PCI-DSS 4.0 doesn't make pentesting optional. If you process credit cards, Requirement 11.4 says you need external and internal penetration tests of your cardholder data environment at least once every 12 months, and again after significant changes. We deliver QSA-ready reports in 5 business days, scoped to your specific payment infrastructure.
Version 4.0 tightened the testing requirements. Here's what that means for your business and why skipping it isn't an option.
Requirement 11.4 is the one that matters. It mandates external and internal penetration testing of your Cardholder Data Environment and every system connected to it, at least once every 12 months and after significant changes, following a documented, industry-accepted methodology. Network-layer testing, application-layer testing, and validation of the segmentation controls that isolate the CDE are all in scope.
Visa and Mastercard don't bluff about PCI enforcement. Non-compliance fines, commonly cited in the $5K to $100K+ per month range, are levied on your acquiring bank and passed straight through to you, alongside higher processing fees or termination of your merchant account. That last one shuts down your ability to take cards.
Payment card breaches are brutal. Legal fees, notification costs, forensic investigations, and the reputational hit. A pentest finds the holes before an attacker does. That's always the cheaper path.
If you accept credit cards, your merchant account is a lifeline. PCI compliance keeps it in good standing. Losing it means you can't process payments, and getting a new one after non-compliance is hard.
Everything that touches, stores, or transmits cardholder data. Plus the systems around it that could provide a path in.
The CDE is ground zero. We test the systems that actually handle card data: POS terminals, payment gateways, databases storing card info, and backup systems. If it touches cardholder data, it's in scope.
PCI doesn't force you to segment your CDE from the rest of your network, but almost everyone does to keep the assessment scope manageable, and once you rely on segmentation, Requirement 11.4.5 says you have to prove it holds with a segmentation test at least once every 12 months (every six months for service providers, under 11.4.6). We test whether that segmentation actually holds up. Can someone on the guest Wi-Fi reach the payment network? We find out.
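What that segmentation check looks like in practice, as an added example and not the firm's own tooling: a TCP reachability sweep run from a host on an out-of-scope segment against the CDE's service ports. The point a practitioner cares about is the classification. An open port is the obvious finding, but a connection refused (the host sent a TCP RST) also means the boundary forwarded packets into the CDE, which fails the segmentation test even though nothing was listening; only a timeout or no route shows the boundary dropping traffic. The target list below is a constructed placeholder using RFC 5737 documentation addresses, not real systems.

```python
"""Segmentation reachability sweep.

Added example for this page, not the firm's own tooling. Run it from a host on
an out-of-scope segment (guest Wi-Fi, corporate LAN) against the CDE's service
ports. For PCI DSS v4.0 Requirement 11.4.5 the expected result is that nothing
in the CDE answers at all: "open" is the obvious finding, but "closed" (a TCP
RST came back) also means the boundary forwarded our packets into the CDE,
which is a segmentation failure even though the service was not listening.
Only "filtered" (no response or no route) shows the boundary dropping traffic.
The target list is a constructed placeholder using RFC 5737 documentation
addresses; replace it with the CDE inventory from scoping.
"""
import socket
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Target:
    label: str  # what the asset is, for the report
    host: str
    port: int


# Constructed placeholder inventory (hypothetical hosts).
CDE_TARGETS = [
    Target("payment gateway API", "192.0.2.10", 443),
    Target("card data database", "192.0.2.20", 1433),
    Target("POS back-office RDP", "192.0.2.30", 3389),
]


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a single TCP probe from the tester's position.

    open       - handshake completed, service reachable across the boundary
    closed     - RST received, so the host is reachable but not listening
    filtered   - no answer within the timeout or no route (boundary held)
    unresolved - hostname did not resolve; fix the inventory, not a result
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        return "unresolved"
    except OSError:  # socket.timeout, EHOSTUNREACH, ENETUNREACH, ...
        return "filtered"


def sweep(targets: Iterable[Target], timeout: float = 2.0) -> dict[str, str]:
    """Probe every target once; keys are 'host:port' for the report."""
    return {f"{t.host}:{t.port}": probe(t.host, t.port, timeout) for t in targets}


def findings(results: dict[str, str]) -> list[str]:
    """Any host that answered at all (open or closed) is a segmentation finding."""
    return sorted(key for key, status in results.items() if status in ("open", "closed"))


if __name__ == "__main__":
    results = sweep(CDE_TARGETS)
    for key, status in results.items():
        print(f"{status:<10} {key}")
    hits = findings(results)
    if hits:
        print(f"\n{len(hits)} segmentation finding(s): boundary passes traffic to {', '.join(hits)}")
    else:
        print("\nSegmentation held: no CDE host answered from this segment")
```

Run it once from each out-of-scope segment you claim is isolated (guest Wi-Fi, corporate LAN, vendor VPN); the evidence your QSA wants for 11.4.5 is the per-segment result set, not a single sweep from the tester's laptop.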
Who can get into the payment systems, and how? We test for default credentials, weak passwords, MFA bypasses, and privilege escalation. If there's a way to get unauthorized access, we'll find it.
Stored PAN has to be rendered unreadable (Requirement 3), and cardholder data in transit over open or public networks has to be protected with strong cryptography (Requirement 4). We verify that's actually happening. Weak TLS configs (TLS 1.0 or 1.1 still accepted, weak cipher suites), PAN sitting in cleartext database columns or application logs, and poor key management are common findings.
Requirement 10 wants you logging all access to cardholder data and to the systems that hold it. We check that the logs exist, that they're protected from tampering, and that the alerts actually fire when something suspicious happens rather than just landing in a file nobody reads.
Are your payment systems patched? Are there known vulnerabilities sitting unpatched on critical systems? We check patch levels and security configurations, and we test whether your defenses would actually stop exploitation of known CVEs rather than just taking the scanner's word for it.
Five phases. We start by mapping your payment environment and end with a report your QSA can actually use.
We identify all systems in your cardholder data environment and figure out the full scope of what needs testing. This includes systems directly in the CDE and anything connected to it.
Payment gateways, e-commerce platforms, and anything internet-facing gets tested for vulnerabilities an outside attacker could exploit to reach card data.
We simulate an attacker who's already inside your network. Can they move laterally into the CDE? Are the access controls between network segments actually stopping anything?
Wi-Fi networks near payment systems are a real risk. We check whether wireless access could give someone a path to your CDE.
Findings documented with CVSS scores, mapping to the PCI requirement each one affects, and remediation guidance. Formatted for your QSA or acquiring bank.
Everything you need for your merchant account file and PCI assessment.
Professional report addressing Requirement 11.4 specifically. Testing methodology, findings with CVSS scoring, and remediation recommendations. Built for PCI compliance review.
If you need a full QSA assessment, our documentation supports it. Scope definition, methodology, and findings summary in the format that payment processors and acquiring banks expect to see.
90-minute consultation after delivery. We go over findings, help prioritize what to fix first, and discuss timelines that'll satisfy your PCI auditor.
After remediation, we retest your fixes and document the results. Requirement 11.4.4 expects exploitable vulnerabilities found during the pentest to be corrected and the test repeated to verify the corrections, so this isn't just good for your merchant account file; it closes the loop the standard asks for and shows your acquiring bank you follow through.
Scoped to your payment environment. Annual testing keeps your PCI compliance current.
Custom-scoped to your payment environment
Test early. Fix what you find. Don't wait until your merchant account renewal is breathing down your neck.
Testing early in the year gives you time to fix issues before your merchant account renewal. Your acquiring bank can see that you tested, found problems, fixed them, and verified the fixes. That's the cycle they want to see.
Answers to the questions we hear from merchants and e-commerce businesses.
Yes. Requirement 11.4 is explicit: external and internal penetration testing of your CDE at least once every 12 months and after significant changes. If you accept credit cards and 11.4 is in scope for your validation, this isn't optional.
Your merchant account is at risk. Card brands enforce PCI compliance with fines from $5K to $100K+ per month, increased processing fees, or straight-up merchant account suspension. Losing the ability to process cards is a business killer.
We coordinate with your team to avoid disruption. Most testing is non-destructive. We can schedule active testing during off-peak hours, and you'll see the full scope before we start. If something needs to be done during business hours, we'll discuss it ahead of time.
It fulfills Requirement 11.4. If you need a full QSA assessment, our documentation feeds directly into that process. Smaller merchants who self-assess with an SAQ should check which SAQ applies to them: not every SAQ includes 11.4, but where it does, the pentest is typically the main piece of outside work they need.
We document them clearly and give you specific fix guidance. Critical findings in payment systems need fast attention. We can retest after you've remediated to verify the fixes are solid and update the documentation.
PCI-DSS 4.0 (Requirement 11.4.1) requires the tester to be qualified and organizationally independent of the systems being tested. The tester can be internal or external, doesn't have to be a QSA or ASV, and the standard doesn't mandate a specific certification. All testing is performed by Miguel Velazco, who holds OSCP and CRTO certifications. An independent third party with offensive certifications is how most merchants demonstrate that qualification to their QSA.
No. PCI requires a test within the last 12 months, and again after any significant change to the environment. Presenting an older report doesn't satisfy Requirement 11.4. Your environment changes throughout the year, so last year's results don't reflect your current risk anyway.
Pentesting typically doesn't require one, since we don't maintain ongoing access to your payment systems or retain cardholder data. If you need a confidentiality or security agreement in place before we start, we can work that out.
Satisfy Requirement 11.4. QSA-ready documentation. Scoped to your payment systems. 5-day turnaround.
OSCP-certified, independent tester as Requirement 11.4.1 expects
CDE testing for e-commerce and retail
Documentation your acquiring bank expects