PCI DSS 4.0 testing: pen test requirements 2026
PCI DSS 4.0 (effective 2024) requires annual penetration testing of the CDE, plus re-testing after any significant change. Segmentation testing is a separate annual requirement. Use a QSA-aligned testing firm to produce a defensible compliance trail.
Required
Mandatory for organisations handling payment card data (PCI DSS 11
Region
GLOBAL
Publisher
PCI Security Standards Council
Applies to
- External and internal pen testing of CDE (Cardholder Data Environment)
- Segmentation testing
Budget impact
Day count impact
Adds 30-50% to the day count for full CDE scope versus an equivalent non-PCI test
Rate impact
Specialist QSA-aligned testers typically sit at the upper end of the day-rate band
Source
https://www.pcisecuritystandards.org/document_library/?category=pcidss
Verified 2026-06-02.