Valtik Studios
PCI DSS 4.0 · Requirement 11.4

PCI DSS 4.0 Penetration Testing

Annual internal and external penetration tests that satisfy your QSA, your acquirer, and PCI DSS 4.0 Requirement 11.4. Delivered by operators who exploit what they find, not just scan for it.

PCI DSS 4.0 made pentests mandatory. We do them properly.

PCI DSS 4.0 became the enforceable standard on March 31, 2025. Requirement 11.4 is explicit: annual internal penetration testing, annual external penetration testing, segmentation testing, and application-layer testing. If your QSA rejects a penetration test report, you lose compliance and your acquirer may suspend card processing within days.

Valtik runs PCI DSS 4.0 engagements for merchants, service providers, and payment processors across Connecticut, Texas, and nationwide. Every engagement maps findings directly to PCI DSS requirements so the QSA can accept the report without back-and-forth.

If you store, process, or transmit cardholder data and you have not had a qualifying penetration test in the last 12 months, you are currently out of compliance with PCI DSS 4.0 Requirement 11.4.

What is covered

External penetration test (Requirement 11.4.2)

Perimeter testing of all internet-facing systems in or connected to the cardholder data environment. We probe from an uncredentialed external attacker's perspective and validate every finding with a working proof-of-exploit before it enters the report.

  • External IP range enumeration and attack surface mapping
  • Web application testing against OWASP Top 10 and OWASP API Security Top 10
  • Authentication and session management testing (including MFA bypass attempts)
  • SSL/TLS configuration review and certificate validation
  • Email security (SPF, DKIM, DMARC) and phishing infrastructure assessment
  • Cloud misconfigurations (exposed S3 buckets, storage accounts, IAM policies)
  • Third-party service exposures (exposed admin panels, debug endpoints, forgotten subdomains)

Internal penetration test (Requirement 11.4.3)

Testing from inside the trusted network. We simulate an insider threat or a compromised workstation and attempt lateral movement toward the cardholder data environment.

  • Active Directory enumeration and privilege escalation
  • Kerberos attacks (Kerberoasting, AS-REP roasting, Golden Ticket simulation)
  • Network traffic analysis for credential exposure
  • SMB, RDP, and internal service testing
  • Legacy protocol abuse (LLMNR, NBT-NS, WPAD)
  • Privileged account enumeration and session hijacking
  • Lateral movement toward cardholder data systems

Segmentation testing (Requirements 11.4.5 and 11.4.6)

Annual for merchants, every six months for service providers. We validate that segmentation controls between the CDE and the rest of the environment cannot be bypassed.

  • Firewall rule enumeration from non-CDE segments
  • Protocol and port coverage testing
  • Service-level accessibility validation
  • Bypass attempts via legitimate network paths

Application-layer testing (Requirement 11.4.3)

Web applications handling cardholder data (payment pages, checkout flows, admin interfaces, customer-facing portals) receive deeper testing including business logic attacks, race conditions, insecure direct object references, and server-side request forgery.

Methodology

We test per NIST SP 800-115, OWASP Testing Guide v4.2, and PTES — all accepted under PCI DSS 4.0 Requirement 11.4.1 as industry-accepted approaches. The final report maps each finding to:

  • Specific PCI DSS 4.0 requirement impacted
  • CVSS 3.1 severity score
  • CWE classification
  • Proof of exploitation (screenshots, HTTP requests, decoded payloads)
  • Remediation recommendations with code-level examples where applicable
  • Retest criteria for post-remediation verification

Timeline

Merchant level              | Active testing | Reporting  | Total
Level 4 (small merchant)    | 5-7 days       | 3-5 days   | ~2 weeks
Level 3                     | 7-10 days      | 5-7 days   | 2-3 weeks
Level 2                     | 10-14 days     | 5-10 days  | 3-4 weeks
Level 1 / service provider  | 15-25 days     | 10-15 days | 5-8 weeks

What you get

  • Executive summary — board-ready, maps directly to QSA requirements
  • Detailed findings report — every vulnerability with PCI mapping, CVSS, CWE, proof, and remediation
  • Attestation letter — formal pentest attestation for your QSA package
  • Retest of remediated findings — included within 90 days at no additional cost
  • Q&A support for your QSA — we will answer questions from your auditor directly

Why Valtik

Our operators come from offensive security backgrounds — bug bounty programs, red team operations, and exploit development. Every finding in a Valtik report is exploited in a controlled environment before it is written up. No noise, no clickjacking-on-a-static-page theatrics, no automated-scanner screenshots passed off as manual testing.

We stay small on purpose. Your engagement is led by a senior consultant start to finish. There is no junior hand-off, no offshore report writing, and no project-management intermediary between you and the person finding your bugs.

Common questions

Does PCI DSS 4.0 actually require a pentest?

Yes. Requirement 11.4 mandates both internal and external penetration tests annually and after significant changes. Segmentation testing is required annually (or every six months for service providers).

Can you remediate the findings for us?

We can, but we typically advise clients to engage us for testing and their internal team or a separate firm for remediation. Industry best practice is to keep testing and remediation separate to avoid a conflict of interest. That said, we offer remediation advisory on an hourly basis if needed.

Is this the same as a vulnerability scan?

No. PCI DSS 4.0 explicitly separates Requirement 11.3 (vulnerability scans, automated, quarterly, ASV-certified for external) from Requirement 11.4 (penetration tests, manual, annual). You need both. Valtik performs the penetration tests; ASV scans are performed by a PCI-approved scanning vendor.

What happens if the test finds critical issues?

We notify you immediately (within 4 hours) for any finding that represents an active compromise, credential exposure, or ransomware risk. Other critical and high findings are reported continuously during the engagement so your team can begin remediation without waiting for the final report.

Ready to start?

Free website security check — no obligation, no sales pitch. Delivered as a plain-English findings report in 48 hours.
