PCI DSS Requirement 11.4 breakdown

Requirement 11.4 mandates penetration testing to validate that security controls protecting cardholder data actually work. It’s not optional—your QSA will ask for penetration test reports during assessment, and you can’t pass certification without them.

Requirement 11.4.1

External penetration testing is required at least annually and after significant changes to external infrastructure or applications. It must cover all internet-facing systems in CDE scope: payment gateways, e-commerce sites, and APIs handling card data.

Requirement 11.4.2

Internal penetration testing is required at least annually and after significant changes to the internal network or systems. It must cover internal network access to the CDE, including Active Directory, databases storing cardholder data, and payment processing servers.

Requirement 11.4.3

Exploitable vulnerabilities found during testing must be corrected, and testing must be repeated to verify fixes. This means you can’t just receive a report and call it done—you need to fix issues and provide retest evidence.

Requirement 11.4.4

Testing must use an industry-accepted penetration testing methodology (OWASP, NIST, PTES, or similar) and must cover the entire CDE perimeter and critical systems, not just automated vulnerability scanning.

Requirement 11.4.5

If network segmentation is used to reduce PCI scope, penetration testing must confirm that the segmentation controls are working. Testing must attempt to breach segmentation boundaries from both trusted and untrusted networks.

Requirement 11.4.6

Web applications handling cardholder data must undergo application-layer penetration testing that covers the OWASP Top 10 and other common vulnerabilities specific to payment processing (CVEs, injection, authentication bypass, etc.).

What we actually test

External testing

We attack your internet-facing infrastructure from outside your network the same way an external attacker would. This covers everything in your CDE that’s reachable from the internet.

  • Payment gateway and processor connections: API endpoints, tokenisation services, 3DS authentication, webhook handlers
  • E-commerce applications: Checkout flows, payment forms, session management, authentication, account takeover vectors
  • Web application vulnerabilities: SQL injection, XSS, CSRF, authentication bypass, authorization flaws, business logic issues
  • Network infrastructure: Firewalls, VPN endpoints, load balancers, exposed management interfaces
  • SSL/TLS configuration: Certificate validation, cipher suites, protocol versions, forward secrecy

Internal testing

We test from inside your network assuming an attacker has already gained initial access (phishing, compromised vendor, rogue employee). The goal is to see whether they can reach cardholder data.

  • Active Directory attacks: Kerberoasting, AS-REP roasting, privilege escalation, domain admin compromise
  • Lateral movement: Pass-the-hash, credential reuse, SMB relay, RDP pivoting to CDE systems
  • Database security: Direct access to databases storing PAN, authentication bypass, SQL injection from internal apps, insufficient access controls
  • Application servers: Payment processing systems, POS backend infrastructure, card data transmission paths
  • Sensitive data discovery: Unencrypted cardholder data in file shares, backups, log files, memory dumps

Segmentation testing (if applicable)

If you’re using network segmentation to reduce PCI scope, we validate that the segmentation actually works. This is critical—if segmentation fails, your entire network might be in scope.

  • Firewall bypass attempts: Testing ACLs, NAT configurations, routing misconfigurations that could allow unauthorised access to CDE
  • VLAN hopping: Double tagging, switch spoofing, attacking trunk ports
  • Physical segmentation validation: Verifying CDE is on separate switches/routers, not just logical VLANs
  • Connect-back testing: We use custom hardware devices placed in non-CDE networks that attempt to establish connections to CDE systems
  • Wireless network isolation: Testing if guest WiFi or corporate WiFi can reach CDE when it shouldn’t
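As an added illustration (not the firm's own tooling), a minimal evidence script for the 11.4.5 check: run from a host in an out-of-scope segment, every CDE target should be unreachable, and any completed connection is a segmentation finding to report. Target addresses are constructed placeholders, and the probe function is injectable so the pass/fail logic can be exercised without a network.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Constructed sample CDE target list (RFC 5737 documentation addresses, not a real environment).
CDE_TARGETS: List[Tuple[str, int]] = [
    ("192.0.2.10", 443),   # payment gateway API (constructed)
    ("192.0.2.20", 1433),  # cardholder database (constructed)
    ("192.0.2.30", 3389),  # payment server remote management (constructed)
]


@dataclass
class ProbeResult:
    host: str
    port: int
    reachable: bool


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: True only if a TCP handshake completes from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(targets: Iterable[Tuple[str, int]],
                       probe: Callable[[str, int], bool] = tcp_connect) -> List[ProbeResult]:
    """Probe every CDE target once from the current (out-of-scope) network position."""
    return [ProbeResult(host, port, probe(host, port)) for host, port in targets]


def segmentation_holds(results: Iterable[ProbeResult]) -> bool:
    """11.4.5 expectation from a non-CDE segment: nothing in the CDE is reachable."""
    return not any(r.reachable for r in results)


def evidence_lines(results: Iterable[ProbeResult], vantage: str) -> List[str]:
    """One line per target, suitable for the segmentation section of the report."""
    return [
        f"[{vantage}] {r.host}:{r.port} "
        + ("REACHABLE - segmentation failure" if r.reachable else "blocked")
        for r in results
    ]


if __name__ == "__main__":
    # Repeat from each trusted and untrusted segment named in the scope.
    res = check_segmentation(CDE_TARGETS)
    print("\n".join(evidence_lines(res, vantage="corporate-LAN")))
    print("PASS" if segmentation_holds(res) else "FAIL: segmentation boundary breached")
```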

What’s different about our approach

We’ve worked with multiple QSAs: We know what they look for in penetration test reports. Our documentation format matches what assessors expect, which means you won’t be asked to redo testing because the report format was wrong.

Manual testing, not just automated scans: Vulnerability scanners are required for PCI (Requirement 11.3), but they’re not sufficient for penetration testing. We perform manual exploitation, business-logic testing, and attack-chain development that scanners miss. For example, where a scanner finds SQLi, we exploit it to dump the customer database, including masked PANs and encryption keys.

Segmentation testing experience: We’ve built custom hardware connect-back devices for segmentation testing on multiple engagements. Most pentest firms don’t have this capability and just test firewall rules remotely, which doesn’t properly validate physical segmentation.

Understanding of payment systems: We’ve tested payment gateways, tokenisation services, POS systems, and e-commerce platforms across Stripe, Adyen, Worldpay, and custom payment processors. We know payment-specific attack vectors like race conditions in refund processing, amount manipulation, and token substitution attacks.

Cloud environment expertise: Many payment environments now run on AWS, Azure, or GCP. We test cloud-specific risks: S3 buckets with cardholder data, overly permissive IAM roles, Lambda functions processing payments, API Gateway misconfigurations, and container escape to access payment databases.

Pricing and timeline

Cost depends on CDE scope—how many applications, how many network segments, whether segmentation testing is needed, cloud vs on-premise infrastructure.

Scope                                                                 | Typical price      | Timeline
Small (single payment app, simple network)                            | €3,000 – €5,000    | 1-2 weeks
Medium (multiple apps, internal network, basic segmentation)          | €5,000 – €10,000   | 2-4 weeks
Large (complex e-commerce, multi-site, extensive segmentation)        | €10,000 – €25,000  | 3-6 weeks
Enterprise (multiple brands, cloud + on-prem, global infrastructure)  | €25,000+           | 6-8 weeks

All prices include initial testing, comprehensive report, one round of remediation retesting, and final attestation documentation. Additional retesting rounds (if you need to retest more than once) are billed separately at daily rates.

Timeline assumes you can provide CDE access and answer scoping questions promptly. Add 1-2 weeks if we need to wait for credentials, firewall rules, or approvals from third-party providers.

Frequently Asked Questions

Is penetration testing mandatory for PCI DSS?

Yes. PCI DSS Requirement 11.4 requires both external and internal penetration testing at least annually and after any significant infrastructure or application changes. It’s a mandatory requirement verified by your QSA.

How long does a PCI penetration test take?

Most engagements take 2-4 weeks including testing, reporting, and initial remediation support. Complex environments may require 4-6 weeks. We recommend starting 2-3 months before your compliance deadline to allow time for remediation and retesting.

Do you provide reports our QSA will accept?

Yes. We provide PCI DSS-compliant attestation reports that include detailed methodology, findings, remediation guidance, and retest verification. Our reports have been accepted by major QSA firms and meet all PCI SSC requirements.

Can you test cloud-hosted payment environments?

Absolutely. We specialise in cloud penetration testing for PCI DSS compliance, including cloud-native payment systems, containerised applications, serverless architectures, and multi-cloud environments.

What happens if you find vulnerabilities?

We provide detailed remediation guidance for all findings. Per PCI DSS 11.4.3, exploitable vulnerabilities must be fixed and retesting performed. Our service includes one round of retesting to verify fixes, and we provide updated attestation once issues are resolved.

How much does PCI penetration testing cost?

Pricing depends on your CDE scope and complexity. Most engagements range from €4,000-€25,000. Contact us for a customised quote based on your specific requirements—we provide transparent pricing with no hidden fees.

Will testing disrupt our production systems?

We use carefully controlled testing methods designed to avoid disruption. All activities are coordinated with your team, and we can schedule testing during maintenance windows or outside business hours if needed.

How do we get started?

Schedule a free consultation to discuss your CDE scope and compliance timeline. Fill out the questionnaire. We’ll provide a detailed proposal within 48 hours, and most clients can begin testing within 2-3 weeks.

Get started

Contact us with information about your CDE scope, timeline for QSA assessment (if scheduled), and whether you’re using network segmentation. We’ll provide a detailed quote within 48 hours and can usually start testing within 2-3 weeks.