PCI DSS Penetration Testing vs. Compliance: Know the Gap

Written By Michael Sanders

Every year, thousands of organizations pass their PCI audit. And every year, many of those same organizations get breached.

PCI DSS penetration testing is required by the standard. But the way most companies approach it, as a checkbox to satisfy their QSA, leaves real attack paths untested and real risk unaddressed.

That gap is where breaches happen.

What PCI DSS v4.0 Actually Requires from Penetration Testing

PCI DSS v4.0 Requirement 11.4 mandates penetration testing against both the external and internal perimeter of the cardholder data environment (CDE). Requirement 11.4.5 adds active segmentation testing: you have to prove your network segmentation actually works, not just document it.

Those requirements exist because the PCI Security Standards Council knows that controls on paper don't equal controls that hold under pressure.

What the standard doesn't mandate: an adversary-driven test that replicates how a real attacker would chain vulnerabilities, move laterally, and reach your CDE. At minimum, PCI DSS requires a structured test that confirms the existence of controls. Whether those controls stop a motivated attacker is a different question entirely.

The Compliance Checkbox Problem with PCI DSS Penetration Testing

When a company scopes its PCI DSS penetration test to the minimum required by the ROC, it's optimizing for the wrong outcome.

The typical approach:

  • Scope is limited to the CDE and its direct connections

  • The test is run once annually, right before the audit

  • Results are submitted to the QSA without independent validation

  • Findings are remediated just enough to pass, not fixed comprehensively

This isn't fraud. It's rational behavior in a system that rewards compliance over security.

Attackers don't read your ROC. They probe your full environment, find the path of least resistance, and move through it. The segmentation test confirmed your VLANs were isolated but didn't check whether cloud workloads feeding card data into the CDE are hardened. The perimeter test confirmed your edge held but didn't verify whether service accounts can be escalated to Domain Admin.

Passing the audit is not proof your defenses work.

What Adversary-Driven Penetration Testing Looks Like Instead

Adversary-driven penetration testing starts from a different premise: assume the attacker already has a foothold somewhere in your environment. Now what?

Instead of checking whether specific controls are present, it asks: what is the realistic path to your cardholder data?

That means:

  • Full-scope enumeration: not just CDE-adjacent systems, but anything that could provide lateral movement into scope

  • Active exploitation: testing whether vulnerabilities can actually be chained into a meaningful attack, not just catalogued

  • Realistic attacker simulation: using the same TTPs a threat actor targeting your industry would use

  • Segmentation validation under adversarial conditions: not just confirming VLANs exist, but testing them the way an attacker would probe them

Our post on PCI DSS v4.0 Requirement 1: Why Network Segmentation Testing Is the Foundation of CDE Protection covers the technical specifics of how Requirement 11.4.5 segmentation testing should work and why documented isolation rarely holds the way organizations expect.

The output isn't just a finding list for the QSA. It's a clear picture of your real risk: what an attacker could actually reach, how far they could get, and what it would take to stop them.

Why PCI DSS v4.0 Makes This Harder to Ignore

Three v4.0 changes matter here:

Requirement 11.4.1 specifies penetration testing must be performed by a qualified internal resource or a qualified external third party. The independence requirement is explicit, and the QSA is not the same entity as the pentester in any defensible compliance interpretation.

Requirement 11.4.4 requires that exploitable vulnerabilities and security weaknesses found during testing be corrected, with additional penetration testing performed after corrections to confirm remediation. A finding list that gets partially patched before the ROC is filed doesn't satisfy this.

Requirement 11.4.7 requires multi-tenant service providers to support their customers' penetration testing activities. If you're a service provider, your scope is wider than you may think.

These requirements push organizations toward independent, adversary-driven testing rather than a QSA-adjacent checkbox.

Our Position on the QSA Relationship

Exploit Technology works alongside QSAs. We don't replace them. The QSA's job is to validate compliance: they assess whether controls meet the standard. That's a different job than breaking those controls.

Independent penetration testing and QSA assessment are complementary, not redundant.

A QSA benefits from having a rigorous independent pentest before the audit. It surfaces issues before they become audit findings and provides evidence that the organization's controls were tested under adversarial conditions, not just documented.

What doesn't work: using the QSA-aligned pentest scope as your entire security posture validation.

The organizations that get real value from their pentest budget get two things from a single properly scoped engagement: a PCI DSS-compliant test that satisfies Requirement 11.4, and an adversary-driven assessment that shows them whether their defenses actually hold.

4 Questions to Ask Before Your Next PCI DSS Pentest

1. Is the scope limited to the CDE, or does it include the realistic attack path to the CDE? If your pentesters aren't testing the systems adjacent to and feeding into your CDE, they're not seeing what attackers see.

2. Is active exploitation included, or is this a vulnerability scan with a pentest label? Automated scanning identifies potential vulnerabilities. Penetration testing confirms whether they're exploitable in your specific environment. These produce different outputs and answer different questions.

3. Does the testing methodology include adversary simulation, or is it checklist-based? Ask for the testing framework: PTES, MITRE ATT&CK, custom methodology. A framework built around real attacker behavior produces different results than one built around compliance requirements.

4. How is segmentation tested? "We confirmed VLAN isolation" is not segmentation testing. Ask what specific techniques were used to test it.

FAQ

What's the difference between a compliance pentest and an adversary-driven pentest? A compliance pentest is scoped to satisfy a regulatory requirement: it confirms controls are present. An adversary-driven pentest asks whether an attacker can reach your most sensitive systems. Both are useful. Only one tells you whether you're actually secure.

Does PCI DSS v4.0 require adversary-driven testing? Not in those exact terms, but customized approach options explicitly require organizations to demonstrate their controls achieve the security objective, not just that they exist. That standard is much closer to adversary-driven testing than most organizations realize.

Can the same firm do both the QSA assessment and the penetration test? Most qualified assessors prefer separation. The QSA validates; the pentester breaks things. The independence of the pentest is part of what makes it credible evidence for the QSA.

How often should PCI DSS penetration testing be performed? PCI DSS requires at least annually and after significant infrastructure or application changes. Organizations preparing for v4.0 deadlines or those that have undergone architectural changes should test more frequently.

Passing your PCI audit and actually being secure aren't the same thing. They never were.

Schedule a consultation with Exploit Technology to see what adversary-driven PCI DSS penetration testing looks like in practice, and what your current scope is missing.

Michael Sanders
Next

PCI DSS v4.0 Requirement 11.4: Why Penetration Testing Just Got Harder to Fake