PCI DSS v4.0 tightened security testing requirements effective March 2024. Quarterly ASV scans, annual penetration testing, and continuous vulnerability management are now mandatory. KENSAI delivers all three in one platform.
Start PCI Assessment → See PCI Dashboard DemoPCI DSS v4.0, which became the sole active standard in March 2024, includes significant updates to security testing requirements under Requirements 11.3 and 11.4. Here's exactly what's required:
Perform internal vulnerability scans at least once every three months and after any significant change. Vulnerabilities rated High or Critical must be resolved and rescanned.
Perform external vulnerability scanning using an Approved Scanning Vendor (ASV) at least every three months. All external-facing IPs in the CDE must achieve a "clean" scan with no CVSS 4.0+ findings.
A penetration testing methodology must be defined and followed. Testing must be performed at least annually and after any significant infrastructure or application upgrade.
External penetration testing of the CDE perimeter must be performed. Testing must include network-layer and application-layer testing.
Internal penetration testing of the CDE must be performed. Findings must be remediated with retesting confirming resolution.
If network segmentation is used to isolate the CDE, penetration testing must verify that segmentation controls are effective. Testing at least every six months and after segmentation changes.
PCI DSS v4.0 "future-dated" requirements became mandatory on March 31, 2025. This includes enhanced penetration testing scoping, segmentation testing every 6 months (up from annually), and new requirements for web application security testing. Many organizations are still catching up.
| System Category | In Scope? | Testing Requirement |
|---|---|---|
| Systems storing, processing, or transmitting CHD | Always in scope | Internal + external vuln scan + pentest |
| Systems on the same network segment as CDE | In scope unless segmented | Internal vuln scan + pentest |
| Systems providing security services to CDE | In scope | Internal vuln scan + pentest |
| External-facing CDE components | In scope | ASV scan + external pentest |
| Segmentation controls | Must be tested | Segmentation penetration testing q2y |
KENSAI's external scanning meets PCI DSS ASV scanning methodology requirements. Export scan results in PCI-required formats.
Automated quarterly scan scheduling with email notifications and compliance tracking — never miss a required scan window.
Automatically discovers and tracks all in-scope CDE systems, ensuring nothing is missed in your quarterly scans.
Tests that CDE network segments cannot be reached from out-of-scope systems — meeting the new 6-month segmentation testing requirement.
Track High/Critical vulnerability remediation with evidence capture and rescan confirmation — required for QSA evidence packages.
Generate QSA-ready reports with vulnerability findings mapped to PCI DSS requirements and remediation status tracking.
PCI DSS v4.0 uses CVSS v3.1 scoring to define severity thresholds. The standard's remediation requirements:
| CVSS Score | Severity | Internal Scan | External ASV Scan |
|---|---|---|---|
| 9.0 – 10.0 | Critical | Must remediate before passing scan | Blocks "clean" scan — must remediate |
| 7.0 – 8.9 | High | Must remediate before passing scan | Blocks "clean" scan — must remediate |
| 4.0 – 6.9 | Medium | Risk-based remediation acceptable | May pass with exception documentation |
| 0.1 – 3.9 | Low | Document and track | Does not block clean scan |
KENSAI delivers continuous vulnerability scanning, ASV-compatible reporting, and segmentation testing in one platform. Reduce QSA assessment time and maintain year-round PCI compliance.
Start PCI DSS Assessment → Talk to a PCI Expert