PCI DSS v4.0

PCI DSS Penetration Testing & Vulnerability Management

PCI DSS v4.0 tightened security testing requirements effective March 2024. Quarterly ASV scans, annual penetration testing, and continuous vulnerability management are now mandatory. KENSAI delivers all three in one platform.

Start PCI Assessment → See PCI Dashboard Demo

PCI DSS v4.0 Security Testing Requirements

PCI DSS v4.0, which became the sole active standard in March 2024, includes significant updates to security testing requirements under Requirements 11.3 and 11.4. Here's exactly what's required:

Requirement 11.3.1 — Internal Vulnerability Scans (Quarterly)

Perform internal vulnerability scans at least once every three months and after any significant change. Vulnerabilities rated High or Critical must be resolved and rescanned.

Requirement 11.3.2 — External Vulnerability Scans (Quarterly, ASV)

Perform external vulnerability scanning using an Approved Scanning Vendor (ASV) at least every three months. All external-facing IPs in the CDE must achieve a "clean" scan with no CVSS 4.0+ findings.

Requirement 11.4.1 — Penetration Testing (Annual)

A penetration testing methodology must be defined and followed. Testing must be performed at least annually and after any significant infrastructure or application upgrade.

Requirement 11.4.3 — External Penetration Testing

External penetration testing of the CDE perimeter must be performed. Testing must include network-layer and application-layer testing.

Requirement 11.4.4 — Internal Penetration Testing

Internal penetration testing of the CDE must be performed. Findings must be remediated with retesting confirming resolution.

Requirement 11.4.6 — Segmentation Testing (NEW in v4.0)

If network segmentation is used to isolate the CDE, penetration testing must verify that segmentation controls are effective. Testing at least every six months and after segmentation changes.

🚨 v4.0 New Requirements Active Now

PCI DSS v4.0 "future-dated" requirements became mandatory on March 31, 2025. This includes enhanced penetration testing scoping, segmentation testing every 6 months (up from annually), and new requirements for web application security testing. Many organizations are still catching up.

CDE Scoping: What Must Be Tested

System CategoryIn Scope?Testing Requirement
Systems storing, processing, or transmitting CHDAlways in scopeInternal + external vuln scan + pentest
Systems on the same network segment as CDEIn scope unless segmentedInternal vuln scan + pentest
Systems providing security services to CDEIn scopeInternal vuln scan + pentest
External-facing CDE componentsIn scopeASV scan + external pentest
Segmentation controlsMust be testedSegmentation penetration testing q2y

How KENSAI Supports PCI DSS Compliance

✓ ASV-Compatible External Scanning

KENSAI's external scanning meets PCI DSS ASV scanning methodology requirements. Export scan results in PCI-required formats.

✓ Quarterly Scan Scheduling

Automated quarterly scan scheduling with email notifications and compliance tracking — never miss a required scan window.

✓ CDE Asset Inventory

Automatically discovers and tracks all in-scope CDE systems, ensuring nothing is missed in your quarterly scans.

✓ Segmentation Validation

Tests that CDE network segments cannot be reached from out-of-scope systems — meeting the new 6-month segmentation testing requirement.

✓ Remediation Workflow

Track High/Critical vulnerability remediation with evidence capture and rescan confirmation — required for QSA evidence packages.

✓ PCI-Formatted Reports

Generate QSA-ready reports with vulnerability findings mapped to PCI DSS requirements and remediation status tracking.

Vulnerability Severity Thresholds for PCI DSS

PCI DSS v4.0 uses CVSS v3.1 scoring to define severity thresholds. The standard's remediation requirements:

CVSS ScoreSeverityInternal ScanExternal ASV Scan
9.0 – 10.0CriticalMust remediate before passing scanBlocks "clean" scan — must remediate
7.0 – 8.9HighMust remediate before passing scanBlocks "clean" scan — must remediate
4.0 – 6.9MediumRisk-based remediation acceptableMay pass with exception documentation
0.1 – 3.9LowDocument and trackDoes not block clean scan

Common PCI DSS Findings KENSAI Detects

Achieve PCI DSS v4.0 Compliance Faster

KENSAI delivers continuous vulnerability scanning, ASV-compatible reporting, and segmentation testing in one platform. Reduce QSA assessment time and maintain year-round PCI compliance.

Start PCI DSS Assessment → Talk to a PCI Expert

Related Articles

AWS & Azure Critical Cloud... إرشادات أمان 6G بالتصميم، مخاطر التهديدات الداخلية CVE-2025-7024: Privilege Escalation in AIRBUS PSS TETRA C Security