Standard Pentest

PCI DSS Penetration Testing

PCI DSS Requirement 11.4 mandates internal and external penetration testing at least annually and after any significant change. StandardPentest delivers a PCI-aligned penetration test (internal, external, and segmentation) in 24 hours, with QSA-friendly reporting and a free retest. It is built specifically around the evidence your QSA will request.

What We Test

  • External penetration testing per Requirement 11.4.3 against all in-scope external interfaces
  • Internal penetration testing per Requirement 11.4.2 against the cardholder data environment (CDE)
  • Segmentation testing per Requirement 11.4.5 to validate isolation between the CDE and out-of-scope networks
  • Application-layer testing of any in-scope web applications and APIs that touch CHD or SAD
  • Authentication, authorization, and session management for systems handling cardholder data
  • Network and host-level vulnerabilities aligned to PCI DSS v4.0 testing procedures
  • Detection and response coverage for in-scope systems

Our Methodology

Every PCI engagement is scoped against your QSA-defined CDE boundary and PCI scope diagram. The workflow runs in four phases: scope validation against your network diagram and data-flow diagram, automated and manual vulnerability discovery aligned to PCI DSS v4.0 testing procedures, exploitation under tightly controlled rules of engagement, and reporting in a format QSAs accept. We coordinate with your QSA on request before final delivery.

What You Get

  • An executive summary aligned to Requirement 11.4 testing procedures
  • Internal, external, and segmentation findings reported separately with per-finding CVSS 3.1 scoring
  • Explicit segmentation results stating whether the CDE is isolated from out-of-scope networks
  • An attestation letter naming the systems tested, the dates, the methodology, and the outcome
  • A free retest of remediated findings within 90 days, with an updated attestation letter for your audit
  • Direct mapping of every finding to PCI DSS v4.0 requirements and testing procedures

Frequently Asked Questions

Will your test satisfy our QSA?

Yes. Our deliverables are built from the format QSAs ask for under PCI DSS v4.0, and we have shipped reports accepted by every major QSA. We will adjust the deliverable on request before final submission at no extra cost.

Do we need separate internal, external, and segmentation tests?

Requirement 11.4 calls for all three. We deliver them as one engagement with three clearly separated sections in the report, which is what QSAs prefer to see.

What about service providers?

If you are a PCI service provider, we test against the same Requirement 11.4 controls plus the additional service-provider testing obligations. Tell us your role at scoping and we'll align the engagement.

When should we test in the audit cycle?

Annually at minimum, plus after any significant change to the CDE. For Type II-style continuous compliance, we recommend testing 60-90 days before your QSA's onsite work so remediated findings can be retested before the audit closes.

Schedule a Pentest

Tell us your audit window and CDE scope and we'll work backwards from your QSA's deadline.