PCI DSS 4.0 External Network Penetration Testing Requirements for Canadian Merchants in 2026

PCI DSS 4.0 Requirement 11.4 mandates penetration testing for merchants and service providers whose cardholder data environment is in assessment scope; Requirement 11.4.3 is the external network test this article covers. The transition from PCI DSS 3.2.1 is complete and the testing requirement is in full force across 2026. Many Canadian mid-market merchants need this control for the first time. Sherlock Forensics walks through the framework, the technical scope, the methodology expectations and the documentation discipline that Qualified Security Assessor (QSA) reviews require.

TL;DR: PCI DSS 4.0 Requirement 11.4.3 mandates external network penetration testing at least once every 12 months and after any significant infrastructure or application change. The testing must produce a documented report with scope, methodology, findings, severity ratings, and remediation and retest evidence. QSA reviews expect evidence of actual human-driven external testing, not just vulnerability scanning. Every 4.0 requirement has been mandatory since 31 March 2025, so a 2026 assessment is measured against the full standard; Canadian merchants without prior pentest history need to build that posture this calendar year.

What PCI DSS 4.0 Requirement 11.4 Actually Requires

PCI DSS v4.0 was published by the PCI Security Standards Council on 31 March 2022. PCI DSS v3.2.1 was retired on 31 March 2024, and the requirements that 4.0 designated as future-dated became mandatory on 31 March 2025; the current revision is v4.0.1 (June 2024), a limited revision of clarifications and corrections. Requirement 11.4 covers penetration testing as a whole: 11.4.1 requires a defined, documented and implemented methodology, 11.4.2 covers internal testing, 11.4.3 requires external penetration testing at least once every 12 months and after any significant infrastructure or application upgrade or change, 11.4.4 requires exploitable vulnerabilities to be corrected and retested, and 11.4.5 covers segmentation testing where segmentation is used to reduce scope. This article addresses the external test (11.4.3).

The technical scope of the external pentest is the externally accessible perimeter of the cardholder data environment and the critical systems that support it: the public-facing web servers, the load balancers, the firewalls, the API endpoints, and the email and DNS infrastructure that supports the payment environment. Requirement 11.4.1 requires the methodology to include both network-layer testing (port scanning, service identification, vulnerability assessment of the components that support network functions and their operating systems) and application-layer testing (web application vulnerability assessment, API security testing) of the external-facing components. Quarterly external vulnerability scans by an Approved Scanning Vendor (Requirement 11.3.2) remain a separate control and do not satisfy 11.4.3, however clean the scan results are.

The Reconnaissance Phase of the Required Pentest

The reconnaissance phase is the foundation of the required pentest and the first technical step the testing methodology covers. Reconnaissance produces the inventory of externally accessible assets in the testing scope: the DNS records for the merchant domain, the IP address blocks the merchant operates, the listening services on each accessible port, and the TLS and HTTP fingerprints that identify the running software stack. Any asset found here that is missing from the merchant's own scope list is a scoping finding in its own right and needs to be reconciled before testing proceeds.

For the network-layer reconnaissance the Sherlock Port Scanner handles the per-IP and per-port enumeration step with the discipline that pentest documentation requires. The tool produces structured output identifying the open ports, the service banners and the TLS configuration for each listening service. That output feeds the downstream vulnerability assessment step and the chain-of-evidence documentation the PCI DSS 4.0 report needs: who scanned what, from where, when, and with which tool version.
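The structured, evidence-grade recon output the paragraph describes, as an added illustration that is not the Sherlock Port Scanner or any code from this page: a minimal TCP-connect enumeration with banner capture, wrapped in a timestamped JSON record sealed with a SHA-256 hash so a reviewer can detect later edits. The engagement identifier `PCI-2026-EXT-001`, the tool name, the `SSH-2.0-OpenSSH_9.6` banner and the loopback listener used as an offline target are all constructed for the example.

```python
import hashlib
import json
import socket
import threading
from datetime import datetime, timezone


def grab_banner(host, port, timeout=2.0, max_bytes=256):
    """TCP connect to host:port. Returns (is_open, banner_text).

    A refused connection or any socket error counts as closed; an open
    port that sends nothing within the timeout yields an empty banner.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(max_bytes)
            except OSError:  # includes socket.timeout
                data = b""
    except OSError:
        return False, ""
    return True, data.decode("utf-8", errors="replace").strip()


def scan_host(host, ports, timeout=2.0):
    """Enumerate the given ports on one host; one record per open port."""
    records = []
    for port in ports:
        is_open, banner = grab_banner(host, port, timeout)
        if is_open:
            records.append({"host": host, "port": port, "banner": banner})
    return records


def _canonical(body):
    # Deterministic serialisation so the hash is reproducible on verification.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def evidence_record(engagement_id, host, ports, tool="example-recon/0.1"):
    """Run the scan and wrap it in a sealed evidence record for the report."""
    started = datetime.now(timezone.utc).isoformat()
    open_ports = scan_host(host, ports)
    body = {
        "engagement": engagement_id,  # constructed identifier for the example
        "tool": tool,                 # assumed tool name/version, not a real product
        "target": host,
        "ports_requested": list(ports),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "open_ports": open_ports,
    }
    body["sha256"] = hashlib.sha256(_canonical(body)).hexdigest()
    return body


def verify_record(record):
    """True if the record's sha256 still matches its content (no tampering)."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record.get("sha256")


def start_banner_server(banner):
    """Constructed offline target: a loopback listener that sends one banner.

    Returns (port, stop) where stop() closes the listening socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


if __name__ == "__main__":
    port, stop = start_banner_server(b"SSH-2.0-OpenSSH_9.6\r\n")
    rec = evidence_record("PCI-2026-EXT-001", "127.0.0.1", [port])
    stop()
    print(json.dumps(rec, indent=2))
    print("record verifies:", verify_record(rec))
```

The sealing step is what turns a scan result into evidence: the hash is computed over a canonical serialisation, so re-ordering keys does not break verification but changing a port, banner or timestamp does. A real engagement would additionally record the source IP the scan was run from and retain the tool's raw output alongside this summary.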

The Application-Layer Test Scope

The application-layer test scope covers the web applications, the API endpoints and the authentication interfaces that support payment card processing. Requirement 11.4.1 ties application-layer testing to, at a minimum, the vulnerability classes listed in Requirement 6.2.4, which for a modern e-commerce platform means the testing has to reach REST API authentication, JWT token handling, OAuth flow security and the JavaScript-heavy frontend patterns that 3.2.1-era test plans often left out.

For Canadian merchants the application-layer scope often includes third-party components: a payment gateway integration (typically Stripe, Square, Moneris or Paysafe in Canada), a fraud detection plug-in and an analytics framework. The pentest scope needs to state which components are merchant-controlled and which are third-party-controlled, and the testing methodology needs to treat each accordingly. Third-party components typically carry their own compliance attestation (an Attestation of Compliance from the provider) that the merchant can reference; merchant-controlled components require direct testing. The provider's attestation covers what the provider operates, not how the merchant integrates it, so the redirect, iframe or script loading on the merchant's own payment page stays in the merchant's test scope.

The Methodology Documentation QSAs Look For

QSA reviews of PCI DSS 4.0 pentest reports look for specific methodology evidence. The report needs to document the scope (which assets were in scope and which were excluded, with the reason for each exclusion), the methodology (what testing was performed and what tooling was used), the findings (what vulnerabilities or weaknesses were identified), the severity ratings (typically CVSS scoring), and the remediation and retest evidence. Requirement 11.4.1 also expects the test results and remediation records to be retained for at least 12 months.

The methodology section is where reports often fall short. QSAs distinguish between vulnerability scanning (an automated tool scan with no human assessment) and penetration testing (human-driven attack simulation with documented exploit attempts where appropriate). PCI DSS 4.0 Requirement 11.4 explicitly requires the latter. Reports that document only automated scans and assert pentest coverage do not satisfy the requirement. The methodology documentation needs to show evidence of human assessment and reasoned conclusions: which findings were manually verified, which scanner results were rejected as false positives and why, and what the tester attempted against each exposed service even where nothing was found.

Why This Is a Forensic-Adjacent Skill Set

The skill set required for PCI DSS 4.0 pentest work overlaps substantially with forensic incident response. Both require deep familiarity with the same external attack surfaces, the same vulnerability classes and the same documentation discipline that supports regulator review. The Sherlock Forensics methodology applies the same toolkit (the Sherlock Port Scanner for reconnaissance, the broader Sherlock toolkit for application-layer testing and the standard chain-of-custody discipline) to PCI compliance work as to forensic engagements.

For merchants needing PCI DSS 4.0 pentest coverage the engagement model is typically an annual baseline test and a targeted retest after any significant infrastructure change. The Sherlock engagement page documents the broader services scope, which includes PCI DSS pentest engagements. For merchants with internal security teams building compliance capacity, the Sherlock Port Scanner product handles the reconnaissance and baseline assessment tooling. Requirement 11.4.1 allows the test to be performed by a qualified internal resource or a qualified external third party, provided the tester is organizationally independent of the systems under test; the tester does not have to be a QSA or ASV.

The Documentation Discipline for the Remediation Phase

The pentest report identifies findings; the remediation phase addresses them. PCI DSS 4.0 Requirement 11.4.4 requires exploitable vulnerabilities and security weaknesses found during testing to be corrected in accordance with the entity's risk ranking (Requirement 6.3.1) and retested, and the remediation evidence to be kept as part of the compliance record. The discipline QSAs look for is the per-finding remediation trace: each finding in the pentest report needs an explicit remediation step (typically a patch, a configuration change or a compensating control) with evidence of the action taken and the date.

For high-severity findings the remediation evidence needs to include a retest record confirming the finding no longer reproduces post-remediation. A common entity policy accepts compensating controls and documented risk acceptance for medium-severity findings and defers low-severity findings to the next testing cycle with documented risk acceptance; the standard itself does not fix those thresholds, so the policy has to be written into the entity's risk ranking and applied consistently, and anything rated exploitable still has to be corrected and retested. The full chain (finding, severity assessment, remediation action, retest result) needs to be intact across the compliance record.
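An added example of the per-finding trace check a reviewer applies, not code from this page or from Sherlock Forensics: a register validator that recomputes each finding's CVSS v3.1 qualitative severity from its base score, checks that remediation and retest records exist with their dates in order, and flags risk acceptance where the entity policy requires correction. The `MUST_RETEST` threshold stands in for an assumed entity risk ranking (PCI DSS leaves that to the entity), and the three findings, dates, ticket references and `F-0x` identifiers are constructed for the example.

```python
from datetime import date


def cvss_severity(score):
    """CVSS v3.1 qualitative severity rating for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Assumed entity policy (PCI DSS leaves thresholds to the entity's 6.3.1
# risk ranking): these severities must be corrected and retested, and
# risk acceptance is not an option for them.
MUST_RETEST = frozenset({"Critical", "High"})


def _d(value):
    return date.fromisoformat(value) if value else None


def check_finding(finding, must_retest=MUST_RETEST):
    """Return the list of gaps in one finding's remediation trace (empty = intact)."""
    gaps = []
    severity = cvss_severity(finding["cvss"])
    if finding.get("severity") != severity:
        gaps.append(f"severity label {finding.get('severity')!r} does not match "
                    f"CVSS {finding['cvss']} ({severity})")

    found = _d(finding.get("found"))
    if found is None:
        gaps.append("no discovery date")

    rem = finding.get("remediation") or {}
    for key in ("action", "date", "evidence"):
        if not rem.get(key):
            gaps.append(f"remediation record missing '{key}'")
    rem_date = _d(rem.get("date"))
    if found and rem_date and rem_date < found:
        gaps.append("remediation dated before discovery")

    if rem.get("action") == "risk_accepted":
        if severity in must_retest:
            gaps.append(f"risk acceptance not permitted for {severity} severity")
        if not rem.get("approver"):
            gaps.append("risk acceptance has no named approver")

    retest = finding.get("retest") or {}
    if severity in must_retest and not retest:
        gaps.append("no retest record for a severity that requires retest")
    if retest:
        if retest.get("result") != "not_reproduced":
            gaps.append(f"retest result is {retest.get('result')!r}, finding still open")
        retest_date = _d(retest.get("date"))
        if rem_date and retest_date and retest_date < rem_date:
            gaps.append("retest dated before remediation")
    return gaps


def audit_register(findings, must_retest=MUST_RETEST):
    """Map finding id -> gaps, listing only findings whose trace is broken."""
    report = {}
    for f in findings:
        gaps = check_finding(f, must_retest)
        if gaps:
            report[f["id"]] = gaps
    return report


# Constructed sample register: only F-01 has an intact trace.
SAMPLE_REGISTER = [
    {"id": "F-01", "title": "TLS 1.0 enabled on public load balancer", "cvss": 7.4,
     "severity": "High", "found": "2026-02-03",
     "remediation": {"action": "config_change", "date": "2026-02-10",
                     "evidence": "change ticket CHG-1187, post-change TLS config export"},
     "retest": {"date": "2026-02-12", "result": "not_reproduced"}},
    {"id": "F-02", "title": "Verbose server banner on API gateway", "cvss": 5.3,
     "severity": "Medium", "found": "2026-02-03",
     "remediation": {"action": "risk_accepted", "date": "2026-02-14",
                     "evidence": "risk register entry RA-22"}},   # no approver named
    {"id": "F-03", "title": "Outdated JWT library on checkout API", "cvss": 8.1,
     "severity": "Medium", "found": "2026-02-04",                   # label understates CVSS
     "remediation": {"action": "patch", "date": "2026-02-20",
                     "evidence": "deploy log, build 4412"}},        # patched, never retested
]

if __name__ == "__main__":
    for fid, gaps in audit_register(SAMPLE_REGISTER).items():
        print(fid)
        for gap in gaps:
            print("  -", gap)
```

Run against the sample register, F-01 passes, F-02 is held up only for the missing approver on its risk acceptance, and F-03 fails twice: its severity label understates the CVSS score, and a High finding was patched without a retest record. Those two F-03 gaps are exactly the ones that turn into QSA questions, because a report that says "Medium" for an 8.1 and has no retest cannot show the finding was closed in line with the entity's own ranking.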

What Canadian Merchants Should Do in 2026

For Canadian merchants without prior PCI DSS pentest history the first step is confirming the merchant compliance level (1, 2, 3 or 4, set by the card brands based on annual transaction volume) and the applicable Self-Assessment Questionnaire, and confirming that the SAQ actually includes Requirement 11.4, since not every SAQ does. The second step is scoping the external network and application footprint that handles cardholder data. The third step is engaging a qualified pentest provider for the annual baseline test and building the documentation framework that supports subsequent QSA review.

For merchants with prior PCI DSS 3.2.1 pentest history (Requirement 11.3 in that version) the transition to 4.0 expands the application-layer scope and tightens the methodology documentation expectations. Many 3.2.1-era pentest reports do not meet 4.0 expectations for methodology evidence. Updating the testing approach and the report template for 4.0 is the priority for 2026.

The Sherlock Forensics methodology aligns with PCI Security Standards Council guidance, and the Sherlock toolkit handles the technical work the methodology requires. For organizations building internal compliance capacity the Sherlock Port Scanner storefront documents pricing and licensing. For organizations preferring external engagement the Sherlock services engagement model covers the full pentest scope and the compliance documentation framework.