Executive brief on how PCI DSS 4.0 affects offensive security practices, penetration testing, and segmentation testing. Watch Now

Interview: PCI DSS 4.0 Expert Breakdown

This executive brief features an expert discussion focusing on how PCI DSS 4.0 affects offensive security practices, penetration testing, and segmentation testing.

Watch Bishop Fox’s CISO Christie Terrill, Adam Bush, Managing Director at Schellman, and Zach Fasel, Managing Partner at Urbane Security for a discussion on how PCI DSS 4.0 is impacting offensive security practices, including penetration testing and segmentation testing.

With the new requirements fully in effect as of March 31, 2025, this session delivers practical insight for organizations navigating compliance and adapting their testing strategies accordingly.

Topics Covered

Offensive Security Requirements in PCI DSS 4.0

  1. Overview of offensive security expectations in PCI DSS 4.0
  2. Clarification on internal, external, and application-layer penetration testing
  3. Differences between standard penetration tests and more advanced offensive security approaches

Segmentation Testing Requirements

  1. Evolution of segmentation testing requirements, especially in modern cloud and hybrid environments
  2. Validation of logical segmentation, network segmentation, and trust boundaries
  3. Implications for organizations using AWS, Azure, GCP, SaaS platforms, and on-prem infrastructure

Vulnerability Management and Remediation

  1. Expanded requirements to remediate all vulnerabilities, including low and medium severity
  2. How penetration test results must be integrated into the organization’s vulnerability management program
  3. The importance of remediating findings on a defined schedule, regardless of how they are discovered

Newly Effective Requirements as of March 31, 2025

  1. Service providers must now conduct segmentation testing twice per year in multi-tenant environments
  2. External-facing web applications must use a web application firewall or equivalent dynamic application security solution
  3. Clarification on the need to validate customer isolation in shared environments
  4. Script management and injection protections for hosted payment pages are now in scope for many organizations

Penetration Testing Methodology

  1. Organizations are required to define their own penetration testing methodology
  2. Leveraging a third-party tester’s methodology is acceptable if the organization adopts and formalizes it
  3. Methodologies should align with frameworks such as OWASP Top 10, NIST SP 800-115, or PTES
  4. Requirements include documenting testing cadence, testing vectors (internal, external, trusted, untrusted), and scoping segmentation tests

Summary

PCI DSS 4.0 introduces more prescriptive guidance and closes gaps that previously allowed organizations to meet minimum compliance without strong security practices. Offensive security testing under PCI DSS now requires more comprehensive validation of all potential attack paths and integration of those findings into broader vulnerability management efforts.

Whether dealing with internal or external penetration testing, cloud segmentation, or validating the scope of cardholder data environments, organizations are expected to demonstrate clear intent, consistent execution, and measurable remediation efforts.

Christie Terrill

About the author, Christie Terrill

Chief Information Security Officer

Christie Terrill is the Chief Information Security Officer (CISO) of Bishop Fox, with more than 20 years of experience in security and technology services. She oversees the company’s security strategy and program, and has played an integral part in developing the company’s operational strategy while simultaneously ensuring the greatest value for clients. A 15-year Bishop Fox veteran, Christie most recently drove the rigorous, multi-year process of completing certifications for Bishop Fox’s ISO/IEC 27001 Type 2 and SOC 2 Type 2 Security Trust Services Criteria. Having joined Bishop Fox as a consultant, she quickly ascended to partner and established the company's enterprise security consulting practice, as well as serving in the sales organization.

More by Christie

Extend Your Knowledge

Check out these related resources.

Black and purple background with white and teal letters. Contributor headshot photo on left side in black and white with teal background.
Industry

Feb 14, 2024

Enabling Proper PCI Testing with External Penetration Tests

By Derek Rush

Headshot of speaker Derek Rush with title text "Penetration Testing: Navigating PCI DSS Compliance"
Virtual Session

Penetration Testing: Navigating PCI DSS Compliance

Join our webcast with Derek Rush, Managing Senior Consultant II, as we explore achieving PCI DSS compliance using targeted penetration testing. Discover vital strategies for securing payment environments against cyber threats through tests on applications, networks, and cloud services.

Learn More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.