Compliance · PCI DSS v4.0.1

PCI DSS v4.0.1 wants proof, not a snapshot.
So does a real attacker.

PCI DSS v4.0.1 asks for internal and external penetration testing and segmentation testing across your cardholder-data environment. SpartanX supports that program with a continuous adversary that proves exploitability inside and out, and hands you the evidence. It supports your program and complements your QSA; it does not make you compliant on its own.

The requirement

Internal and external testing, plus segmentation, on a defined cadence.

Requirement 11.4 of PCI DSS v4.0.1 calls for a documented penetration-testing methodology and internal and external penetration testing at least once every twelve months and after any significant change. Requirements 11.4.5 and 11.4.6 require testing that segmentation controls actually isolate the cardholder-data environment. Requirement 11.3 adds regular internal and external vulnerability scans. The v4.0.1 requirements are current and in force.

Scope

Anyone that stores, processes, or transmits cardholder data.

PCI DSS applies to merchants and service providers that handle payment card data. The cardholder-data environment, the systems connected to it, and the segmentation meant to keep everything else out are all in scope, which is exactly where an adversary looks first.

How it supports your program

Test the CDE the way an attacker would, continuously.

External and internal
SpartanX tests your external surface, and through NodeX runs the same adversary inside the perimeter, where the cardholder-data environment lives. Learn about NodeX.
Segmentation testing
Proves whether your segmentation actually isolates the CDE, the way an intruder would probe it.
Exploit-validated findings
Every finding comes with a working proof of concept, so nothing rests on a severity score.
Remediate and retest
Findings are prioritized, fixed, and re-attacked to confirm closure, including after the significant changes 11.4 cares about.
Audit-ready evidence
Continuous, dated, PCI-mapped reporting your QSA can work from.
The outcome

Continuous coverage, and evidence that holds up.

Instead of a single annual test that ages the moment it is filed, you get continuous internal and external testing, segmentation proof, and a live evidence trail, so you are examination-ready between assessments, not just the week before one.

Support your PCI DSS v4.0.1 testing program with a continuous adversary.

See how SpartanX proves exploitability across your CDE and hands you the evidence.