
The PCI DSS v4.0 Pen Test Playbook for Fintech & Payment Processors

Requirement 11.4 is now mandatory — and most teams don't know what QSAs actually expect to see. This playbook breaks down every sub-requirement, all 5 testing domains, and the segmentation traps that cause audit failures.

✦ Req 11.4 decoded — all 7 sub-requirements explained
✦ 5 testing domains with scope and method guidance
✦ Segmentation validation: what counts, what doesn't
✦ 12-point pre-test readiness checklist
✦ 90-day timeline from kickoff to QSA-ready report

⭐⭐⭐⭐⭐ Used by security teams at fintech companies, payment processors, and banks preparing for QSA audits.

At a glance: 7 sub-requirements explained; 5 testing domains covered; 12 readiness checks included; v4.0 mandatory since March 2024; 90-day timeline to AOC-ready.

Requirement applies across: PCI DSS v4.0, Req 11.4, Req 6.4.2, SAQ A-EP, SAQ D, ROC / QSA.

Sound familiar?

The Questions Every Payment Company Asks Before an Assessment

PCI DSS v4.0 raised the bar significantly. These are the uncertainties we hear most often from fintech teams and compliance leads.

📋

"What exactly changed in v4.0?"

The transition from v3.2.1 isn't cosmetic. Scope requirements expanded, methodology must now be documented and named, APIs are explicitly included, and multi-tenant platforms have brand-new obligations under Req 11.4.6–7.

🔎

"Are we actually testing the right things?"

Most pen test engagements miss connected-to systems — AD environments, monitoring platforms, CI/CD pipelines — that QSAs flag as in scope. Narrow scope is the single most common reason certifications are delayed.

📄

"Will our report pass QSA review?"

Missing CVSS scores, unnamed methodology, no segmentation test results, and absent retest attestation are the top reasons pen test reports generate RFIs. This playbook tells you exactly what auditors need.

PCI DSS v4.0 — March 2024

6 Changes That Directly Affect Your Pen Testing Programme

v4.0 replaced v3.2.1 entirely in March 2024. These are the changes with the most impact on penetration testing scope, methodology, and obligations.

HIGHER BAR

Named Methodology Required

Your pen testing methodology must now be documented and reference a named standard: NIST SP 800-115, PTES, OWASP Testing Guide, or OSSTMM. Ad hoc testing no longer satisfies Req 11.4.1.

EXPANDED SCOPE

APIs Explicitly In Scope

v4.0 explicitly names APIs as in-scope system components. Payment APIs, webhooks, reporting endpoints, and microservice APIs connected to the CDE must be tested under Req 6.4.2 and 11.4.

NEW OBLIGATION

Multi-Tenant SP Requirements

Req 11.4.6–7: multi-tenant service providers must support customers in external pen testing — either by testing on their behalf or enabling self-testing. This is new and has no v3.2.1 equivalent.

STRICTER

Segmentation Scope Expanded

Segmentation testing must now also confirm isolation between systems at differing security levels — not just isolation of out-of-scope systems from the CDE. Dev, staging, and corporate networks are now relevant.

MANDATORY

Retest Evidence Required

v4.0 makes retest verification explicit: Critical and High findings must be retested by the original tester or independent party, with documented attestation. Self-certification by the client does not satisfy Req 11.4.4.

ACTIVE TESTING

WAF / App Security Mandated

Req 6.4.2 requires an automated technical solution that detects and prevents web application attacks. This must be validated through active testing — configuration review alone is insufficient under v4.0.

Q-Sec Coverage

5 Domains Every PCI DSS v4.0 Engagement Must Cover

A compliant pen test is not a single-surface assessment. Every vector through which an attacker could reach cardholder data must be tested and documented.

01. External Network & Perimeter (Req 11.4.2)

Internet-exposed attack surface: public IPs, payment gateway endpoints, cloud ingress/egress, and web application perimeter.

02. Internal Network & CDE Infrastructure (Req 11.4.3)

All systems inside the perimeter connected to or supporting the CDE: servers, databases, jump hosts, admin consoles, internal APIs.

03. Web Application & API Testing (Req 6.4.2 + 11.4)

All payment interfaces and APIs: OWASP Top 10 + API Top 10, IDOR, broken auth, business logic flaws, JWT attacks, webhook abuse.

04. Network Segmentation Validation (Req 11.4.5)

Active confirmation that out-of-scope systems cannot reach the CDE, and that differing security levels are properly isolated.

05. Cloud & Hybrid Infrastructure (Req 11.4 + Cloud Guidance)

AWS, Azure, GCP: IAM policies, storage, compute, containers, serverless, and API gateways in the CDE data path.

Inside the Playbook

Everything in the Free Download

17 pages of clear, regulation-grounded guidance — built around how QSAs actually evaluate PCI DSS pen test evidence under v4.0.

01

What Changed in v4.0 — and Why It Matters

Side-by-side comparison of v3.2.1 vs v4.0 pen testing requirements with practical impact analysis.

02

CDE Scoping: What's Always In Scope

8-item checklist of system categories that regularly get excluded and then flagged by QSAs.

03

Requirement 11.4 Decoded — All 7 Sub-Requirements

What each sub-requirement mandates and what it means in practice for your programme.

04

5 Testing Domains with Scope & Technique Detail

Every testing domain: what's in scope, which techniques are used, which requirement it satisfies.

05

Segmentation Testing — Full Guidance

What effective segmentation means under v4.0, how it's tested, and the most common failures.

06

Cloud & Multi-Tenant Obligations (Req 11.4.6–7)

Who this applies to, what you must do, and what evidence your QSA will accept.

07

12-Point Pre-Engagement Readiness Checklist

Reduce testing time by 30% and avoid the most common findings that generate remediation cycles.

08

QSA Report Requirements + 5 Failure Patterns

Required report elements, common RFI triggers, and the top 5 failures that delay PCI certification.

Requirement 11.4.5

Segmentation Testing: The Requirement Most Companies Underestimate

Network segmentation is how most fintech companies reduce PCI scope. But having controls in place is not the same as proving they work. Under v4.0, you must actively test them — with documented results.

Q-Sec's segmentation testing goes beyond configuration review. We simulate attacks from out-of-scope systems, identify dual-homed hosts that bridge CDE and non-CDE networks, and produce QSA-format evidence for every path tested.

  • Out-of-scope systems cannot reach CDE — actively tested, not assumed
  • Systems at differing security levels are isolated (new in v4.0)
  • All segmentation methods tested: VLANs, ACLs, cloud security groups, NSGs
  • Source/destination evidence documented for QSA review
  • Service providers: every 6 months. Merchants: annually.
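As an added illustration (not Q-Sec's tooling and not code from this page), the following Python script shows how the results of segmentation probes can be evaluated against a zone policy and turned into source/destination evidence records of the kind described above, including the v4.0 check for isolation between differing security levels and detection of dual-homed hosts that bridge CDE and non-CDE zones. The host inventory, zone levels, allowed-path policy, and probe outcomes are all constructed for the example; in a real engagement the probe results would come from actual connectivity tests run from each out-of-scope zone.

```python
"""Evaluate segmentation test results against a zone policy and emit
source/destination evidence. Added example; inventory and results are constructed."""
from collections import Counter
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class PathResult:
    """One tested path: where the probe ran, what it targeted, what was observed."""
    src_host: str
    src_zone: str      # zone of the interface the probe was launched from
    dst_host: str
    dst_zone: str      # zone of the target address
    dst_port: int
    reachable: bool    # observed outcome of the probe (constructed here)


# Constructed inventory: host -> set of zones it has an interface in.
HOSTS = {
    "pos-db-01": {"cde"},
    "jump-01": {"cde", "corp"},      # dual-homed: bridges CDE and corporate
    "ci-runner-03": {"corp"},
    "dev-web-02": {"dev"},
    "siem-01": {"connected"},        # connected-to system (monitoring)
}

# Assumed security level per zone (higher = more trusted).
ZONE_LEVEL = {"cde": 3, "connected": 2, "corp": 1, "dev": 0}

# Assumed policy: (source zone, destination zone) pairs allowed to communicate.
# Any pair not listed is expected to be blocked.
ALLOWED = {
    ("cde", "cde"), ("cde", "connected"), ("connected", "cde"),
    ("connected", "connected"), ("corp", "corp"), ("dev", "dev"),
}


def dual_homed_hosts(hosts=HOSTS):
    """Hosts with an interface in the CDE and in at least one other zone."""
    return sorted(h for h, zones in hosts.items()
                  if "cde" in zones and zones - {"cde"})


def block_reason(src_zone, dst_zone):
    """Why a blocked result is expected for this zone pair."""
    if dst_zone == "cde":
        return "out-of-scope system reaches CDE"
    if ZONE_LEVEL[src_zone] != ZONE_LEVEL[dst_zone]:
        return "differing security levels (v4.0)"
    return "path not in allowed policy"


def evaluate(results, hosts=HOSTS):
    """Return one evidence record per tested path with a PASS/FAIL/INFO verdict."""
    evidence = []
    for r in results:
        if r.src_zone not in hosts[r.src_host] or r.dst_zone not in hosts[r.dst_host]:
            raise ValueError(f"zone mismatch for {r.src_host} -> {r.dst_host}")
        expected = "allow" if (r.src_zone, r.dst_zone) in ALLOWED else "block"
        if expected == "block" and r.reachable:
            verdict, reason = "FAIL", block_reason(r.src_zone, r.dst_zone)
        elif expected == "allow" and not r.reachable:
            verdict, reason = "INFO", "tighter than policy; not a segmentation failure"
        else:
            verdict, reason = "PASS", "observed result matches policy"
        evidence.append({**asdict(r), "expected": expected,
                         "verdict": verdict, "reason": reason})
    return evidence


def summary(evidence):
    """Count of verdicts, e.g. {'FAIL': 3, 'PASS': 2, 'INFO': 1}."""
    return dict(Counter(e["verdict"] for e in evidence))


def failing_paths(evidence):
    """Human-readable list of paths that violate segmentation policy."""
    return [f'{e["src_host"]}({e["src_zone"]}) -> {e["dst_host"]}({e["dst_zone"]}):{e["dst_port"]}'
            for e in evidence if e["verdict"] == "FAIL"]


# Constructed probe results, standing in for the output of real connectivity tests.
RESULTS = [
    PathResult("ci-runner-03", "corp", "pos-db-01", "cde", 5432, True),
    PathResult("dev-web-02", "dev", "pos-db-01", "cde", 5432, False),
    PathResult("siem-01", "connected", "pos-db-01", "cde", 514, True),
    PathResult("dev-web-02", "dev", "ci-runner-03", "corp", 443, True),
    PathResult("jump-01", "corp", "pos-db-01", "cde", 22, True),
    PathResult("siem-01", "connected", "pos-db-01", "cde", 22, False),
]

if __name__ == "__main__":
    print("Dual-homed hosts bridging CDE:", dual_homed_hosts())
    ev = evaluate(RESULTS)
    for e in ev:
        print(f'{e["verdict"]:4} {e["src_host"]}({e["src_zone"]}) -> '
              f'{e["dst_host"]}({e["dst_zone"]}):{e["dst_port"]}  {e["reason"]}')
    print("Summary:", summary(ev))
```

Each evidence record keeps the source host and zone, destination host and zone, port, expected outcome, observed outcome, and verdict, which is the source/destination detail a QSA asks for. A reachable path into the CDE from a non-connected zone is a FAIL, as is reachability between zones at differing security levels even when neither is the CDE; a blocked path that policy would have allowed is recorded as INFO so the tighter-than-documented rule is visible without being counted as a segmentation failure.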
  • #1: Most common cause of delayed PCI certification: segmentation testing gaps and scoping omissions
  • 6 months: Segmentation retest frequency required for PCI DSS service providers under Req 11.4.5
  • v4.0: New: must now also test isolation between systems at differing security levels — not just CDE vs. non-CDE
  • 100%: Q-Sec engagements include dedicated segmentation testing with QSA-format evidence documentation

Preview: 12-Point Checklist

Are You Ready to Be PCI Pen Tested?

Most organisations aren't — and pay for it in extended testing cycles and delayed AOC issuance. Here's a preview of the checklist inside the playbook:

  • 1. Define CDE boundaries and all connected systems: every system that stores, processes, or transmits CHD — plus every system that can communicate with those systems.
  • 2. Create or update your cardholder data flow diagram: map every path card data travels from entry through to card schemes. QSAs will request this document.
  • 3. List all payment APIs, webhooks, and integration endpoints: include REST APIs, webhook receivers, SDK callbacks, and all third-party integrations (Stripe, Adyen, Worldpay, Open Banking).
  • 4. Obtain cloud provider pen test authorisations: AWS requires Customer Agreement compliance. Azure requires PT Notification. Submit at least 5 business days before testing.
  • 5. Review previous findings and remediation status: provide the prior pen test report. Open Critical/High findings must be resolved before retest attestation can be issued.
  • + 7 more items in the full playbook. Download free to access all 12 readiness checks.

Built For You

Who This Playbook Is For

💳

Payment Processors & Fintech Platforms

  • Payment processors, acquirers, and gateway operators
  • Fintech SaaS platforms handling card data flows
  • Banking-as-a-service (BaaS) and embedded finance providers
  • Multi-tenant platforms subject to Req 11.4.6–7
  • Companies preparing for Level 1 ROC or Level 2 SAQ D
  • CISOs, Security Leads, and Compliance Officers managing a PCI programme

🏦

Banks, Integrators & Regulated Fintechs

  • Neobanks and digital banks with card issuance or acquiring
  • Fintech integrators building on top of payment infrastructure
  • Open Banking and PSD2-regulated payment initiation providers
  • Companies also subject to DORA, NIS2, or ISO 27001
  • CTOs and engineering leads at Series A–C stage fintechs
  • Any organisation receiving a pen test requirement from their acquiring bank
Stakeholder Value

What a Compliant PCI DSS v4.0 Pen Test Delivers Across Your Organisation

Q-Sec's reporting is structured to be actionable at every level — from the engineering team remediating findings to the board receiving the compliance summary.

CEO / Board
  • Demonstrable due diligence
  • Reduced regulatory exposure
  • Confidence in certification status
  • Competitive trust signal
CFO / Finance
  • Avoid card scheme fines
  • Stronger cyber insurance position
  • Predictable remediation cost
  • Reduced breach cost risk
CISO / Head of IT
  • Exploitable gaps identified
  • Independent validation
  • Segmentation confirmed working
  • Improved incident resilience
Compliance & Risk
  • QSA-ready documentation
  • Retest attestation included
  • Multi-framework alignment
  • RFI-proof report format
Engineering / CTO
  • CVSS-scored finding detail
  • MITRE ATT&CK mapping
  • Dev walkthrough session
  • Actionable remediation roadmap
Questions

Common Questions Before You Download

Is penetration testing actually mandatory under PCI DSS v4.0?
Yes, unambiguously. Requirement 11.4 mandates external penetration testing (11.4.2) and internal penetration testing (11.4.3) at least annually and after any significant change. This applies to all merchants at all levels and all service providers. Unlike some requirements where compensating controls exist, 11.4 has no substitutes — the testing must be performed and documented. What v4.0 added is greater specificity: the methodology must be named, scope must include APIs, and remediation must be independently verified.
We already had a pen test under v3.2.1. Do we need a new one for v4.0?
If your last assessment was conducted under v3.2.1 methodology and didn't include a documented, named methodology (NIST SP 800-115, PTES, OWASP, OSSTMM), explicit API testing, segmentation testing documentation showing source/destination evidence, and a retest attestation for Critical/High findings — then yes, a new engagement is strongly advisable before your next QSA assessment. Many organisations are discovering that their v3.2.1-era reports don't satisfy v4.0 QSA expectations, leading to unexpected RFI cycles.
We use Stripe / Adyen / a hosted payment page. Does that reduce our pen test scope?
Partially. Using a third-party hosted payment page significantly reduces your PCI scope — potentially to SAQ A if your web page does nothing to intercept the card data flow. However, your own web application, APIs, authentication systems, cloud infrastructure, and connected internal systems remain in scope for penetration testing regardless of which payment processor you use. The pen test scope is defined by what's in your Cardholder Data Environment (CDE) and everything connected to it — not by whether you store card numbers.
What does Q-Sec actually deliver, and how long does an engagement take?
Every Q-Sec PCI DSS engagement delivers: a named-methodology documentation package, executive summary, CVSS v3.1-scored findings report with PoC evidence, MITRE ATT&CK mapping, segmentation test results with source/destination evidence, risk-ranked remediation roadmap, a developer walkthrough session, and signed retest attestation for all Critical/High findings. The full 90-day cycle (including client remediation) is mapped in the playbook. Active testing typically runs 2–4 weeks depending on scope. The complete report package is structured to be submitted directly to your QSA without additional formatting work.
What's in this playbook? Is it really free?
100% free, no credit card required. The playbook is a 17-page PDF covering: what changed in v4.0, CDE scoping guidance, all 7 sub-requirements of Req 11.4 explained, 5 testing domains with scope and technique detail, segmentation testing guidance, cloud and multi-tenant obligations, the 12-point readiness checklist, QSA report requirements, the 5 failure patterns that delay certification, and a 90-day engagement timeline. We'll email it to you immediately after form submission.
When You're Ready to Run the Test

Get Your Free PCI DSS v4.0 Pen Test Playbook

Instant download. Used by security teams at payment processors, fintech platforms, and banks across Europe and North America. Written to reflect how QSAs actually evaluate v4.0 compliance.

🔒 No spam. Unsubscribe anytime. Q-Sec is here when you need a pen test — not before.