[ PCI DSS · v4.0.1 ]

PCI DSS Penetration Testing

Annual penetration testing that satisfies PCI DSS v4.0.1 Requirement 11.4 — internal, external, and segmentation testing of your cardholder data environment, in a report your QSA will accept.

The requirement, in plain terms.

PCI DSS Requirement 11.4 mandates penetration testing of your cardholder data environment (CDE) at least annually and after any significant change to the environment.

REQUIREMENT 11.4

Internal and external penetration testing of the CDE, plus testing to validate that segmentation controls isolate the CDE from out-of-scope systems.

FREQUENCY

At least annually, and after any significant change to the environment — new infrastructure, new applications, or material architecture changes.

WHO NEEDS IT

Any organization that stores, processes, or transmits cardholder data: fintech, payment processors, e-commerce, and SaaS handling payments.

What's in our PCI DSS engagement.

5–10 days · from $15,000 · retests for HIGH and CRITICAL findings included.

  • External penetration testing of internet-facing CDE systems
  • Internal penetration testing from within the network perimeter
  • Segmentation testing to validate CDE isolation
  • Application-layer testing of payment flows
  • Findings mapped to PCI DSS v4.0.1 Requirement 11.4
  • Methodology disclosure (PTES, OWASP, NIST SP 800-115)
  • Retests for HIGH and CRITICAL findings
  • QSA-ready executive and technical reporting

Why teams choose us for PCI DSS.

01 QSA-ACCEPTED REPORTS

Our reports are structured the way assessors expect — scope boundary statements, methodology disclosure, and control mapping. Your QSA validates, doesn't interpret.

02 SEGMENTATION DONE RIGHT

We test segmentation the way an attacker would attempt to cross it, not just a config review — so your scope reduction actually holds up.

03 FAST ENOUGH FOR YOUR ASSESSMENT WINDOW

Most engagements run 5–10 business days. We schedule around your assessment date, not the other way around.

Starting at $15,000.

Final scope depends on the size of your CDE, number of in-scope applications, and whether segmentation testing is required. We set final scope and price on a 30-minute call — no obligation.

Book a scoping call

PCI DSS pentest questions.

01 Does your report satisfy PCI DSS Requirement 11.4?

Yes. Findings are mapped directly to Requirement 11.4 and the report includes the scope, methodology, and segmentation testing your QSA needs to validate the control.

02 Do you test segmentation?

Yes. We actively attempt to cross segmentation boundaries between the CDE and out-of-scope systems, which is what 11.4.6 requires after significant change.

03 How often does PCI DSS require a pentest?

At least annually, and after any significant change to your environment. Many organizations schedule it ahead of their annual assessment.

04 What affects the price?

The size of your cardholder data environment, the number of in-scope applications, and whether internal and segmentation testing are required. Engagements start at $15,000.

[ ENGAGE ]

Ready for your PCI DSS pentest?

Book a 30-minute scoping call. We'll confirm scope, timeline, and price — and how the report maps to your PCI DSS requirements.

Book a scoping call