PCI DSS Compliance

PCI DSS Penetration Testing

Pentests mapped to PCI DSS 4.0 Requirement 11.4. Internal, external, and segmentation testing of your CDE — annual, post-change, and continuous — with evidence your QSA accepts.


Why PCI DSS pentesting matters now

PCI DSS 4.0 went into full enforcement on 31 March 2025, with new testing requirements that make annual-only testing risky. Requirement 11.4.1 mandates a documented penetration testing methodology; 11.4.3 requires external pentests at least annually and after significant change; 11.4.6 requires segmentation-control testing every six months for service providers. Acquirers are asking for quarterly evidence during the transition — and card brands are increasing enforcement.

PCI DSS clause-by-clause coverage

Every Matproof finding is mapped to the specific PCI DSS clause it informs. Your auditor sees the control, the evidence, and the remediation in one report.

Requirement 11.4.1

Penetration testing methodology must be defined, documented, and implemented

Requirement: A penetration testing methodology is defined, documented, and implemented by the entity, and includes industry-accepted approaches (e.g., NIST SP 800-115, OSSTMM, OWASP).

How Matproof covers it: Matproof's scan methodology aligns with OWASP Testing Guide v4 and NIST SP 800-115 — exported as a PDF methodology document alongside every report.

Requirement 11.4.2

Internal penetration testing

Requirement: Internal penetration testing is performed at least once every 12 months and after any significant infrastructure or application upgrade or change.

How Matproof covers it: Matproof runs authenticated internal pentests across the CDE and connected systems — continuously, not annually — with a full report available on demand.

Requirement 11.4.3

External penetration testing

Requirement: External penetration testing is performed at least once every 12 months and after any significant infrastructure or application upgrade or change.

How Matproof covers it: Black-box external pentests target internet-facing CDE surfaces at your chosen cadence. Continuous is the default.

Requirement 11.4.4

Exploitable vulnerabilities must be corrected

Requirement: Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected and testing is repeated to verify the corrections.

How Matproof covers it: Matproof re-tests fixed findings automatically, producing the verification artefact Requirement 11.4.4 specifies. No manual retest coordination required.

Requirement 11.4.5

Segmentation controls must be penetration tested

Requirement: If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls to verify they are operational and effective.

How Matproof covers it: Segmentation testing verifies network controls actually restrict traffic as designed — authenticated scans attempt lateral movement from non-CDE to CDE.

Requirement 11.4.6 (Service providers)

Service-provider segmentation testing

Requirement: Additional requirement for service providers only: segmentation controls are tested at least every 6 months.

How Matproof covers it: Scheduled semi-annual segmentation tests with signed attestation — specifically formatted for QSA review.

What Matproof tests for PCI DSS

  • Cardholder Data Environment (CDE) — web apps, APIs, databases
  • All systems connected to or that can impact the security of the CDE
  • External attack surface of CDE-adjacent systems
  • Internal network segmentation controls
  • Wireless access points and segmentation to CDE
  • Applications handling card data (PAN, CVV, track data)
  • Service-provider CDE boundaries (for Requirement 11.4.6)

Audit-ready PCI DSS reports

  • Findings mapped to Requirements 11.4.1 through 11.4.6
  • Methodology documentation (NIST SP 800-115 / OWASP alignment)
  • Internal, external, and segmentation test evidence split by report section
  • Retest verification for Requirement 11.4.4
  • CVSS 3.1 scoring with business-impact rationale
  • QSA-ready format with AOC-compatible evidence exhibits

PCI DSS 4.0 Penetration Testing — FAQ

Is penetration testing required for PCI DSS?

Yes. PCI DSS 4.0 Requirement 11.4 explicitly mandates penetration testing for all merchants and service providers. Internal and external tests are required annually; service providers must test segmentation controls semi-annually.

Does PCI DSS 4.0 accept AI-automated pentesting?

PCI DSS 4.0 does not prescribe a specific execution method — it requires industry-accepted methodology (NIST SP 800-115, OSSTMM, OWASP) and qualified personnel reviewing results. Matproof's methodology aligns with those standards, and every report is reviewed by a CREST-certified lead before delivery. QSAs have accepted Matproof reports across all major card brands.

What's changed in PCI DSS 4.0 vs 3.2.1?

4.0 adds explicit methodology documentation requirements (11.4.1), strengthens segmentation testing (11.4.5 and 11.4.6), and introduces a 'customised approach' that allows continuous testing as an alternative to point-in-time. Matproof is ideally suited for the customised approach.

How does continuous PCI DSS testing compare to annual testing?

Annual testing satisfies the minimum. Continuous testing satisfies the intent — Requirement 11.4.4 requires re-testing after fixes, and 12.10.x requires rapid detection of new exposures. Continuous scanning catches drift that annual testing misses. Matproof delivers both the formal annual report and the ongoing evidence stream.

Ready to make PCI DSS pentesting continuous?

Start a free scan in minutes. Get your first PCI DSS-mapped findings the same day.
