PCI DSS v4.0 Req 11.4 requires internal and external penetration testing at least once every 12 months and after any significant infrastructure or application change (Req 11.4.2 internal, Req 11.4.3 external); Req 11.4.1 requires a documented, industry-accepted methodology that covers the entire CDE perimeter and critical systems. Automated scanners find known CVEs and misconfigurations; a penetration test is what verifies the controls under realistic attack conditions and surfaces what scanners miss: business-logic flaws, authentication bypasses, and chained exploits. ISO 27001:2022 Annex A 8.8 (management of technical vulnerabilities) and NIST SP 800-53 CA-8 (penetration testing) also call for periodic testing. A most recent test report older than 12 months is a direct PCI assessment finding.
Low because penetration testing is a verification activity rather than a preventive control: its absence does not by itself expose cardholder data, but it removes the assurance that the preventive controls actually work as intended.
Engage a third-party penetration tester or a qualified internal team to test the full CDE scope: payment APIs, admin panel, network segmentation, and application logic. Document the results in docs/penetration-tests.md with findings count, severity, and remediation status. Per Req 11.4.1, test against PTES, OWASP Testing Guide, or NIST SP 800-115 methodology.
## Last Test: 2026-01-15
**Vendor:** [Firm Name] | **Scope:** Full CDE + payment APIs
**Critical:** 0 | **High:** 1 (REMEDIATED) | **Medium:** 3 (2 remediated, 1 in progress)
**Next Scheduled:** 2027-01-15
For early-stage projects, a recognized bug bounty program (HackerOne, Bugcrowd) with public scope covering payment endpoints can supplement or precede a formal annual pentest, but it does not replace one: Req 11.4.1 expects a scoped, methodology-driven engagement with a written report, which crowdsourced testing does not provide. Reference the test report from docs/pci-compliance.md.
ID: ecommerce-pci.monitoring-compliance.penetration-testing
Severity: low
What to look for: Search for penetration testing reports or documentation (look for "pentest", "penetration", "security-test" in docs/ directory). For each report found, check the test date and calculate months since last test (must be under 12 months). Count the number of findings categories documented (critical, high, medium, low). Check for remediation status tracking (e.g., "REMEDIATED", "IN PROGRESS").
Pass criteria: At least 1 penetration testing report or documentation file exists. The report date is within the last 12 months (no more than 365 days from current date). Report includes at least 3 of: scope, findings count, remediation status, next scheduled test date. Report: "Last test: [date], X months ago, Y findings documented."
Fail criteria: No penetration testing evidence found (0 report files), or last test was more than 12 months ago, or report exists but lacks findings count or remediation tracking.
Skip (N/A) when: Early-stage project with no deployable infrastructure (no hosting config, no deployed endpoints, development-only with no external exposure).
Detail on fail: Specify the gap. Example: "0 penetration test reports found in docs/ directory." or "docs/pentest-2024-08.md found but test date is 18 months ago (August 2024). Exceeds 12-month maximum."
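The "what to look for" and pass/fail criteria above can be turned into a small evidence checker. The following is an added example, not tooling from the original page: it parses a markdown report written in the shape of the docs/penetration-tests.md template in the remediation section (field labels such as `**Date**`, `**High Issues**`, and `REMEDIATED` markers are assumed from that template), computes the age of the last test, verifies the findings count and remediation tracking, and produces the pass/fail detail string the check asks for. The report text and dates are constructed fixtures; `today` is passed in so the result is reproducible.

```python
"""Added example: evidence checker for the penetration-testing control.
Not the original page's tooling; report text and dates are constructed."""
import re
from datetime import date
from typing import Any, Dict, Optional, Union

MAX_AGE_DAYS = 365      # pass criterion: last test no more than 365 days ago
MIN_FIELDS_PRESENT = 3  # of: scope, findings count, remediation status, next scheduled date

# Constructed fixture (not a real report) following the docs/penetration-tests.md template.
SAMPLE_REPORT = """\
# Penetration Testing Schedule
## Testing Schedule
- **Scope**: Full infrastructure including CDE, payment APIs, admin panel
## Last Test
- **Date**: 2025-12-15
- **Critical Issues**: 0
- **High Issues**: 2 (both remediated)
- **Medium Issues**: 5 (4 remediated, 1 in progress)
## Next Scheduled Test
- **Date**: 2026-12-15 (12 months from last test)
## Remediation Tracking
- Issue #1: SQL injection in payment webhook (REMEDIATED)
- Issue #2: Weak TLS cipher suite (REMEDIATED)
- Issue #3: Default admin credentials in staging (REMEDIATED)
"""

ISO_DATE = re.compile(r"\b(\d{4}-\d{2}-\d{2})\b")
FINDING_LINE = re.compile(r"\*\*(Critical|High|Medium|Low) Issues\*\*:\s*(\d+)", re.I)
REMEDIATION_MARK = re.compile(r"\b(REMEDIATED|IN PROGRESS)\b", re.I)


def _sections(text: str) -> Dict[str, str]:
    """Split a markdown report on '## ' headings; keys are lower-cased titles."""
    out: Dict[str, str] = {}
    title = ""
    for line in text.splitlines():
        if line.startswith("## "):
            title = line[3:].strip().lower()
            out[title] = ""
        elif title:
            out[title] += line + "\n"
    return out


def _first_date(block: str) -> Optional[date]:
    m = ISO_DATE.search(block)
    return date.fromisoformat(m.group(1)) if m else None


def parse_report(text: str) -> Dict[str, Any]:
    """Pull out the evidence fields the check scores."""
    secs = _sections(text)
    findings = {m.group(1).lower(): int(m.group(2)) for m in FINDING_LINE.finditer(text)}
    return {
        "test_date": _first_date(secs.get("last test", "")),
        "next_scheduled": _first_date(secs.get("next scheduled test", "")),
        "scope": "**scope**" in text.lower(),
        "findings": findings,                                   # e.g. {'critical': 0, 'high': 2}
        "remediation": bool(REMEDIATION_MARK.search(text)),
    }


def _months_between(start: date, end: date) -> int:
    """Whole calendar months from start to end (the 'X months ago' in the report string)."""
    months = (end.year - start.year) * 12 + end.month - start.month
    return months - 1 if end.day < start.day else months


def evaluate(text: str, today: Union[date, str]) -> Dict[str, Any]:
    """Apply the pass/fail criteria; 'today' is injected (date or ISO string) for reproducibility."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    r = parse_report(text)
    if r["test_date"] is None:
        return {"result": "FAIL", "detail": "report found but has no parseable test date"}
    age = (today - r["test_date"]).days
    months = _months_between(r["test_date"], today)
    if age > MAX_AGE_DAYS:
        return {"result": "FAIL", "age_days": age,
                "detail": f"test date is {months} months ago ({r['test_date']}). Exceeds 12-month maximum."}
    if not r["findings"] or not r["remediation"]:
        missing = "findings count" if not r["findings"] else "remediation tracking"
        return {"result": "FAIL", "age_days": age, "detail": f"report lacks {missing}"}
    present = [k for k in ("scope", "findings", "remediation", "next_scheduled") if r[k]]
    if len(present) < MIN_FIELDS_PRESENT:
        return {"result": "FAIL", "age_days": age,
                "detail": f"only {len(present)} of 4 report fields present: {', '.join(present)}"}
    total = sum(r["findings"].values())
    return {"result": "PASS", "age_days": age, "findings": r["findings"],
            "detail": f"Last test: {r['test_date']}, {months} months ago, {total} findings documented."}


if __name__ == "__main__":
    print(evaluate(SAMPLE_REPORT, "2026-06-01"))
```

Run it over every file in docs/ whose name matches "pentest", "penetration" or "security-test" and feed `date.today()` as `today`; the injected date is only there so the fixture gives the same answer every time it is run.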
Remediation: Schedule and conduct penetration testing. Create docs/penetration-tests.md:
```markdown
# Penetration Testing Schedule

## Testing Schedule
- **Frequency**: Annual, with ad-hoc testing after major changes
- **Scope**: Full infrastructure including CDE, payment APIs, admin panel
- **Type**: External and internal testing

## Last Test
- **Date**: 2025-12-15
- **Vendor**: Bug Bounty Firm / Third-party Pentester
- **Report**: `docs/pentest-2025-12-15.pdf`
- **Critical Issues**: 0
- **High Issues**: 2 (both remediated)
- **Medium Issues**: 5 (4 remediated, 1 in progress)

## Next Scheduled Test
- **Date**: 2026-12-15 (12 months from last test)

## Remediation Tracking
- Issue #1: SQL injection in payment webhook (REMEDIATED)
- Issue #2: Weak TLS cipher suite (REMEDIATED)
- Issue #3: Default admin credentials in staging (REMEDIATED)
```
Engage a third-party penetration testing firm or participate in a bug bounty program, and publish a security.txt (RFC 9116) so researchers know where to report findings. Contact must be a URI (mailto: or https:), and Expires is mandatory and should be no more than a year in the future:

```text
# Security.txt for Bug Reports
# .well-known/security.txt
Contact: mailto:security@company.com
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://company.com/.well-known/security.txt
```