI considers an "industry-accepted methodology"
Requirement 11.4.1 demands an industry-accepted methodology. The supplemental guidance explicitly references NIST SP 800-115, OWASP and OSSTMM as examples. CyberFortify's engagements are grounded in PTES (which aligns with NIST 800-115), with OWASP Top 10 + ASVS overlay for application engagements and OSSTMM RAV reporting available on request.
The QSA does not just want a number-of-findings count. They want a documented, reproducible methodology, a coverage statement, and clean remediation evidence including retest. We design our 11.4 engagements specifically to deliver all three.
CyberFortify QSA-facing reporting// 04 Frequently asked questions
Do I need to pen test annually or after every change?
Both. Requirement 11.4.2 and 11.4.3 require annual testing; the same requirements also mandate testing "after any significant infrastructure or application upgrade or change." Most CyberFortify PCI customers run an annual primary engagement plus targeted ad-hoc engagements after major releases.
Is segmentation testing the same as network testing?
Related but distinct. Segmentation testing (11.4.5/6) specifically validates that segmentation controls separating the CDE from other networks are functioning. CyberFortify's network pen testing includes segmentation validation as a defined sub-component.
What about ASV scanning vs. pen testing?
PCI requires both. ASV (Approved Scanning Vendor) external vulnerability scanning is a separate quarterly requirement under 11.3. Pen testing under 11.4 is annual / change-driven. They are complementary, not interchangeable.