Updated On 22 December, 2022

PCI Penetration Testing - What’s New in PCI DSS 4.0

What is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) provides businesses with technical and operational requirements to guide them in protecting cardholder account data. While the standard is heavily focused on payment card account data, businesses that are required to be PCI DSS compliant can leverage this requirement as an opportunity to improve the security of their entire digital ecosystem throughout the compliance process.

Major credit card companies, including American Express, Mastercard, Visa, and Discover are the primary stakeholders that enforce PCI DSS compliance. PCI DSS non-compliance penalties can cost a business anywhere from $5k-$100k per month. These fines are steep for a reason: by helping enforce the security of cardholder data, PCI is helping to manage the security risks associated with fraud and identity theft. When a business is not compliant with PCI DSS, their customers’ payment cards are at risk of data exposure.


On March 31, 2022, the Payment Card Industry Security Standards Council (PCI SSC) released the latest version of the Payment Card Industry Data Security Standard, PCI DSS 4.0, which is a set of requirements designed to enforce strong security practices to protect cardholder data and enable widespread adoption of these security measures globally. You can read about the full updates including PCI DSS 4.0 pentests here.

The PCI SSC has allocated time for organizations to transition to PCI DSS 4.0, implementing a transition period that extends from now until March 2024. Up until March 31, 2024, organizations can continue certifying their PCI DSS compliance against the PCI DSS v3.2.1 requirements. Once PCI DSS version 3.2.1 is retired at the end of the transition period in 2024, PCI DSS 4.0 will take precedence and become the standard that organizations are required to adhere to for PCI DSS compliance.

Is Penetration Testing Required for PCI DSS Compliance?

PCI DSS penetration testing is still required for PCI DSS compliance, but compared to v3.2.1, there have been some changes. The specific changes for pentesting are addressed in PCI DSS requirement 11.4, which reads:

“External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.”

PCI DSS 4.0 provides clear guidelines and a defined approach to meeting the penetration testing requirement for PCI DSS compliance, including guidance on the penetration testing procedure itself.

PCI Penetration Testing Requirements Infographic

The following infographic summarizes PCI penetration testing requirements and guidance for audit readiness for PCI DSS 4.0. Learn the details and share this with your colleagues in the SOC and on the GRC team. With BreachLock, we can help you and your teams prepare for PCI DSS 4 audit readiness in 2023.

PCI DSS 4.0 Infographic

How to Prepare for PCI DSS 4.0 Audit-Readiness

BreachLock is a Penetration Testing as a Service (PTaaS) provider with extensive experience in PCI penetration testing, offering full-stack penetration testing services. Our services are ideal for preparing your organization for compliance with the PCI DSS 4.0 standard in 2024. BreachLock customers enjoy lowering their TCO by 50% and reaching audit-readiness 50% faster with expedited turnaround times and remediation guidance from our team of PCI DSS experts.

We’ll help you scope your pentest exercise specifically for your organization’s PCI DSS 4.0 compliance needs. From the new requirements for CDE pentesting and vulnerability scanning onward, BreachLock is ready to help you assess the next steps in your transition from PCI DSS 3.2.1 to PCI DSS 4.0.

As a certified, compliant, globally recognized penetration testing leader with highly qualified penetration testers (CREST, OSCP, OSCE, GSNA, CISSP, etc.), BreachLock makes giving you the support and guidance you need to meet your compliance and security goals one of the top priorities of our penetration testing services.

  • Receive audit-ready PCI penetration testing reports in 7-10 business days;
  • Access your results and monitor your security posture for 12 months at no additional cost; and
  • Get the 1:1 support you need to remediate vulnerabilities quickly and maintain results until your next audit.

To meet third-party requirements, BreachLock can help you with assessing both your environment and your third-party vendors’ environments for PCI DSS 4.0 compliance. BreachLock’s vendor assessments include the attestation of compliance (AOC) you will need to prove your third-party service providers (TPSP) meet the new requirements in PCI DSS 4.0. Your third-party vendors can call us directly, or we’ll work with you to conduct the required assessments you need for your engagement.

Want to learn how BreachLock can help you prepare for this PCI DSS 4.0 update? Schedule a discovery call today and prepare for PCI DSS compliance with BreachLock.
