Requirement 11.4 demystified: segmentation testing, internal vs external, application-layer testing, and what changed with PCI DSS 4.0.
Requirement 11.4, broken down
PCI DSS 4.0 requirement 11.4 mandates external and internal penetration testing at least annually and after any significant change. For service providers, segmentation testing is required every six months.
11.4.4 requires that exploitable vulnerabilities and security weaknesses found during testing be corrected, and that testing be repeated to verify the corrections.
Segmentation testing
If you use segmentation to reduce CDE scope, you must prove it. Testing must validate that controls preventing access from out-of-scope networks to the CDE are operational and effective.
Service providers test every 6 months. Merchants annually. Findings of inadequate segmentation expand your CDE scope — an expensive surprise mid-assessment.
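As an added example (not part of the original post), a small Python check over constructed segmentation-test probe results: it flags any out-of-scope host that reached a CDE host and any out-of-scope network the test never exercised, which is exactly the evidence an assessor will ask for. The network ranges and probe records are placeholders, not a real environment.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """One connectivity probe from the segmentation test (constructed record)."""
    source_ip: str    # host the probe was launched from
    dest_ip: str      # host targeted inside the CDE
    dest_port: int
    outcome: str      # "allowed" (connection established) or "blocked"


# Placeholder scope definition; a real test takes this from the network diagram.
CDE_NETS = [ipaddress.ip_network("10.10.0.0/24")]
OUT_OF_SCOPE_NETS = [ipaddress.ip_network(n)
                     for n in ("10.20.0.0/24", "10.30.0.0/24", "192.168.50.0/24")]


def containing_net(ip, nets):
    """Return the first network in nets that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


def evaluate(probes, cde_nets=CDE_NETS, out_of_scope=OUT_OF_SCOPE_NETS):
    """Return (failures, untested).

    failures: probes from an out-of-scope network that reached a CDE host;
              each one is a segmentation gap that pulls that network into scope.
    untested: out-of-scope networks with no probe against the CDE, so the test
              has not demonstrated the control is effective for them.
    """
    failures, covered = [], set()
    for p in probes:
        src_net = containing_net(p.source_ip, out_of_scope)
        # Ignore probes that are not out-of-scope -> CDE (e.g. intra-CDE traffic).
        if src_net is None or containing_net(p.dest_ip, cde_nets) is None:
            continue
        covered.add(src_net)
        if p.outcome == "allowed":
            failures.append(p)
    untested = [n for n in out_of_scope if n not in covered]
    return failures, untested


# Constructed sample results: one out-of-scope host still reaches a CDE host on
# port 22 (the shared jump host pattern), and one network was never probed.
SAMPLE_PROBES = [
    Probe("10.20.0.5", "10.10.0.15", 443, "blocked"),
    Probe("10.20.0.5", "10.10.0.15", 22, "allowed"),
    Probe("10.30.0.7", "10.10.0.15", 443, "blocked"),
    Probe("10.10.0.20", "10.10.0.15", 443, "allowed"),  # intra-CDE, ignored
]
```

Run `evaluate(SAMPLE_PROBES)` to get one failure (10.20.0.5 reaching port 22) and 192.168.50.0/24 listed as untested; both belong in the report under findings, not in an appendix.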
Application-layer testing
Public-facing web applications must be tested for the vulnerabilities listed in requirement 6.2.4 (injection, broken auth, XSS, deserialization, SSRF, etc.).
Authenticated testing with multiple user roles is expected. A scan-only approach will not satisfy a competent QSA.
Methodology expectations
Your testing methodology document must be in writing and based on industry-accepted approaches (NIST SP 800-115, OWASP, OSSTMM, PTES). Tester independence and qualifications matter — your QSA will ask.
Reports must include scope, methodology, findings with risk ratings, evidence of exploit, and remediation guidance.
Common PCI findings we still see in 2026
Forgotten admin panels exposed to the public internet, weak segmentation via shared jump hosts, outdated TLS in legacy payment flows, and JWT validation flaws in tokenisation services lead our PCI findings list.
Fix early. PCI re-tests are not optional, and a QSA waiting on your retest can delay your AoC by a quarter.