PCI DSS 4.0 Compliance
We Satisfy PCI DSS 4.0 Requirement 11.4
Compliant pentests with QSA-ready reports. Since 2006.
Sherlock Forensics satisfies PCI DSS 4.0 Requirement 11.4. We deliver QSA-ready penetration test reports covering internal networks, external perimeter, application layer and segmentation validation. 20 years of PCI compliance testing. CISSP, ISSAP, ISSMP certified. Vancouver, serving all of Canada. From $5,000 CAD.
PCI DSS 4.0
Requirement 11.4: What It Demands
Internal Penetration Testing
Requirement 11.4.2 mandates penetration testing from inside the network targeting the cardholder data environment. The test must attempt lateral movement from non-CDE segments into CDE systems, test for privilege escalation and evaluate whether an insider or compromised host could reach stored cardholder data. This is not a vulnerability scan. It is hands-on exploitation by a qualified tester who documents every path attempted and every control that held or failed.
External Penetration Testing
Requirement 11.4.3 requires penetration testing from outside the network perimeter. The tester must target all public-facing systems within PCI scope, including payment pages, APIs, administrative portals and any infrastructure that processes or transmits cardholder data. The external test simulates what an internet-based attacker sees and can exploit. Findings must be scored and mapped to specific PCI DSS requirements.
Segmentation Validation
Requirement 11.4.5 requires testing of segmentation controls that isolate the CDE from out-of-scope systems. If you rely on segmentation to reduce your PCI scope, you must prove those controls work under adversarial conditions. Service providers must test segmentation every six months. Merchants must test annually. Failure to validate segmentation means your entire network is in scope for PCI compliance.
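One way to produce the per-control pass/fail evidence this passage (and the 11.4.5 row of the mapping table below) describes, as an added example that is not Sherlock's tooling: a small harness that takes a constructed list of non-CDE-to-CDE paths the segmentation controls are supposed to block, attempts a plain TCP connect for each, and records PASS when the control held. The `Probe`/`Result` names, the `tcp_reachable` helper and the RFC 5737 sample addresses are assumptions, not from the page.

```python
"""Segmentation validation harness: added example, not Sherlock Forensics' tooling."""
import socket
from dataclasses import dataclass

@dataclass
class Probe:
    src_segment: str  # non-CDE segment the test device sits on
    target: str       # CDE host that must NOT be reachable from src_segment
    port: int

@dataclass
class Result:
    probe: Probe
    reachable: bool

    @property
    def status(self) -> str:
        # The control held when the connect did not succeed.
        return "FAIL" if self.reachable else "PASS"

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes; refused or timed out counts as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def validate_segmentation(probes, reachable=tcp_reachable):
    """Run every probe; `reachable` is injectable so a run can be replayed offline."""
    return [Result(p, reachable(p.target, p.port)) for p in probes]

def summarize(results):
    """Per-control pass/fail lines plus an overall verdict for Requirement 11.4.5."""
    lines = [f"[{r.status}] {r.probe.src_segment} -> {r.probe.target}:{r.probe.port}"
             for r in results]
    verdict = "11.4.5 NOT MET" if any(r.reachable for r in results) else "11.4.5 MET"
    return verdict, lines

# Constructed deny-matrix using RFC 5737 documentation addresses (placeholders).
SAMPLE_PROBES = [
    Probe("corp-lan", "192.0.2.10", 443),
    Probe("corp-lan", "192.0.2.10", 3389),
    Probe("guest-wifi", "192.0.2.11", 22),
]

if __name__ == "__main__":
    verdict, lines = summarize(validate_segmentation(SAMPLE_PROBES))
    print("\n".join(lines + [verdict]))
```

Any single reachable path fails the whole control set, which matches the point above that segmentation either demonstrably isolates the CDE or leaves the wider network in scope.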
Documented Methodology
Requirement 11.4.1 demands a defined, documented and implemented penetration testing methodology based on industry-accepted approaches. The PCI SSC references NIST SP 800-115, PTES and OWASP Testing Guide as acceptable frameworks. Your methodology must cover both network-layer and application-layer testing. It must address internal and external perspectives. Your QSA will review this methodology document before accepting your test results.
Application-Layer Testing
PCI DSS 4.0 requires application-layer penetration testing covering at minimum the vulnerabilities listed in Requirement 6.2.4. This goes beyond the OWASP Top 10. Testers must evaluate custom payment applications, third-party integrations and any web application that could provide a pathway into the CDE. Business logic flaws, authentication bypass and injection attacks must all be tested manually.
Annual Testing and Significant Changes
Penetration testing is required at least annually and after any significant change to the environment. PCI DSS 4.0 defines significant changes as new system components, network architecture changes, operating system or application upgrades, firewall rule changes and any modification to the CDE. If you make a significant change mid-year, you need another penetration test covering the affected scope.
Methodology Mapping
How We Map to Every Sub-Requirement
| Requirement | What PCI DSS 4.0 Demands | Sherlock Methodology |
|---|---|---|
| 11.4.1 | Defined, documented and implemented penetration testing methodology | PTES-aligned methodology documented in our scope agreement. Reviewed by QSA before testing begins. |
| 11.4.2 | Internal penetration testing at least annually and after significant changes | ShadowTap device deployed inside CDE. Lateral movement, privilege escalation and credential harvesting tested from internal perspective. |
| 11.4.3 | External penetration testing at least annually and after significant changes | Full external assessment of all public-facing CDE systems. Network and application layers tested from our lab infrastructure. |
| 11.4.4 | Exploitable vulnerabilities found during testing are corrected and retested | Remediation retest included in every engagement. Updated report confirms closure with evidence. |
| 11.4.5 | Segmentation controls tested at least annually (every six months for service providers) | Second ShadowTap on non-CDE segment. Controlled penetration attempts toward CDE with pass/fail documentation. |
| 11.4.6 | Segmentation testing after changes to segmentation controls or methods | On-demand segmentation retest available within 5 business days of your change window. |
| 11.4.7 | Multi-tenant service provider segmentation testing between tenant environments | Cross-tenant isolation testing with separate ShadowTap devices in each tenant segment. Evidence package for each tenant boundary. |
Every finding in our report references the specific PCI DSS 4.0 sub-requirement it maps to. Your QSA receives a one-to-one mapping between our test cases and the requirements they need to validate. No ambiguity. No gaps.
Deliverables
What Your QSA Receives
Structured Report Format
Our reports follow a format QSAs recognize immediately. Executive summary with risk ratings. Technical findings with full exploitation evidence including screenshots, command output and data accessed. Each finding scored with CVSS 3.1 and mapped to the specific PCI DSS 4.0 sub-requirement. Remediation guidance with priority levels based on exploitability and business impact.
Scope and Methodology Evidence
The report opens with a scope attestation document listing every IP address, hostname and application URL tested. It includes the dates of testing, the methodology used and the tools deployed. Your QSA can verify that the scope matches your CDE documentation and that no systems were excluded without justification.
Remediation Tracking and Retest
We track every finding through remediation. When your team fixes a vulnerability, we retest it and update the report with closure evidence. The final report includes a remediation summary table showing each finding's original status, fix date and retest result. This is the evidence your QSA needs to mark Requirement 11.4.4 as satisfied.
Deliverables Checklist
- Scope attestation letter with CDE boundaries documented.
- Methodology document referencing PTES and NIST SP 800-115.
- External penetration test report with CVSS-scored findings.
- Internal penetration test report with lateral movement analysis.
- Segmentation validation report with pass/fail evidence per control.
- Application-layer test results mapped to Requirement 6.2.4 vulnerabilities.
- Remediation retest report with closure evidence.
- Executive summary suitable for board-level reporting.
Engagement Timeline
Timeline and Process
| Phase | Duration | What Happens |
|---|---|---|
| Scoping | 1-2 days | Review network diagrams and CDE boundaries. Define scope document. Ship ShadowTap if internal testing is included. |
| External Testing | 3-5 days | Network and application-layer penetration testing of all external CDE systems from our lab. |
| Internal Testing | 3-5 days | Internal CDE testing and segmentation validation via ShadowTap. Lateral movement and privilege escalation testing. |
| Report Delivery | 3-5 days | Full QSA-ready report with CVSS-scored findings, exploitation evidence and remediation roadmap. |
| Remediation Retest | 2-3 days | Retest remediated findings. Issue updated report with closure evidence for your QSA. |
Total engagement timeline: 2 to 3 weeks from scoping call to final report. Remediation retest is included in the engagement price and can be scheduled up to 90 days after the initial report. If your QSA assessment has a hard deadline, tell us during scoping and we will structure the timeline accordingly.
Track Record
20 Years of PCI Compliance
Before PCI 3.0 Existed
Sherlock Forensics has delivered PCI penetration tests since 2006. We performed our first PCI engagement under version 1.1 of the standard. We have tested through every revision: 2.0, 3.0, 3.1, 3.2, 3.2.1 and now 4.0. When the requirements change, we do not scramble to adapt. We have already been through the cycle. Our methodology documents, report templates and testing procedures are updated for each new version before the compliance deadline arrives.
Credentials That Matter
Our lead testers hold CISSP, ISSAP and ISSMP certifications from ISC2. These are not entry-level credentials. ISSAP covers security architecture. ISSMP covers security management and governance. Combined with two decades of PCI-specific testing, this is the experience your QSA expects to see behind the penetration test report they are reviewing.
QSA Relationships
We have worked with QSAs from every major assessor firm operating in Canada. We know what they look for, what they reject and what makes their review process faster. Our reports are structured to answer QSA questions before they are asked. Scope documentation, methodology references, finding-to-requirement mapping and remediation evidence are all formatted the way assessors expect to receive them.
Frequently Asked Questions
PCI DSS 4.0 Penetration Testing FAQs
- What changed from PCI DSS 3.2.1 to 4.0 for penetration testing?
- PCI DSS 4.0 renumbered the penetration testing requirement from 11.3 to 11.4 and introduced stricter methodology documentation requirements. Requirement 11.4.1 now demands a defined, documented and implemented methodology. The standard also introduced a customized approach as an alternative to the defined approach, giving organizations flexibility in how they demonstrate compliance.
- What does PCI DSS 4.0 Requirement 11.4.1 require for methodology?
- Requirement 11.4.1 requires a penetration testing methodology that is defined, documented and implemented. It must include industry-accepted approaches such as NIST SP 800-115, OWASP Testing Guide or PTES. It must cover the entire CDE perimeter and critical systems, include network-layer and application-layer testing, and address both internal and external perspectives.
- How does Sherlock handle segmentation testing under Requirement 11.4.5?
- We deploy ShadowTap devices on non-CDE segments and perform controlled penetration attempts toward CDE systems. Every test case is documented with pass/fail evidence that QSAs can verify independently. Service providers must test every six months. Merchants must test annually. We maintain your segmentation test schedule and notify you before the next test is due.
- What qualifications should a PCI DSS 4.0 penetration tester hold?
- PCI DSS 4.0 requires testers to be qualified with relevant certifications and demonstrated competence. The PCI SSC does not mandate specific certifications but expects organizational independence and expertise. Sherlock Forensics testers hold CISSP, ISSAP and ISSMP certifications from ISC2. Our firm has delivered PCI penetration tests since 2006.
- Can a single penetration test satisfy both PCI DSS 4.0 and SOC 2?
- Yes. A properly scoped penetration test can satisfy both PCI DSS 4.0 Requirement 11.4 and SOC 2 Common Criteria CC7.1 and CC7.2. We structure dual-framework engagements with a single testing phase and two report outputs: one mapped to PCI DSS 4.0 sub-requirements and one mapped to SOC 2 trust services criteria. This reduces cost and avoids duplicate testing windows.
Get Started
Order Your PCI DSS 4.0 Penetration Test
QSA-ready reports mapped to every Requirement 11.4 sub-requirement. Internal and external testing with segmentation validation. Remediation retest included. From $5,000 CAD.
From Our Blog
Related Reading
PCI DSS 4.0 Pentest Requirements: What Changed and What Your QSA Expects
A detailed breakdown of the Requirement 11.4 changes in PCI DSS 4.0. Methodology documentation, segmentation testing frequency and what your QSA will ask for.
10 Questions to Ask Before Hiring a Penetration Tester
A buyer's guide to hiring a penetration tester. 10 essential questions covering certifications, manual testing, compliance reports and retesting.
Scope Your PCI 4.0 Penetration Test
Tell us about your cardholder data environment, segmentation controls and compliance timeline. We will provide a fixed-price quote within one business day.
Call 604.229.1994
- Phone
- 604.229.1994
- Burnaby Office
- Burnaby, BC, Canada
- Coquitlam Office
- Coquitlam, BC, Canada
- Typical Timeline
- 2-3 weeks from scoping call to final report