PCI Security Standards Council · global
PCI DSS 4.0.1 testing: pen test requirements 2026
PCI DSS v4.0.1 (current version, published June 2024; the v4.x future-dated requirements became mandatory 31 March 2025) requires pen testing of the CDE at least every 12 months plus after significant change. Segmentation testing is a separate requirement (every 6 months for service providers, annually otherwise). Use a QSA-aligned testing firm for a defensible compliance trail.
Required
Mandatory for organisations handling payment card data (PCI DSS 11
Region
GLOBAL
Publisher
PCI Security Standards Council
Applies to
- External and internal pen testing of CDE (Cardholder Data Environment)
- Segmentation testing
Budget impact
Day count impact
Adds 30-50% to day count for full CDE scope vs equivalent non-PCI test
Rate impact
Specialist QSA-aligned testers typically at upper end of day-rate band
Source
↗ https://www.pcisecuritystandards.org/document_library/?category=pcidssVerified 2026-06-25.
Other standards