PCI & Credit Cards
We show your QSA exactly where the CDE breaks under a real attack, then prove the fix holds.
PCI Pentests That Prove Your CDE Holds, Not Just That It Exists on a Diagram
We test your CDE, payment apps, APIs, and segmentation the way an attacker would, then hand your QSA PCI DSS v4.0.1 proof.
PCI DSS v4.0.1 Requirement 11.4
PCI DSS v4.0.1 Requirement 11.4 calls for a defined penetration testing methodology and regular internal and external testing, with exploitable vulnerabilities corrected and retested. Where you use segmentation to reduce scope, those controls have to be tested to confirm out-of-scope systems stay isolated from the cardholder data environment.
| PCI area | Description | How Raxis supports it |
| 11.4.1 | Maintain a penetration testing methodology | Documented rules of engagement, scope, approach, tools, exclusions, and evidence. |
| 11.4.2 | Internal penetration testing | Manual exploitation across in-scope internal CDE networks and systems. |
| 11.4.3 | External penetration testing | Internet-facing testing against CDE-connected assets, exposed services, and attack paths. |
| 11.4.4 | Remediation and retesting | Findings include fix guidance, and retesting verifies corrective actions. |
| 11.4.5 | Segmentation testing where segmentation is used to reduce scope | Attempts to bypass segmentation and validate CDE isolation from out-of-scope networks. |
| 11.4.6 | Service provider segmentation testing every six months | Six-month segmentation testing for service providers, validating CDE isolation. |
| 11.4.7 | Multi-tenant service provider support for customer external testing | Support for customer external penetration testing under 11.4.3 and 11.4.4. |
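The segmentation rows above (11.4.5 and 11.4.6) come down to two questions a QSA will ask: did any out-of-scope host reach a CDE service during the test, and is the next test already overdue? The script below is an added example, not Raxis tooling or part of the original page. It assumes a constructed CDE address plan and a constructed set of connectivity probe results of the kind a tester records from an out-of-scope segment; the six-month interval for service providers is the one the table states, and the 12-month interval used for other entities is taken from the standard's 11.4.5 wording rather than from this page.

```python
"""Segmentation test evidence checker (added example, not Raxis tooling).

Evaluates the outcome of a segmentation test as described for 11.4.5 and
11.4.6: which probes prove an out-of-scope host reached the CDE, and when
the next test falls due. All addresses and dates are constructed.
"""
import calendar
import ipaddress
from dataclasses import dataclass
from datetime import date

# Constructed CDE address plan (assumption: these prefixes are the in-scope CDE).
CDE_PREFIXES = [ipaddress.ip_network(p) for p in ("10.20.0.0/16", "192.168.50.0/24")]


@dataclass(frozen=True)
class Probe:
    source: str       # address the probe was sent from
    dest: str         # address probed
    port: int
    reachable: bool   # True when a TCP connection completed


def in_cde(ip: str) -> bool:
    """Classify an address against the CDE prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDE_PREFIXES)


def segmentation_findings(probes):
    """Probes proving an out-of-scope host reached a CDE service.

    Probes sourced from inside the CDE are ignored (they say nothing about
    isolation from out-of-scope networks), as are probes toward non-CDE
    destinations.
    """
    return [p for p in probes
            if p.reachable and in_cde(p.dest) and not in_cde(p.source)]


def isolation_holds(probes) -> bool:
    """True when no out-of-scope source reached any CDE port."""
    return not segmentation_findings(probes)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of short months."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_segmentation_test_due(last_test_iso: str, service_provider: bool) -> date:
    """Next due date for segmentation testing.

    Six months for service providers is 11.4.6 as the table states; the
    12-month interval for other entities is the standard's 11.4.5 interval
    (assumption: confirm with your QSA).
    """
    last_test = date.fromisoformat(last_test_iso)
    return add_months(last_test, 6 if service_provider else 12)


def segmentation_overdue(last_test_iso: str, today_iso: str, service_provider: bool) -> bool:
    """True once today is past the due date computed above."""
    return date.fromisoformat(today_iso) > next_segmentation_test_due(last_test_iso, service_provider)


# Constructed sample: results a tester might record from an out-of-scope VLAN.
SAMPLE_PROBES = [
    Probe("172.16.5.10", "10.20.1.5", 443, False),
    Probe("172.16.5.10", "10.20.1.5", 22, True),      # finding: SSH into the CDE
    Probe("10.20.1.9", "10.20.1.5", 3306, True),      # CDE-internal, ignored
    Probe("172.16.5.11", "172.16.9.3", 80, True),     # non-CDE destination, ignored
    Probe("172.16.5.12", "192.168.50.7", 445, True),  # finding: SMB into the CDE
]

if __name__ == "__main__":
    for f in segmentation_findings(SAMPLE_PROBES):
        print(f"segmentation gap: {f.source} -> {f.dest}:{f.port}")
    print("isolation holds:", isolation_holds(SAMPLE_PROBES))
    print("next test due:", next_segmentation_test_due("2024-08-31", service_provider=True))
```

The check deliberately discards probes sourced from inside the CDE: a successful connection between two in-scope hosts is not a segmentation finding, and counting it would inflate the report without proving anything about isolation. Due dates are computed in calendar months rather than fixed day counts so a test run on the 31st lands on the last day of a shorter month instead of spilling into the next one.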
Requirement 11.4 Does Not Stand Alone
Requirement 11.4 covers the penetration testing detailed in the table above. We test with the full picture in mind so your evidence lines up.
How Often PCI Pen Testing Is Required
The cadence trips up more teams than any other part of 11.4. Here is the short version.
PCI DSS expects you to keep pen test results and remediation records for at least 12 months. Every Raxis engagement lives in Raxis One, so your history and retest evidence stay in one place when the QSA asks.
The Problem with Most PCI Pentests
Most PCI pentests stop at automated output and never answer the question that matters: could an attacker reach cardholder data? We test the paths attackers actually use: app flaws, API weaknesses, identity issues, misconfigurations, segmentation gaps, and lateral movement.
What We Find in Cardholder Data Environments
These are the findings that show up across real PCI engagements. Most started as something a scan flagged and nobody validated.
PCI Testing Backed by Raxis Trust
Raxis PCI penetration testing is performed by U.S.-based offensive security professionals and delivered through secure Raxis One workflows. For details on our SOC 2 Type II status, data handling, insurance, internal controls, and team credentials, visit the Raxis Trust Center.
Why Raxis for PCI Penetration Testing
The tester on your scope call is the one breaking into the CDE, and the one retesting your fix.
What a PCI Pentest Costs
PCI pen testing runs from around $8,000 for a tightly scoped CDE up to $40,000 or more for large, multi-segment, multi-app environments. The cheapest quote is rarely the one a QSA respects.
We scope every engagement to your actual environment and give you a fixed quote before anything starts. No surprise change orders mid-test.
“We’d already spent well into six figures with a well-known firm trying to find how we were losing store credit card data, and they couldn’t. Raxis found it for less than we’d paid them.”
