Compliance-driven testing, 2026
Penetration Testing Cost for PCI DSS v4 (2026)
PCI DSS v4.0.1 (the only active version since v4.0 retired on 31 December 2024, with its future-dated requirements mandatory since 31 March 2025) is the most prescriptive compliance framework on penetration testing requirements. Annual external plus internal pentesting costs $15,000-$45,000. Segmentation testing adds $3,000-$7,000. Change-driven follow-up testing adds another $5,000-$15,000 per significant change. This page maps Requirement 11.4 to actual scope and cost in 2026.
Annual external + internal
$15K - $45K
Mandatory baseline
Segmentation addon
+$3K - $7K
If segmentation in scope
Change-driven testing
+$5K - $15K each
Per significant change
PCI DSS v4 Requirement 11.4 mapped to scope
PCI DSS v4.0.1 Requirement 11.4 has seven sub-requirements, each driving specific testing scope and cost.
| Sub-requirement | What it requires | Typical cost |
|---|---|---|
| 11.4.1 | Pentest methodology defined, documented and implemented (network-layer and application-layer testing, based on an industry-accepted approach such as NIST SP 800-115) | Internal effort, no external cost |
| 11.4.2 | Internal pentest at least once every 12 months and after significant infrastructure or application changes | $15K-$30K annually |
| 11.4.3 | External pentest at least once every 12 months and after significant infrastructure or application changes | $10K-$25K annually |
| 11.4.4 | Exploitable vulnerabilities and security weaknesses corrected per the entity's risk ranking (Req 6.3.1), with testing repeated to verify the fix | Embedded in retest fee |
| 11.4.5 | Segmentation testing if segmentation is used to isolate the CDE, at least once every 12 months and after changes to segmentation controls | +$3K-$7K annually |
| 11.4.6 | Service providers: segmentation testing at least once every six months and after changes to segmentation controls | Roughly doubles the 11.4.5 cost |
| 11.4.7 | Multi-tenant service providers support customers' external pentesting (per 11.4.3 and 11.4.4) | Internal effort, no external cost |
Cardholder Data Environment scope
The single most important question for PCI pentest cost is what the Cardholder Data Environment (CDE) actually covers. The CDE is everything that stores, processes, or transmits cardholder data or sensitive authentication data; PCI scope additionally takes in any system connected to the CDE or able to affect its security. Scope sprawl is the most common cost driver and the most common compliance failure mode.
Reputable PCI pentest firms will start the engagement with a CDE scope validation step, comparing your declared CDE against actual network traffic, log analysis, and configuration review. This step frequently identifies systems that should be in CDE but are not declared (most often: cloud-hosted payment-processing components, third-party JavaScript libraries on payment pages, internal admin tools that touch cardholder data).
Scope validation is usually 1-2 days of consultant time, well worth doing because mid-engagement scope expansion is much more expensive than upfront validation.
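The traffic-comparison half of scope validation can be made mechanical. The following is an added example, not code from this page or from any pentest firm: it takes a declared CDE address list and a set of flow records and reports (a) hosts outside the declared CDE that successfully reached it and (b) destinations the CDE itself talks to. Both are connected-to systems that need a scope decision. The flow-record format, the CDE ranges and the addresses are constructed for the example; real VPC or firewall flow logs carry more fields and need their own parser.

```python
"""CDE scope validation from flow records.

Added example for this page, not code from the page or from any vendor. It answers the
scope-validation question mechanically: which hosts outside the declared CDE successfully
talk to it, and what does the CDE talk to? Both groups are connected-to systems that must
either be declared in scope or have their path removed.
"""
import ipaddress
from collections import defaultdict

# Constructed declared-CDE scope for the example: a payment /24 plus one extra host.
DECLARED_CDE = ["10.10.0.0/24", "10.10.1.5/32"]

# Constructed flow records, deliberately simplified to
# src_ip,dst_ip,dst_port,proto,action (cloud VPC flow logs carry more fields; adapt parse_flows).
FLOW_RECORDS = """\
10.10.0.12,10.10.0.20,5432,tcp,ACCEPT
10.20.3.7,10.10.0.20,5432,tcp,ACCEPT
10.20.3.7,10.10.0.20,5432,tcp,ACCEPT
10.30.9.2,10.10.0.12,22,tcp,ACCEPT
10.40.1.1,10.10.0.12,443,tcp,REJECT
10.10.1.5,10.50.2.2,443,tcp,ACCEPT
192.0.2.10,10.10.0.12,443,tcp,ACCEPT
"""


def parse_flows(text):
    """Yield (src, dst, port, proto, action) tuples from the simplified record format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto, action = line.split(",")
        yield src, dst, int(port), proto, action


def in_cde(ip, cde_networks):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cde_networks)


def find_undeclared_connected(flow_text, declared_cde, ignore_sources=()):
    """Map each undeclared host that reached the CDE to the (cde_host, port, proto) it hit.

    Only ACCEPTed flows count: a REJECT is the segmentation control doing its job.
    ignore_sources lists networks that are out of scope by design, e.g. the public internet
    reaching the payment page; everything else that gets in is a connected-to system.
    """
    cde = [ipaddress.ip_network(n) for n in declared_cde]
    ignored = [ipaddress.ip_network(n) for n in ignore_sources]
    hits = defaultdict(set)
    for src, dst, port, proto, action in parse_flows(flow_text):
        if action != "ACCEPT" or not in_cde(dst, cde) or in_cde(src, cde):
            continue
        if in_cde(src, ignored):
            continue
        hits[src].add((dst, port, proto))
    return {host: sorted(paths) for host, paths in hits.items()}


def find_cde_egress(flow_text, declared_cde):
    """Map each undeclared destination the CDE talks to, to the (cde_src, port, proto) used.

    Outbound paths matter too: a logging, backup or update host the CDE connects to can
    affect CDE security and therefore needs a scope decision.
    """
    cde = [ipaddress.ip_network(n) for n in declared_cde]
    hits = defaultdict(set)
    for src, dst, port, proto, action in parse_flows(flow_text):
        if action == "ACCEPT" and in_cde(src, cde) and not in_cde(dst, cde):
            hits[dst].add((src, port, proto))
    return {host: sorted(paths) for host, paths in hits.items()}


if __name__ == "__main__":
    inbound = find_undeclared_connected(FLOW_RECORDS, DECLARED_CDE, ignore_sources=["192.0.2.0/24"])
    outbound = find_cde_egress(FLOW_RECORDS, DECLARED_CDE)
    for host, paths in inbound.items():
        print(f"undeclared host {host} reaches the CDE via {paths}")
    for host, paths in outbound.items():
        print(f"CDE reaches undeclared host {host} via {paths}")
```

On the constructed records the script flags 10.20.3.7 (an app host reaching the payment database) and 10.30.9.2 (an admin host with SSH into a payment server) as undeclared connected systems, and 10.50.2.2 as an undeclared destination the CDE talks to. The rejected attempt from 10.40.1.1 is not a scope issue, and the public-internet source is excluded deliberately. Each flagged host is exactly the kind of item that otherwise surfaces as mid-engagement scope expansion.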
Segmentation testing in detail
Segmentation testing is the most cost-relevant PCI-specific testing component. If your CDE scope is reduced through segmentation controls (which most modern PCI deployments do, because the alternative is treating your entire network as CDE), Requirement 11.4.5 mandates that you test those segmentation controls at least once every 12 months and after any change to segmentation controls or methods. Service providers that rely on segmentation to isolate the CDE must test at least every six months and after changes, under Requirement 11.4.6.
The segmentation test itself involves: enumerating every documented allowed pathway between non-CDE networks and the CDE, attempting to use undocumented pathways from each non-CDE network zone, verifying that segmentation enforcement points (firewalls, ACLs, VPC routing) actually block the expected traffic, and producing evidence that no unauthorised path exists.
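The evidence step of that procedure is a diff between what the firewalls actually let through and what the documentation says they should. The following is an added example, not code from this page or from nmap: it parses nmap greppable (-oG) output from one scan per non-CDE zone and compares the open paths against a documented allow-list, reporting undocumented open paths (findings) and documented paths that were not reachable (stale documentation, or a scan that did not really originate in the zone it claims). The zone names, allow-list and scan output are constructed for the example.

```python
"""Segmentation-test evidence: observed open paths vs documented allow-list.

Added example for this page, not code from the page or any tool vendor. The nmap output is
constructed in nmap's greppable (-oG) format. In a real test each scan must be launched from
a host that actually sits in the named non-CDE zone, because the origin is what is under test,
and it should cover all 65535 TCP ports plus UDP and ICMP; this script only evaluates ports
that nmap reports as open.
"""

# Constructed allow-list: documented pathways (zone, cde_host, port, proto) into the CDE.
ALLOWED = {
    ("corp-office", "10.10.0.12", 22, "tcp"),    # bastion SSH for administrators
    ("corp-office", "10.10.0.12", 443, "tcp"),   # admin web UI over TLS
    ("dmz-web", "10.10.0.20", 5432, "tcp"),      # web tier to payment database
    ("dmz-web", "10.10.0.12", 443, "tcp"),       # legacy health check, still documented
}

# Constructed nmap -oG output, one scan per non-CDE zone. Fields are tab separated.
SCANS = {
    "corp-office": (
        "# Nmap 7.94 scan initiated as: nmap -oG - -p- 10.10.0.0/24\n"
        "Host: 10.10.0.12 ()\tStatus: Up\n"
        "Host: 10.10.0.12 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
        "8080/open/tcp//http-proxy///\tIgnored State: filtered (65532)\n"
        "Host: 10.10.0.20 ()\tStatus: Up\n"
        "Host: 10.10.0.20 ()\tPorts: 5432/open/tcp//postgresql///\tIgnored State: filtered (65534)\n"
        "# Nmap done\n"
    ),
    "dmz-web": (
        "Host: 10.10.0.20 ()\tStatus: Up\n"
        "Host: 10.10.0.20 ()\tPorts: 5432/open/tcp//postgresql///\tIgnored State: filtered (65534)\n"
        "Host: 10.10.0.12 ()\tStatus: Up\n"
        "Host: 10.10.0.12 ()\tPorts: 443/filtered/tcp//https///\tIgnored State: filtered (65534)\n"
    ),
}


def parse_greppable(text):
    """Yield (host, port, proto) for every port nmap reports as open."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            # Each entry is port/state/proto/owner/service/rpc/version/
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open":
                    yield host, int(parts[0]), parts[2]


def evaluate_segmentation(scans, allowed):
    """Compare observed open paths with the documented allow-list.

    Returns (undocumented, unreachable):
      undocumented: open but not on the allow-list -> a segmentation finding for 11.4.5/11.4.6
      unreachable:  documented but not observed open -> stale documentation, or a scan that did
                    not really originate in the zone it claims; either way, investigate
    """
    observed = {
        (zone, host, port, proto)
        for zone, text in scans.items()
        for host, port, proto in parse_greppable(text)
    }
    undocumented = sorted(observed - allowed)
    unreachable = sorted(p for p in allowed if p[0] in scans and p not in observed)
    return undocumented, unreachable


if __name__ == "__main__":
    undocumented, unreachable = evaluate_segmentation(SCANS, ALLOWED)
    for zone, host, port, proto in undocumented:
        print(f"FINDING  {zone} -> {host}:{port}/{proto} is open but not a documented pathway")
    for zone, host, port, proto in unreachable:
        print(f"REVIEW   {zone} -> {host}:{port}/{proto} is documented but was not reachable")
```

On the constructed scans the corporate zone can reach an undocumented 8080 service on a payment server and, worse, the payment database directly; both are the kind of path a QSA would treat as a segmentation failure. The documented but unreachable legacy health check from the DMZ is not a finding, but it is evidence that the documented allow-list no longer matches the firewall and should be corrected before the report is finalised.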
Across our buyer corpus, roughly 35% of first-time segmentation tests find at least one previously unknown path into the CDE. The test cost ($3,000-$7,000) is almost always paid back by avoiding a QSA finding that would expand scope, plus the genuine risk reduction from closing the discovered path.
Sample annual PCI pentest budgets
Small online merchant (Level 4)
External + internal CDE pentest, no segmentation
$15,000 - $22,000/year
Mid-market merchant (Level 2)
External + internal + segmentation testing
$22,000 - $35,000/year
Large merchant (Level 1)
Above + multi-site CDE + change-driven retests
$45,000 - $80,000/year
Service provider (Level 1)
External + internal + 6-monthly segmentation
$50,000 - $90,000/year
Multi-tenant SaaS handling cards
Above + customer-facilitated pentest support
$60,000 - $120,000/year
PCI-specific report-format requirements
PCI pentest reports have specific structural expectations that QSAs check against. The report should include: an explicit scope statement that maps to the CDE, the methodology used (Requirement 11.4.1 expects an industry-accepted approach such as NIST SP 800-115 or the OWASP testing guides), all findings with a risk rating (CVSS is the usual convention; PCI DSS requires risk ranking per Requirement 6.3.1 rather than a particular scoring system), evidence of how each finding was identified, remediation status for each finding, and retest results for every finding that required correction.
The retest piece is particularly important. Requirement 11.4.4 requires that exploitable vulnerabilities and security weaknesses found in the pentest be corrected according to the entity's risk ranking and that the testing be repeated to verify the corrections. The retest evidence must be in the final report; a pentest report that only documents findings without retest evidence is incomplete from the QSA's perspective.
Most boutique firms include retesting in the engagement quote and produce a final report after retesting. Some Big 4 firms charge separately for retest. Always clarify whether retest is included before signing the SoW.
Frequently asked questions
How much does pentesting for PCI DSS cost in 2026?
Penetration testing for PCI DSS v4.0.1 in 2026 costs $15,000-$45,000 per year for the mandatory annual external plus internal testing of the Cardholder Data Environment. Segmentation testing adds $3,000-$7,000 per cycle. Significant changes during the year trigger additional testing requirements that can add another $5,000-$15,000 each.
What does PCI DSS v4.0.1 actually require for pentesting?
PCI DSS v4.0.1 Requirement 11.4 mandates internal penetration testing at least once every 12 months and after significant infrastructure or application changes (Req 11.4.2), external penetration testing on the same cadence (Req 11.4.3), and segmentation testing if segmentation controls are used to reduce CDE scope (Req 11.4.5, or every six months for service providers under Req 11.4.6). Testing must cover the entire CDE perimeter and critical systems, include both network-layer and application-layer testing, and follow a documented, industry-accepted methodology (Req 11.4.1).
Who can perform PCI DSS pentests?
PCI DSS does not require specific tester certifications, and the tester does not need to be a QSA or an ASV. The testing must be performed by a qualified internal resource or a qualified external third party, and the tester must be organisationally independent of the systems under test (not the team that configures or administers them). The PCI Security Standards Council does not maintain a list of approved pentest providers, but CREST, OSCP, GPEN and QSA-firm credentials are the industry norm.
What is segmentation testing and why does PCI require it?
If you use network segmentation to reduce the scope of your Cardholder Data Environment (separating CDE from non-CDE networks), PCI DSS v4.0.1 Requirement 11.4.5 requires you to test that the segmentation controls actually work. The test demonstrates that no path exists from non-CDE networks into the CDE other than the documented allowed pathways. Without segmentation testing, your scope-reduction claim is not validated.
What counts as a significant change requiring follow-up testing?
PCI DSS v4.0.1 gives examples of significant change rather than an exhaustive definition, and Requirement 12.5.2 separately requires scope to be re-confirmed after one. Common triggers include: new infrastructure added to the CDE, removal of network segmentation between CDE and non-CDE, major application releases that change authentication or session management, infrastructure migrations (data centre or cloud provider changes), and consolidation or split of merchant/acquirer relationships. When in doubt, ask your QSA before deciding the change does not require follow-up testing.