PCI DSS 4.0 Penetration Testing: What's New and How to Prepare

Key Takeaways

  • PCI DSS 4.0's penetration testing requirements (Requirement 11.4) became fully mandatory on March 31, 2025, introducing stricter documentation mandates, expanded scoping to include critical systems connected to the CDE, and new obligations for multi-tenant service providers to support customer testing.
  • Organizations must now develop, document, and implement their own penetration testing methodology covering network-layer and application-layer testing, while also addressing all identified vulnerabilities—not just critical and high-risk ones—through a risk-based remediation approach.
  • New client-side security requirements (6.4.3 and 11.6.1) demand comprehensive monitoring and management of payment page scripts, representing a significant expansion of penetration testing scope to address modern threats like Magecart and e-skimming attacks.

The Payment Card Industry Data Security Standard has undergone its most significant update in over a decade. PCI DSS 4.0, released in March 2022 and now fully enforced as of March 31, 2025, fundamentally transforms how organizations must approach penetration testing. For businesses that store, process, or transmit cardholder data, these changes aren't merely procedural adjustments—they represent a paradigm shift toward more rigorous, documented, and comprehensive security validation.

The stakes couldn't be higher. With credit card fraud losses projected to exceed $12.5 billion in the United States alone by the end of 2025 and the average data breach costing $4.88 million in 2024 (reaching $9.36 million for U.S. organizations), the financial consequences of inadequate security testing are devastating. Payment data was involved in 9% of all breaches in 2024, with retail and e-commerce sectors reporting that 32% of their breaches were tied specifically to payment data compromises.

Against this backdrop, PCI DSS 4.0 introduces penetration testing requirements designed to address evolving threats, particularly the rise of client-side attacks that traditional security measures often miss. Organizations that process payment cards must understand not only what has changed but also how to implement these requirements effectively to protect their customers' data and their own business continuity.

This comprehensive guide breaks down everything you need to know about PCI DSS 4.0 penetration testing requirements, from the specific technical mandates to practical implementation strategies that will help your organization achieve and maintain compliance.

Understanding PCI DSS 4.0: The Compliance Timeline and Context

The Evolution to Version 4.0

PCI DSS 4.0 represents the first major revision of the standard since version 3.2.1, introducing 64 new requirements spread across three implementation phases. The Payment Card Industry Security Standards Council (PCI SSC) designed these updates to address the rapidly evolving threat landscape, particularly the sophistication of attacks targeting payment processing systems.

The compliance timeline proceeded in stages. PCI DSS 4.0 officially took effect on March 31, 2024, when organizations were required to begin transitioning from version 3.2.1. However, the most consequential changes—including the enhanced penetration testing requirements—were designated as "future-dated" best practices until March 31, 2025. As of that date, these 51 previously optional requirements became mandatory for all assessments.

For organizations whose Report on Compliance (ROC) was issued before the March 2025 deadline, many of these requirements were simply marked as "Not Applicable" by assessors. Now, however, every organization seeking PCI DSS compliance must demonstrate full adherence to the enhanced penetration testing framework.

Why Penetration Testing Requirements Were Enhanced

The expansion of penetration testing requirements in PCI DSS 4.0 reflects several critical developments in the threat landscape. Traditional server-side security measures, while still essential, have proven insufficient against modern attack vectors. Cybercriminals increasingly exploit client-side vulnerabilities, particularly through attacks on JavaScript and other scripts executing in consumers' browsers during payment transactions.

Magecart attacks exemplify this threat evolution. These sophisticated schemes inject malicious code into payment pages, capturing cardholder data directly from users' browsers without triggering server-side defenses. According to DataDome's 2024 Global Bot Security Report, 65% of websites remain vulnerable to even basic security attacks—highlighting the urgent need for more comprehensive testing approaches that version 4.0 now mandates.

The updated standard acknowledges that penetration tests must go beyond checking boxes. They must simulate realistic attack scenarios that reflect how actual adversaries operate, including those who may have already achieved initial access through phishing, compromised credentials, or other means.

The New Penetration Testing Framework: Requirement 11.4 Explained

Requirement 11.4.1: Methodology Documentation

Perhaps the most significant procedural change in PCI DSS 4.0 is the explicit requirement for organizations to define, document, and implement their own penetration testing methodology. This represents a shift from the previous version, which was less specific about methodology ownership and documentation.

Under Requirement 11.4.1, your penetration testing methodology must include several specific elements. First, it must incorporate industry-accepted penetration testing approaches. The PCI SSC recognizes several frameworks, including NIST SP 800-115 (the National Institute of Standards and Technology's Technical Guide to Information Security Testing and Assessment), the OWASP Testing Guide, the Penetration Testing Execution Standard (PTES), and the Open Source Security Testing Methodology Manual (OSSTMM).

Your methodology must also specify coverage for the entire cardholder data environment (CDE) perimeter and all critical systems. This comprehensive scoping requirement means penetration testers cannot simply focus on the most obvious targets—they must systematically evaluate every system that could impact the security of cardholder data.

Application-layer penetration testing is explicitly required and must address, at minimum, the vulnerabilities identified in Requirement 6.2.4. These include injection attacks such as SQL, LDAP, and XPath injection, as well as cross-site scripting (XSS), attacks on cryptographic implementations, business logic vulnerabilities, and access control mechanism flaws.

Network-layer penetration testing must encompass all components that support network functions, including operating systems, firewalls, switches, routers, and any other infrastructure elements that could provide attackers with pathways to cardholder data.

Additionally, your methodology must incorporate a review of threats and vulnerabilities experienced in the previous 12 months. This dynamic element ensures your testing approach evolves with the threat landscape rather than remaining static against emerging attack vectors.

Organizations that outsource penetration testing—as many do—should understand that the methodology requirement doesn't transfer to the testing vendor. While your penetration testing provider can contribute expertise and suggest appropriate frameworks, the organization itself remains responsible for maintaining documented methodology that aligns with its specific environment and risk profile. Working with experienced cybersecurity advisory services can help you develop and document a methodology that meets these requirements.

Requirement 11.4.2 and 11.4.3: Internal and External Testing

PCI DSS 4.0 continues to require both internal and external penetration testing, but with enhanced clarity around execution and qualification requirements.

Internal penetration testing (Requirement 11.4.2) must be performed according to your defined methodology, at least once every 12 months, and after any significant infrastructure or application changes. The test must be conducted by a qualified internal resource or qualified external third party, with organizational independence of the tester being required—though testers are not required to be Qualified Security Assessors (QSAs) or Approved Scanning Vendors (ASVs).

The qualification of internal testers is an area where PCI DSS 4.0 provides guidance without mandating specific certifications. Assessors will evaluate tester qualifications by examining certifications, experience, methodology employed, and tools used. This means organizations conducting internal testing must be prepared to demonstrate their testers' competence through documented credentials and experience.

External penetration testing (Requirement 11.4.3) mirrors the internal testing requirements but focuses on your organization's internet-facing perimeter. Testing from outside your network—what the standard terms "testing the exposed external perimeter of trusted networks"—targets systems accessible from public network infrastructure.

The distinction between external and internal testing is critical. External testing simulates attacks from adversaries who have no prior access to your network, while internal testing assumes some level of initial access has been achieved. Both perspectives are necessary because real-world breaches frequently involve attackers who gain initial access through one vector (such as phishing) and then pivot internally to reach payment systems.

For organizations seeking to maximize the value of their penetration testing investment, network penetration testing services that combine both external and internal perspectives provide the most comprehensive security validation.

Requirement 11.4.4: Remediation and Retesting

The remediation requirements in PCI DSS 4.0 represent one of the most important practical changes for organizations. Under Requirement 11.4.4, all exploitable vulnerabilities and security weaknesses identified during penetration testing must be corrected—and crucially, penetration testing must be repeated to verify those corrections.

This verification requirement eliminates a common gap in previous compliance cycles where organizations would receive penetration test reports, address findings, but never validate that their remediation efforts actually resolved the vulnerabilities. The follow-up testing specifically targets the vulnerabilities found in the original assessment rather than requiring a complete retest of the entire environment.

A significant enhancement in version 4.0 is the risk-based approach to remediation prioritization. While previous versions required remediation of high-risk and critical vulnerabilities identified through internal scans, version 4.0 expands this to require addressing lower-risk vulnerabilities as well, based on targeted risk analysis. This means organizations must evaluate and document their risk assessment for all findings, not just the most severe ones.

The practical implication is that your penetration test report should no longer return with only critical and high findings addressed while medium and low findings languish indefinitely. Organizations must either remediate these issues or document an analysis showing how they are being resolved according to a risk-based timeline.

Requirement 11.4.5: Segmentation Testing

Network segmentation is a common strategy for reducing PCI DSS compliance scope. By isolating the cardholder data environment from other network segments, organizations can limit the number of systems subject to PCI DSS requirements. However, this approach only works if the segmentation controls actually function as intended.

Requirement 11.4.5 mandates penetration testing of segmentation controls at least once every 12 months and after any changes to segmentation controls or methods. This testing must cover all segmentation controls in use and confirm that out-of-scope systems are effectively isolated from systems within the CDE.

PCI DSS 4.0 adds important clarification to segmentation testing requirements. Testing must now confirm isolation not only of out-of-scope systems but also of "systems with differing security levels"—an aspect not explicitly addressed in version 3.2.1. This expansion recognizes that effective segmentation involves more than simply separating PCI and non-PCI systems; it requires proper isolation between systems of varying sensitivity levels throughout the environment.

If your organization relies on segmentation to reduce compliance scope, inadequate segmentation testing can have severe consequences. A failed segmentation test effectively means your entire network may be in scope for PCI DSS—dramatically increasing compliance complexity and cost.

Requirement 11.4.6 and 11.4.7: Service Provider Requirements

PCI DSS 4.0 introduces significant new requirements specifically targeting service providers, particularly those operating multi-tenant environments.

Requirement 11.4.6, applicable only to service providers, requires biannual validation of logical separation controls through penetration testing. Multi-tenant service providers must conduct additional biannual penetration tests to ensure adequate customer separation within their environments. This heightened frequency reflects the increased risk inherent in multi-tenant architectures where a failure in logical separation could expose multiple customers' data simultaneously.

Requirement 11.4.7 addresses a longstanding challenge for organizations whose cardholder data environments reside in third-party cloud infrastructure. Historically, some cloud service providers resisted allowing customers or their penetration testers to probe systems hosted in shared environments. PCI DSS 4.0 definitively resolves this ambiguity.

As of March 31, 2025, multi-tenant service providers must either allow their customers direct access to perform external penetration testing or conduct the testing themselves and provide passing results to customers. Some sensitive details may be redacted to protect the service provider's infrastructure or other tenants, but the fundamental right to validate security through penetration testing is now unequivocal.

This requirement removes any doubt that cloud customers have the right to get someone to penetration test their own assets in someone else's cloud. Organizations relying on cloud infrastructure for payment processing should review their service agreements and ensure their cloud providers are prepared to support this requirement.

Client-Side Security: Requirements 6.4.3 and 11.6.1

The Rise of Client-Side Attacks

Among the most significant additions in PCI DSS 4.0 are requirements specifically targeting client-side security—an area that previous versions of the standard largely overlooked. Requirements 6.4.3 and 11.6.1 respond directly to the explosion of client-side attacks that have compromised millions of payment cards in recent years.

Client-side attacks, exemplified by Magecart-style skimming, exploit vulnerabilities in JavaScript and other scripts executing in consumers' browsers during payment transactions. Unlike traditional server-side attacks, these threats can intercept cardholder data before it even reaches your servers, bypassing virtually all traditional security controls. The attack surface expands with each third-party script loaded on payment pages—and modern websites often load dozens of such scripts.

The PCI SSC explicitly acknowledges in version 4.0 that "scripts loaded and executed on the payment page can undergo changes without an entity's knowledge." This recognition drives the new requirements for comprehensive script management and change detection.

Requirement 6.4.3: Payment Page Script Management

Requirement 6.4.3 mandates that all payment page scripts loaded and executed in consumers' browsers must be managed through a documented process. Specifically, organizations must implement a method to confirm that each script is authorized before it can execute on payment pages. This authorization process must include verification that each script is necessary and that its inclusion has been explicitly approved by an authorized individual.

Organizations must maintain an inventory of all scripts executing on payment pages, including detailed information such as each script's name, version, and purpose. This inventory enables organizations to understand precisely what code runs during payment transactions and to identify unauthorized additions quickly.

For each script in the inventory, a written justification must document why the script is necessary. This requirement forces organizations to critically evaluate each script rather than allowing marketing tags, analytics tools, and other third-party code to accumulate unchallenged on payment pages.

Finally, a method must be implemented to assure the integrity of each script. Integrity controls verify that scripts have not been modified or tampered with since their authorization—a critical defense against injection attacks that modify legitimate scripts to capture cardholder data.

The practical challenge for many organizations lies in gaining visibility into what scripts actually execute on their payment pages. Modern web applications often load scripts dynamically, and third-party scripts may themselves load additional fourth-party scripts without the organization's knowledge. Organizations benefit from working with application penetration testing services that specifically evaluate client-side security controls.

Requirement 11.6.1: Change and Tamper Detection

Requirement 11.6.1 complements the script management requirements by mandating detection and alerting mechanisms for unauthorized changes to payment pages. Organizations must deploy a change- and tamper-detection mechanism that evaluates HTTP headers received and payment page contents as transmitted to consumers' browsers.

The detection mechanism must alert personnel when unauthorized modifications are identified. Alerts should trigger at least weekly, or more frequently if your risk analysis warrants increased monitoring. Many organizations are implementing continuous monitoring solutions that detect changes in real-time rather than relying on weekly manual checks.

The standard specifically calls out security-impacting HTTP headers as elements requiring monitoring. Headers such as Content-Security-Policy, which can restrict what scripts are allowed to execute, are particularly critical. Unauthorized modifications to such headers could enable attackers to inject malicious code without triggering other security controls.

Organizations with embedded payment pages from third-party payment processors face specific considerations. Version 4.0.1 clarified that merchants are responsible for scripts loaded into their own web pages (the parent page) but not for scripts loaded within iframes containing payment pages from payment processors. The payment processor bears responsibility for scripts within their iframe. However, merchants should still implement controls to validate and restrict what sources can be loaded in the iframe, using mechanisms like Content-Security-Policy headers with the frame-src directive.

Documentation and Evidence Requirements

What Your Assessor Will Expect

PCI DSS 4.0 places significantly greater emphasis on documentation than previous versions. For penetration testing specifically, organizations must be prepared to provide assessors with comprehensive evidence of their compliance.

Your documented penetration testing methodology must be available for review, demonstrating alignment with industry-accepted frameworks and coverage of all required testing areas. This isn't a document that can be hastily created before an assessment—it must reflect your actual testing practices and be consistently applied across engagements.

Penetration test reports must be retained and available for review. The standard requires maintaining these reports for at least 12 months, though legal or contractual obligations may require longer retention. Reports should include complete information about test scope, methodology applied, all identified vulnerabilities with detailed descriptions, risk and impact assessments, remediation recommendations, and retest results confirming remediation effectiveness.

Some assessors may request that reports include the exact date and time vulnerabilities were identified and exploited, as well as corresponding information for when issues were marked as resolved after retesting. Building this level of detail into your testing and reporting processes from the start saves significant effort when assessment time arrives.

Remediation evidence must demonstrate that all identified vulnerabilities have been addressed according to your risk-based prioritization. This includes documentation of the risk assessment performed for each finding and the timeline applied for remediation.

Targeted Risk Analysis

Version 4.0 introduces the concept of targeted risk analysis (TRA) as a mechanism for organizations to customize certain control frequencies and approaches based on their specific risk environment. For penetration testing, TRA plays a role in determining remediation timelines for lower-risk vulnerabilities and may influence testing frequency decisions.

A properly documented TRA for penetration testing should identify the specific risks being assessed, the factors considered in the analysis (asset criticality, threat likelihood, potential impact), the conclusions reached, and the approved approach based on those conclusions. Organizations using TRA to justify extended remediation timelines or specific testing approaches must be prepared to defend those decisions to assessors.

Where version 4.0 allows TRA-based frequencies—such as for the cadence of change detection checks under 11.6.1—organizations must finalize and document these analyses and ensure their monitoring activities align with the determined intervals.

Preparing Your Organization for Compliance

Assessing Your Current State

Before implementing enhanced controls, organizations should evaluate their current penetration testing practices against PCI DSS 4.0 requirements. Key questions to address include whether you have a documented penetration testing methodology that meets the standard's specific requirements, whether your testing scope covers the entire CDE perimeter, critical systems, and client-side components of payment pages, and whether your remediation process addresses all findings (not just critical and high) with documented risk assessments.

Organizations should also evaluate whether segmentation controls are tested according to the new frequency requirements and whether segmentation testing confirms isolation of systems with differing security levels. For those relying on cloud infrastructure, confirming that your service provider supports external penetration testing per Requirement 11.4.7 is essential.

If your organization hasn't yet implemented client-side security controls for payment pages, assessing what scripts currently execute during payment transactions is a critical first step. You cannot manage risks you cannot see, making comprehensive script inventory the foundation for meeting Requirements 6.4.3 and 11.6.1.

Building a Compliant Penetration Testing Program

Developing a penetration testing program that meets PCI DSS 4.0 requirements involves several key components.

First, establish or update your methodology documentation. If you're starting from scratch, begin with an industry-accepted framework such as NIST SP 800-115 or the OWASP Testing Guide and customize it to your specific environment. Document how the methodology addresses each element required by 11.4.1, including scoping procedures, testing techniques, and reporting standards.

Second, ensure your testing scope is comprehensive. Work with your internal teams or external testing providers to map all systems that should be included in penetration testing. This mapping should identify not only obvious CDE components but also supporting systems that could impact cardholder data security—authentication systems, network infrastructure, logging and monitoring platforms, and any client-side elements of payment pages.

Third, establish remediation and retesting procedures. Define how penetration test findings will be triaged, assigned to responsible parties, tracked through remediation, and verified through retesting. Build risk assessment into this process so that prioritization decisions are documented and defensible.

Fourth, implement client-side security controls. For payment pages, this may involve deploying specialized solutions that can inventory scripts, monitor for changes, enforce authorization policies, and verify script integrity. Whether building in-house capabilities or adopting third-party solutions, ensure the approach addresses both Requirements 6.4.3 and 11.6.1 comprehensively.

Finally, consider the timing and frequency of testing activities. While annual testing is the minimum, organizations with dynamic environments may benefit from more frequent assessments. Testing should also occur after significant changes to infrastructure or applications—define what constitutes a "significant change" in your environment and ensure testing is triggered appropriately.

Selecting a Qualified Testing Partner

For organizations that outsource penetration testing, selecting the right partner is critical for achieving PCI DSS compliance and obtaining maximum security value from testing engagements.

The PCI SSC recommends evaluating potential providers based on specific penetration testing certifications that validate tester skill and competence. Valuable certifications include CREST, OSCP (Offensive Security Certified Professional), OSCE (Offensive Security Certified Expert), CISSP (Certified Information Systems Security Professional), CEH (Certified Ethical Hacker), and GSNA (GIAC Systems and Network Auditor).

Beyond certifications, evaluate providers on their experience conducting penetration testing specifically for PCI DSS compliance. Ask about the number of years of PCI-specific experience, the types and sizes of environments they've tested, and their familiarity with the enhanced 4.0 requirements.

The best penetration testing relationships function as partnerships rather than transactions. Seek providers who understand your business context, can adapt to your operational constraints, will grow with your security maturity, and provide value beyond the test itself through education and guidance. Engaging vCISO services can help oversee your overall security testing strategy and ensure penetration testing integrates effectively with your broader security program.

Common Compliance Pitfalls to Avoid

As organizations implement PCI DSS 4.0 penetration testing requirements, several common mistakes can undermine compliance efforts.

Treating penetration testing as a checkbox exercise rather than a security initiative leads to superficial testing that misses real vulnerabilities while technically meeting minimum requirements. Organizations that approach testing with genuine security improvement goals consistently achieve better outcomes.

Failing to document methodology before testing begins creates compliance gaps even when testing itself is thorough. Assessors expect to see documented methodology that predates the test, not documentation created after the fact to justify what was done.

Neglecting client-side security is perhaps the most common gap in organizations transitioning to 4.0 compliance. Requirements 6.4.3 and 11.6.1 represent entirely new obligations that many organizations have yet to address comprehensively.

Incomplete remediation undermines the value of penetration testing. Receiving a report, fixing some findings, and filing the report without verification leaves organizations exposed and non-compliant with 11.4.4's retesting requirement.

Insufficient evidence retention creates problems at assessment time. Maintain complete records of methodology, reports, remediation actions, and retesting results for at least 12 months—and consider longer retention based on your assessment cycle and legal requirements.

The Future of PCI DSS Penetration Testing

Continuous Testing Models

The industry is moving toward continuous penetration testing models that provide ongoing validation rather than point-in-time assessments. While PCI DSS 4.0 requires annual testing at minimum, leading organizations are adopting approaches that include automated testing tools running continuously against external assets, monthly or quarterly manual testing of high-risk components, comprehensive assessments annually or semi-annually, and immediate testing after significant changes.

This continuous approach aligns with the reality that environments change constantly and new vulnerabilities emerge daily. Annual testing alone can leave organizations exposed for months between assessments.

AI and Automation in Testing

Artificial intelligence is increasingly being incorporated into penetration testing tools and methodologies. AI-enhanced vulnerability discovery can identify complex patterns that human testers might miss, while automated attack simulation platforms provide ongoing validation between manual assessments.

However, the creative thinking and business context that human testers provide remains irreplaceable. PCI DSS 4.0's emphasis on manual expertise in Requirement 11.4.1 reflects this reality—automated tools complement but cannot substitute for skilled penetration testers who can chain vulnerabilities together and identify business logic flaws that automated tools cannot comprehend.

Regulatory Convergence

PCI DSS penetration testing requirements increasingly align with those from other regulatory frameworks. HIPAA is moving toward mandatory annual penetration testing for healthcare organizations. The EU's Digital Operational Resilience Act (DORA), updated SWIFT security requirements, and enhanced SEC cybersecurity rules all incorporate penetration testing expectations.

Organizations subject to multiple regulatory frameworks can often leverage PCI DSS penetration testing to satisfy overlapping requirements, but must ensure testing scope and methodology address each framework's specific mandates. Working with compliance-focused cybersecurity advisors helps navigate these intersecting requirements efficiently.

Schedule a Consultation

PCI DSS 4.0's enhanced penetration testing requirements represent both a compliance obligation and an opportunity to strengthen your organization's security posture against increasingly sophisticated threats. The expanded scope, documentation mandates, and client-side security requirements demand careful planning and execution.

Don't wait until your next assessment to discover gaps in your penetration testing program. Contact Essendis today to discuss your PCI DSS 4.0 compliance needs. Our team of certified professionals can help you develop compliant methodology, conduct thorough testing, and build a sustainable program that protects your customers' cardholder data while meeting the standard's requirements.

FAQ: PCI DSS 4.0 Penetration Testing

Q1: What are the key changes to penetration testing in PCI DSS 4.0?

A: PCI DSS 4.0 introduces several significant changes to penetration testing requirements. The most notable is the explicit mandate for organizations to define, document, and implement their own penetration testing methodology (Requirement 11.4.1). This methodology must cover industry-accepted approaches, comprehensive scoping of the CDE and critical systems, application-layer and network-layer testing, and review of threats and vulnerabilities from the past 12 months.

The standard also expands remediation requirements to address all identified vulnerabilities through a risk-based approach—not just critical and high-severity findings. New client-side security requirements (6.4.3 and 11.6.1) mandate script management and change detection for payment pages. Additionally, Requirement 11.4.7 now requires multi-tenant service providers to support their customers' external penetration testing, resolving previous ambiguity about testing rights in cloud environments.

Q2: How often must penetration testing be performed under PCI DSS 4.0?

A: Under PCI DSS 4.0, penetration testing is required at least annually and after any significant changes to the cardholder data environment or related critical systems. For organizations using network segmentation to reduce compliance scope, segmentation controls must also be tested annually and after any changes to segmentation methods.

Service providers face additional frequency requirements. Multi-tenant service providers must conduct biannual (twice yearly) penetration testing to validate logical separation controls between tenants. Organizations should also consider testing more frequently than the minimum based on their risk profile—many security-mature organizations conduct quarterly testing or implement continuous testing programs.

Q3: What is the difference between internal and external penetration testing under PCI DSS?

A: External penetration testing simulates attacks from outside your network, targeting systems and services accessible from the internet such as your perimeter defenses, public-facing web applications, and external network services. This testing answers the question: "What could an attacker with no prior access accomplish from the outside?"

Internal penetration testing simulates attacks from within your network, assuming an attacker has already breached the perimeter or represents an insider threat. This testing evaluates how well your internal controls limit damage and prevent attackers from reaching cardholder data once they've gained initial access. Both perspectives are required by PCI DSS because real-world breaches often involve attackers gaining initial access through one vector (like phishing) and then moving laterally to reach payment systems.

Q4: What qualifications do penetration testers need for PCI DSS compliance?

A: PCI DSS 4.0 does not mandate specific certifications for penetration testers. The standard requires that testing be performed by a qualified internal resource or qualified external third party with organizational independence from the systems being tested. Assessors will evaluate tester qualifications by examining certifications, experience, methodology used, and tools employed.

The PCI SSC recommends seeking testers with recognized certifications such as CREST, OSCP, OSCE, CISSP, CEH, or GSNA. Equally important is experience conducting penetration tests specifically for PCI DSS compliance, familiarity with payment system architectures, and the ability to identify business logic vulnerabilities in addition to technical flaws. The key is demonstrating competence—not merely holding credentials without practical expertise.

Q5: What are Requirements 6.4.3 and 11.6.1, and why do they matter for penetration testing?

A: Requirements 6.4.3 and 11.6.1 address client-side security for payment pages—an area not explicitly covered in previous PCI DSS versions. Requirement 6.4.3 mandates that all scripts executing on payment pages must be authorized, inventoried with written justification, and subject to integrity verification. Requirement 11.6.1 requires mechanisms to detect and alert on unauthorized changes to payment page content and security-impacting HTTP headers.

These requirements matter for penetration testing because they expand the testing scope to include client-side attack vectors. Penetration testers must now evaluate whether organizations have effective controls to prevent and detect Magecart-style attacks and other client-side threats. Testing should verify that script inventory processes work, authorization controls are effective, integrity mechanisms detect tampering, and change detection alerts function properly. Organizations that haven't implemented these controls face significant compliance gaps.

Q6: How should vulnerabilities found during penetration testing be handled?

A: Under Requirement 11.4.4, all exploitable vulnerabilities and security weaknesses found during penetration testing must be corrected according to your organization's risk assessment, and penetration testing must be repeated to verify the corrections. This is a significant change from previous versions, which focused primarily on critical and high-risk findings.

Organizations must document a risk-based approach to prioritization, addressing critical vulnerabilities immediately while establishing appropriate timelines for lower-risk findings based on targeted risk analysis. The verification requirement means you cannot simply close findings administratively—actual retesting must confirm that remediation was effective. Retesting can focus specifically on the identified vulnerabilities rather than requiring complete retest of the entire environment.

Q7: Do penetration testing requirements apply if we use a payment processor's hosted payment page?

A: If you use a fully hosted payment page where customers are redirected entirely to a third-party payment processor's website (not an iframe), Requirements 6.4.3 and 11.6.1 may not apply to your environment—but they become the payment processor's responsibility. However, you remain responsible for other applicable requirements, including managing your relationship with the payment processor and monitoring their PCI DSS compliance per Requirement 12.8.

If you embed a payment processor's page via iframe on your website, Requirements 6.4.3 and 11.6.1 apply to your parent page, though the payment processor is responsible for scripts within their iframe. Best practice is to still implement Content-Security-Policy headers with frame-src directives to restrict what sources can be loaded in the iframe. Standard penetration testing requirements (11.4.1 through 11.4.5) continue to apply to your overall cardholder data environment regardless of payment processing method.

Q8: What documentation must be maintained for PCI DSS penetration testing compliance?

A: Organizations must maintain several types of documentation for penetration testing compliance. First, a documented penetration testing methodology that addresses all elements of Requirement 11.4.1, including industry-accepted approaches, scoping procedures, and risk assessment methods. Second, complete penetration test reports containing scope, methodology, findings, risk assessments, and remediation recommendations—retained for at least 12 months.

Additionally, maintain remediation documentation showing how each finding was addressed, including risk assessments justifying prioritization decisions. Retesting documentation must confirm remediation effectiveness for identified vulnerabilities. If using targeted risk analysis to customize approaches, document the analysis methodology, factors considered, and conclusions reached. For client-side security, maintain script inventories with written justifications and records of change detection alert configurations and responses.

Q9: Can penetration testing disrupt our payment processing operations?

A: When conducted by qualified professionals following proper rules of engagement, penetration testing is designed to minimize operational disruption. Experienced testing firms coordinate closely with your IT team, schedule testing during low-traffic periods when possible, and avoid techniques that could cause system crashes without explicit permission.

Black box testing activities—scanning, probing, testing authentication mechanisms—typically don't interfere with normal operations since they mirror the reconnaissance activities that actual attackers conduct daily. Internal and gray box testing involves more interaction with systems and may generate additional log entries or test data, but professional testers use non-destructive methods and avoid actions that could impact production systems without coordination. For mission-critical payment systems, testing against staging environments that mirror production configurations can eliminate risk entirely while still providing meaningful security validation.

Q10: How do we know if our penetration testing program meets PCI DSS 4.0 requirements?

A: Evaluate your program against the specific requirements in section 11.4. Verify that you have a documented methodology covering industry-accepted approaches, comprehensive scoping, application and network layer testing, and threat/vulnerability review. Confirm that testing occurs at minimum annually for both internal and external assessments, with additional testing after significant changes.

Review your remediation process to ensure all findings—not just critical and high—are addressed with documented risk assessments, and that retesting verifies remediation. If using segmentation, verify that segmentation controls are tested annually with coverage of all isolation mechanisms. For payment pages, confirm that Requirements 6.4.3 and 11.6.1 controls are implemented and that testing validates their effectiveness.

If you're uncertain whether your program meets requirements, engage a qualified assessor or compliance advisor for a gap assessment before your formal PCI DSS evaluation. Identifying gaps early provides time to implement necessary improvements rather than discovering deficiencies during assessment.

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.