PCI-DSS Compliance Guide

PCI-DSS Penetration Testing Requirements and How Sprocket Security Satisfies Them

PCI-DSS Requirement 11.4 mandates internal and external penetration testing at least annually and after any significant infrastructure change. Sprocket's continuous testing model exceeds this obligation and provides on-demand, examiner-ready evidence whenever your QSA asks for it.

Req. 11.4

Primary PCI-DSS penetration testing requirement

Annual+

Minimum testing frequency mandated

71%

Of FS web app engagements find a critical issue on first test

The Requirement

What PCI-DSS Actually Requires

PCI-DSS v4.0 Requirement 11.4 defines the penetration testing obligations for organisations that store, process, or transmit cardholder data.

Req. 11.4.1
What it means in practice: A penetration testing methodology must be defined and implemented, covering both network and application layers.
How Sprocket satisfies the requirement: Sprocket's methodology follows PTES and OWASP standards, covering network, application, and CDE layers. Methodology documentation is available for QSA review.

Req. 11.4.2
What it means in practice: Internal penetration testing must be performed at least annually and after any significant change to the cardholder data environment.
How Sprocket satisfies the requirement: Sprocket's continuous internal testing exceeds the annual minimum, with persistent testers who maintain context across engagements and re-test automatically after any significant change.

Req. 11.4.3
What it means in practice: External penetration testing must be performed at least annually and after any significant external-facing change.
How Sprocket satisfies the requirement: Continuous external attack surface monitoring and scheduled external penetration tests satisfy Req. 11.4.3. On-demand reports can be generated for any period your QSA requests.

Req. 11.4.4
What it means in practice: Exploitable vulnerabilities found during testing must be corrected, and testing repeated to confirm remediation.
How Sprocket satisfies the requirement: Sprocket's retesting workflow is built into the platform — every finding has a tracked remediation status, and retest results are documented and reportable for QSA evidence packs.

Req. 11.4.5
What it means in practice: If segmentation is used to reduce scope, penetration testing must confirm that segmentation is effective at least every six months.
How Sprocket satisfies the requirement: Sprocket includes segmentation testing as a defined scope element for CDE environments, with a scheduled cadence to satisfy the six-month requirement and documented findings.

Why Continuous Testing

Benefits of continuous penetration testing for PCI-DSS compliance

Always-ready QSA evidence

On-demand reporting means your QSA gets what they need in minutes, not weeks of evidence scrambling before an assessment window.

Change-triggered testing

PCI-DSS requires testing after significant changes. Sprocket detects changes to your environment and triggers retesting automatically.

Tester continuity

The same testers work your environment over time, building context that makes each engagement more effective than the last.

Remediation tracking

Every finding has a documented remediation workflow. Close the loop on Req. 11.4.4 without manual tracking or disconnected spreadsheets.

Scope confidence

Continuous external monitoring surfaces assets that may have drifted in or out of your CDE scope before your QSA finds them.

Audit trail by default

Every test, finding, retest, and remediation is logged in the platform. Your audit trail is built automatically.

What we find

Common PCI-DSS Findings Sprocket Surfaces

critical

Broken authentication in payment flows

Session management weaknesses allowing unauthorised access to cardholder data, a direct Req. 8 violation.

high

SQL injection in payment portal

Direct extraction of cardholder data via injection vulnerabilities, a Req. 6 violation mandating forensic investigation.

medium

Inadequate network segmentation

CDE segmentation controls that can be bypassed, expanding scope and exposing the organisation to broader compromise.

low

Overpermissioned service accounts

Internal accounts with access beyond their function, creating lateral movement paths to full CDE access, a Req. 7 violation.

FAQ

PCI-DSS Penetration Testing — Frequently Asked Questions

Does PCI-DSS require both internal and external penetration testing?

Yes. Requirement 11.4 mandates both internal and external testing at least annually. Sprocket covers both in a single continuous programme.

Can Sprocket provide evidence acceptable to a QSA?

Yes. Sprocket's platform generates on-demand reports documenting methodology, scope, findings, severity ratings, and remediation status: the specific evidence items QSAs look for under Req. 11.4.

How often does Sprocket test after significant environment changes?

Sprocket's attack surface monitoring detects changes to your external footprint automatically. For internal changes, your team can trigger a targeted retest through the platform at any time, satisfying Req. 11.4.2 and 11.4.3 without scheduling delays.

Does Sprocket test network segmentation for CDE scope reduction?

Yes. Segmentation testing is a defined scope element for PCI-DSS engagements and can be scheduled on the six-month cadence required by Req. 11.4.5, with results documented for QSA review.

What is the difference between a vulnerability scan and a penetration test?

PCI-DSS requires both. Vulnerability scans (Req. 11.3) identify known vulnerabilities automatically. Penetration tests (Req. 11.4) go further: testers actively attempt to exploit vulnerabilities to understand real-world attack paths. Sprocket provides penetration testing; your ASV handles the required vulnerability scans.

Ready to See Your Real Exposure?

Get a quote for continuous penetration testing tailored to your environment.