pentestcostcalculator.com
PCI Security Standards Council · global

PCI DSS 4.0.1 testing: pen test requirements 2026

PCI DSS v4.0.1 (current version, published June 2024; the v4.x future-dated requirements became mandatory 31 March 2025) requires pen testing of the CDE at least every 12 months plus after significant change. Segmentation testing is a separate requirement (every 6 months for service providers, annually otherwise). Use a QSA-aligned testing firm for a defensible compliance trail.

Required
Mandatory for organisations handling payment card data (PCI DSS 11
Region
GLOBAL
Publisher
PCI Security Standards Council

Applies to

  • External and internal pen testing of CDE (Cardholder Data Environment)
  • Segmentation testing

Budget impact

Day count impact

Adds 30-50% to day count for full CDE scope vs equivalent non-PCI test

Rate impact

Specialist QSA-aligned testers typically at upper end of day-rate band

Source

https://www.pcisecuritystandards.org/document_library/?category=pcidss

Verified 2026-06-25.

Other standards
CRESTCHECKCyber Essentials PlusOWASP Testing StandardsNIST SP 800-115