Requirement 11.4 mandated

PCI DSS v4.0.1. Internal. External. Segmentation.

PCI DSS penetration testing

PCI DSS is one of the few frameworks that literally requires a penetration test. Requirements 11.4.1 through 11.4.7 mandate testing of the cardholder data environment, annually and after any significant change. Cyber Node delivers engagements scoped to each specific PCI requirement, with reports Australian QSAs accept as evidence.

Requirement 11.4

What PCI DSS actually requires

PCI DSS v4.0.1 became mandatory on 31 March 2025. The Requirement 11.4 family is the penetration testing obligation. Every sub-requirement is quoted directly below.

  • 11.4.1 Methodology documented

    A penetration testing methodology is defined, documented, and implemented, covering industry-accepted approaches, the full CDE perimeter, internal testing, validation of segmentation, and application-layer testing.

  • 11.4.2 Internal penetration testing

    Internal penetration testing is performed at least once every 12 months and after any significant infrastructure or application change.

  • 11.4.3 External penetration testing

    External penetration testing is performed at least once every 12 months and after any significant infrastructure or application change.

  • 11.4.4 Exploitable findings remediated and retested

    Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected, and the corrections are verified by repeating the testing.

  • 11.4.5 Segmentation tested annually

    If segmentation is used to isolate the CDE from other networks, penetration testing of those segmentation controls is performed at least once every 12 months and after any change to segmentation controls or methods.

  • 11.4.6 Service provider segmentation every 6 months

    For service providers, segmentation penetration testing is performed at least once every six months and after any change to segmentation controls.

  • 11.4.7 Multi-tenant service providers

    Multi-tenant service providers must support penetration testing by their customers, through either method-based or written procedures.

What we deliver, what we refer

PCI engagement scope, honestly

In scope for Cyber Node

Technical testing and QSA-ready reporting

  • External CDE penetration test

  • Internal CDE penetration test

  • Segmentation testing (11.4.5 and 11.4.6)

  • Application-layer testing against CDE apps

  • Free retest within 60 days (11.4.4)

  • Direct coordination with your QSA

Out of scope, we refer

QSA work and compliance program

  • Report on Compliance (RoC)

    Must be produced by a QSA firm. We introduce you.

  • Self-Assessment Questionnaire (SAQ) preparation

    Specialist PCI consultancies or QSAs.

  • External ASV scanning (Requirement 11.3.2)

    Must be performed by a PCI-approved ASV.

  • Scope reduction and tokenisation strategy

    Refer to PCI consultancies or payment architects.

  • Continuous compliance monitoring

    Vanta, Drata, or equivalent.

PCI FAQ

Questions QSAs and merchants ask us

  • Does PCI DSS require a penetration test?

    Yes. PCI DSS v4.0.1 Requirements 11.4.1 through 11.4.7 explicitly mandate penetration testing of the cardholder data environment. Testing must be performed at least annually and after any significant change to the environment.

  • Which SAQ types carry the penetration testing obligation?

    SAQ D (service providers and merchants with significant environments) carries the full Requirement 11.4 obligation. SAQ A, A-EP, B, and C have reduced obligations but may still require segmentation testing or scoping confirmation. Cyber Node confirms your obligation during scoping.

  • Is segmentation testing required?

    Yes. Requirement 11.4.5 requires segmentation controls to be tested at least annually (every six months for service providers under 11.4.6). Cyber Node delivers segmentation testing as a standalone engagement or bundled with the annual internal or external test.

  • How does penetration testing differ from the Requirement 11.3 vulnerability scans?

    Requirement 11.3.1 (internal scans) and 11.3.2 (external ASV scans) are separate from 11.4 penetration testing. Cyber Node can deliver internal scanning. External ASV scans must be performed by a PCI-approved ASV; we refer to ASVs directly.

  • Will our QSA accept your reports as evidence?

    Yes. Reports are formatted for QSA evidence, and we routinely join walkthroughs with the QSA where it helps. Cyber Node is not a QSA; PCI attestation work must be performed by a QSA firm.

PCI engagement

Scope your CDE test for the next audit cycle