PCI DSS penetration testing for e-commerce: 4.0 requirements explained.
PCI DSS 4.0 became fully enforceable in March 2025. Most e-commerce merchants are still operating on PCI DSS 3.2.1 habits and are getting flagged in their first 4.0 audit cycle. Penetration testing requirements changed meaningfully between 3.2.1 and 4.0, and the most common gap is a misunderstanding of what segmentation testing actually means.
What changed in PCI DSS 4.0 for pentesting.
PCI DSS 4.0 Requirement 11.4 split into more specific sub-requirements. The big changes: (1) 11.4.5 explicitly requires segmentation testing every 6 months for service providers and annually for merchants. (2) 11.4.6 specifies that exploitable vulnerabilities found in pentests must be corrected and the corrections verified, which is the formal re-test requirement. (3) 11.4.7 requires pentests to cover the entire CDE perimeter from both inside and outside.
Merchants doing only an external pentest are now non-compliant. An internal pentest of the CDE is now an explicit requirement.
Scoping a PCI DSS pentest for an e-commerce merchant.
Scope requires four things at a minimum: (1) External pentest of internet-facing components within and adjacent to the CDE. (2) Internal pentest from a pivot point inside the merchant network. (3) Segmentation testing validating that out-of-scope networks cannot reach the CDE. (4) Application-layer pentest of the e-commerce platform itself, including the payment flow.
Tokenization or hosted payment field implementations do not eliminate scope. Even a Stripe or Braintree integration means the merchant is in scope for the systems that redirect, embed, or interact with the payment fields.
Segmentation testing is what most merchants miss.
Segmentation testing is not optional. The PCI DSS 4.0 requirement is to verify that the CDE is properly isolated from the rest of the merchant network. The pentester attempts to reach in-scope systems from out-of-scope systems using documented and undocumented paths.
Common segmentation failures we see: (1) Shared Active Directory domain between CDE and corporate. (2) Jump boxes that allow lateral movement back to CDE. (3) Backup systems that traverse network boundaries. (4) Monitoring tools (Splunk, Datadog) with overly permissive network ACLs. (5) VPN tunnels between offices that route through CDE-adjacent subnets.
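As an added example (not the article's own tooling), the check below compares exported firewall rules against the documented CDE connectivity matrix and flags every undocumented path from an out-of-scope network into the CDE; the subnets, rules and documented path are constructed sample data that mirror the failures listed above.

```python
"""Flag firewall rules that open undocumented paths into the CDE.

Added example with constructed data; the Rule shape, subnets and the
documented-path tuple are assumptions, not any vendor's export format.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int  # TCP destination port, 0 means any port


# Constructed: the card-processing subnet and the single documented path
# (jump box -> CDE over 443 only). Anything else inbound is undocumented.
CDE_NETS = [ip_network("10.50.0.0/24")]
DOCUMENTED = {("10.60.0.0/24", "10.50.0.0/24", 443)}


def touches_cde(cidr: str) -> bool:
    """True if the CIDR overlaps any CDE range (broad rules count)."""
    net = ip_network(cidr)
    return any(net.overlaps(c) for c in CDE_NETS)


def undocumented_paths(rules, documented=DOCUMENTED):
    """Return rules that let a non-CDE source reach the CDE outside the
    documented matrix. Exact-tuple matching means a rule broader than
    its documented path (e.g. any port) is still reported."""
    gaps = []
    for r in rules:
        if not touches_cde(r.dst) or touches_cde(r.src):
            continue  # not inbound to the CDE, or CDE-internal traffic
        if (r.src, r.dst, r.port) not in documented:
            gaps.append(r)
    return gaps


# Constructed rules reproducing the failure modes from the list above.
SAMPLE_RULES = [
    Rule("jump-to-cde", "10.60.0.0/24", "10.50.0.0/24", 443),
    Rule("corp-ad", "10.10.0.0/16", "10.50.0.0/24", 445),     # shared AD domain
    Rule("monitoring-any", "10.20.5.0/24", "10.0.0.0/8", 0),  # collector, any port
    Rule("backup", "10.30.0.0/24", "10.50.0.0/24", 22),       # backup host into CDE
    Rule("cde-internal", "10.50.0.10/32", "10.50.0.20/32", 5432),
]

if __name__ == "__main__":
    for g in undocumented_paths(SAMPLE_RULES):
        print(f"UNDOCUMENTED PATH INTO CDE: {g.name} {g.src} -> {g.dst}:{g.port or 'any'}")
```

Run it against your real rule export and the approved connectivity matrix before the engagement; every line it prints is a path the pentester will exercise and the QSA will ask about.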
If segmentation testing was not done in your last pentest, the audit will flag it.
ASV scan is not pentest.
Many merchants conflate quarterly ASV (Approved Scanning Vendor) scans with a pentest. They are different artifacts, and PCI DSS 4.0 requires both. ASV scans are automated external vulnerability scans run by an approved vendor. A pentest is manual, methodology-driven testing that includes exploitation of findings and a re-test.
QSAs (Qualified Security Assessors) will reject pentest evidence that looks like an ASV scan report. The pentest report must include narrative, methodology citation, finding exploitation details, and re-test evidence. ASV scan reports do not include any of this.
Pentest cost and timing for e-commerce.
PCI DSS 4.0 e-commerce pentest engagements run $18K-$45K depending on architecture. Multi-region e-commerce, separate point-of-sale system integration, or multiple payment processors add $3K-$8K each. Segmentation testing adds $5K-$10K, typically billed as part of the engagement.
QSA audits are usually scheduled annually. Pentest evidence must be dated within the 12 months preceding the audit. Plan the pentest 90 days before the QSA engagement so remediation and the re-test have time to complete.