PCI DSS Requirement 11.4
PCI DSS v4.0 Requirement 11.4 mandates that organizations perform penetration testing of their cardholder data environment (CDE) at least once every 12 months, and after any significant infrastructure or application change. The testing must cover both the internal and external network layers and include application-layer testing of the systems in scope.
This isn't a checkbox exercise — the standard requires a methodology based on industry-accepted approaches, performed by a qualified and organizationally independent tester.
Requirement 11.4.1
A penetration testing methodology is defined, documented, and implemented by the entity, and includes coverage of all CDE system components, testing from both inside and outside the network, and testing to validate any segmentation controls.
Requirement 11.4.2
Internal penetration testing is performed at least once every 12 months and after any significant infrastructure or application upgrade or change.
Requirement 11.4.3
External penetration testing is performed at least once every 12 months and after any significant infrastructure or application upgrade or change.
Requirement 11.4.4
Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected, and testing is repeated to verify the corrections.
What Our PCI Pen Test Covers
Our PCI DSS penetration tests are scoped to meet the standard's requirements and satisfy your QSA:
- External network penetration testing — Attack simulation against your public-facing CDE systems and network perimeter
- Internal network penetration testing — Simulation of a threat inside your network targeting cardholder data systems
- Application-layer testing — Security testing of web applications and APIs that process, store, or transmit cardholder data
- Segmentation validation — Testing to confirm that out-of-scope systems cannot reach the CDE, as required by 11.4.5
- Remediation verification — Retest of identified vulnerabilities after fixes are applied, satisfying Requirement 11.4.4
Audit-Ready Deliverables
Every PCI pen test engagement includes documentation your QSA needs to close out the requirement:
- Written methodology document describing the approach, tools, and scope
- Executive summary and technical findings report
- Evidence of both internal and external testing coverage
- Segmentation test results (if applicable)
- Remediation verification report after fixes are applied
- Tester qualification documentation demonstrating organizational independence
Why Red Forge Security
PCI DSS requires testing by a qualified tester who is organizationally independent from the systems being tested. Our team brings the credentials and documented methodology your QSA expects:
- OSCP, OSEP, OSWA, OSWP — industry-recognized offensive security certifications
- Experience testing payment environments across retail, hospitality, and financial services
- Transparent, fixed-rate pricing — no surprise costs at the end of the engagement
- Clear reporting written to satisfy QSA review, not just internal teams
Schedule Your PCI Pen Test
Most PCI penetration tests can be scoped and started within two weeks. Contact us to discuss your CDE scope and get a quote.
Contact Red Forge Security