Annual external and internal penetration testing of your Cardholder Data Environment, segmentation validation under 11.3.4, and a QSA-ready report with CVSS scores and named-tester attestation. PCI DSS v4.0 compliant by default.
Requirement 11.3 is specific. Three sub-requirements, each with distinct deliverables. Most QSAs will ask for evidence against all three at assessment time.
External penetration test of the CDE perimeter, annually. Must include network-layer and application-layer testing. Exploitable vulnerabilities retested after remediation. QSA reviews the report and the tester's qualifications.
Internal penetration test covering threats from inside the network. Includes lateral movement paths to the CDE, privilege escalation, and access control validation. Must be performed by a qualified, independent tester.
Every exploitable vulnerability identified must be retested after remediation to confirm closure. The retest report is what the QSA signs off on, not the original report. We include retest in every engagement.
If you use network segmentation to reduce your CDE scope, you must test that the segmentation holds. Annually, using penetration testing techniques. We test CDE-to-out-of-scope and out-of-scope-to-CDE in both directions.
PCI scope is the most consequential decision in the engagement. Too narrow and the QSA flags it. Too wide and the cost is unnecessary. We scope it with your QSA's framework in mind.
PCI DSS assessors need specific artifacts. We format every deliverable to pass QSA review without a follow-up request.
Separate sections for 11.3.1 (external) and 11.3.2 (internal). Each finding includes CVSS 4.0 vector, risk narrative, reproduction steps, and remediation. Methodology section cites PTES and OWASP WSTG.
Dedicated section or standalone report for 11.3.4. Documents what was tested, from what position, and the result of each segmentation test. Traffic captures and denial evidence included.
Each exploitable finding retested after remediation. Marked resolved, partially resolved, or accepted-risk with documented rationale. QSAs accept this as closure evidence without additional review cycles.
Named engineer, relevant certifications, confirmation of organizational independence from the CDE. PCI DSS v4.0 requires QSAs to verify tester qualifications. We provide this proactively.
The two requirements are separate. Passing one does not satisfy the other.
Quarterly automated external vulnerability scan by an Approved Scanning Vendor. Covers known CVEs against publicly reachable IPs. Passing scan = no high-severity open vulnerabilities against the CDE perimeter. Required separately from the pentest.
Annual manual test by a qualified, independent tester. Goes beyond CVE matching. It includes chaining, business logic, authentication testing, and attack paths ASV tools cannot see. A clean ASV scan does not satisfy 11.3. A clean pentest does not satisfy 11.2.
The QSA needs both. Most clients arrive at assessment with one but not the other. We often identify this gap during the scoping call and help coordinate timing with your ASV if needed.
Quarterly internal vulnerability scanning is a third separate requirement. Your internal scanner output is not the same as the internal penetration test under 11.3.2. If you run Tenable or Qualys internally, that covers 11.2.1. Our internal pentest covers 11.3.2.
What comes up on every PCI DSS scoping call. See compliance gap analysis if you need a full PCI readiness review alongside the test.
Annual external penetration test (11.3.1), annual internal penetration test (11.3.2), retesting of all exploitable vulnerabilities (11.3.3), and segmentation testing if you use network controls to reduce CDE scope (11.3.4). All four apply to most cardholder environments.
No. ASV scans satisfy Requirement 11.2 (quarterly external scanning). Penetration testing satisfies Requirement 11.3 (annual manual testing). They are separate requirements. A clean ASV scan does not replace the pentest.
PCI DSS v4.0 requires organizational independence from the tested environment. External testers satisfy this automatically. The QSA will ask for the tester's name, credentials, and confirmation that they had no involvement in managing the CDE. We provide all three in the engagement deliverables.
Within 12 months prior to the assessment. If your assessment is in Q4, run the pentest in Q1–Q2 to leave time for remediation and retest. QSAs will ask for the retest report, not just the original findings report.
Even a segmented, minimal CDE requires the annual pentest under 11.3.1 and 11.3.2. The segmentation test under 11.3.4 becomes more important, not less, because your scope reduction argument depends entirely on that segmentation holding.
Both. SAQ-D merchants with a full CDE need the complete Requirement 11.3 engagement. SAQ-A merchants using fully outsourced card data (iframe-based payment pages) often need a reduced scope test focusing on the payment integration and segmentation from the rest of the environment.
Scoping call covers your CDE boundary, segmentation controls, and QSA timeline. 30 minutes. Free. No NDA required for the first call.