Framework B.08 · PCI DSS v4.0

PCI DSS v4.0 - Requirement 11.4 and audit-ready penetration testing evidence.

PCI DSS v4.0 is the global payment-card security standard. Requirement 11.4 mandates regular penetration testing of cardholder data environments. CyberFortify's network and web application pen testing services produce audit-ready evidence for every sub-requirement under 11.4.1 through 11.4.7 plus segmentation testing under Requirement 1.

Maintainer: PCI Security Standards Council Version: 4.0 (with v4.0.1 errata) Effective: March 2024 (full enforcement March 2025)
12
Top-level requirements
11.4
Pen testing requirement
Annual
Min frequency
CDE
Cardholder data env
Requirement 11.4: 11.4.1 Methodology · 11.4.2 Internal pen testing · 11.4.3 External pen testing · 11.4.4 Remediate exploitable · 11.4.5 Segmentation testing · 11.4.6 Service-provider extra controls · 11.4.7 Multi-tenant providers Requirement 11.4: 11.4.1 Methodology · 11.4.2 Internal pen testing · 11.4.3 External pen testing · 11.4.4 Remediate exploitable · 11.4.5 Segmentation testing · 11.4.6 Service-provider extra controls · 11.4.7 Multi-tenant providers
// Executive summary

PCI DSS v4.0 Requirement 11.4 is the headline penetration testing requirement covering internal, external and segmentation testing. CyberFortify's reports are explicitly mapped to 11.4.1 - 11.4.7 so QSA engagement is straightforward.

// 01 What PCI DSS v4.0 actually is

// DefinitionPCI DSS v4.0

The Payment Card Industry Data Security Standard, mandated globally by the major card brands (Visa, Mastercard, American Express, Discover, JCB) for any organisation that stores, processes or transmits cardholder data.

Twelve top-level requirements covering network security, data protection, vulnerability management, access control, monitoring and policy. Requirement 11.4 is the penetration testing requirement - the headline change in v4.0.

PCI DSS v4.0 brought significant penetration testing changes from v3.2.1, including stricter segmentation testing requirements, explicit obligations on service providers, and tighter expectations on what constitutes "industry-accepted" methodology. CyberFortify's engagements are explicitly designed to satisfy the v4.0 expectations.

// 02 Requirement 11.4 sub-requirements

11.4.1Foundational

Methodology defined

"A penetration testing methodology is defined, documented and implemented." CyberFortify's grounded in PTES and aligned with NIST 800-115 - satisfies this directly.

11.4.2Annual

Internal penetration testing

"Internal penetration testing is performed... at least once every 12 months and after any significant infrastructure or application upgrade or change." Our internal network pen testing satisfies this.

11.4.3Annual

External penetration testing

"External penetration testing is performed... at least once every 12 months and after any significant infrastructure or application upgrade or change." Our external network and web application pen testing satisfies this.

11.4.4Remediation

Exploitable vulnerabilities corrected

"Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected." CyberFortify's free remediation retest produces the explicit evidence this requirement asks for.

11.4.5Segmentation

Segmentation testing

"If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls." Our internal pen testing includes segmentation validation.

11.4.6Service providers

Service-provider segmentation (6mo)

For service providers using segmentation: testing every 6 months and after changes. More frequent than the 11.4.5 baseline.

11.4.7Multi-tenant

Multi-tenant penetration testing

Multi-tenant service providers must support customer-requested external penetration testing of the customer's environment.

// 03 What PCI considers an "industry-accepted methodology"

Requirement 11.4.1 demands an industry-accepted methodology. The supplemental guidance explicitly references NIST SP 800-115, OWASP and OSSTMM as examples. CyberFortify's engagements are grounded in PTES (which aligns with NIST 800-115), with OWASP Top 10 + ASVS overlay for application engagements and OSSTMM RAV reporting available on request.

The QSA does not just want a number-of-findings count. They want a documented, reproducible methodology, a coverage statement, and clean remediation evidence including retest. We design our 11.4 engagements specifically to deliver all three.

CyberFortify QSA-facing reporting

// 04 Frequently asked questions

Do I need to pen test annually or after every change?

Both. Requirement 11.4.2 and 11.4.3 require annual testing; the same requirements also mandate testing "after any significant infrastructure or application upgrade or change." Most CyberFortify PCI customers run an annual primary engagement plus targeted ad-hoc engagements after major releases.

Is segmentation testing the same as network testing?

Related but distinct. Segmentation testing (11.4.5/6) specifically validates that segmentation controls separating the CDE from other networks are functioning. CyberFortify's network pen testing includes segmentation validation as a defined sub-component.

What about ASV scanning vs. pen testing?

PCI requires both. ASV (Approved Scanning Vendor) external vulnerability scanning is a separate quarterly requirement under 11.3. Pen testing under 11.4 is annual / change-driven. They are complementary, not interchangeable.

Ready for a PCI DSS v4.0-aligned engagement?

Schedule a 30-minute scoping call. CyberFortify will scope the CDE, recommend the right offensive testing services and quote a fixed-price engagement - usually within 48 hours.

Schedule scoping call → Back to CyberFortify home →