PCI DSS 11.4.7: Supporting Customer Penetration Testing for Multi-Tenant Environments
If you operate a multi-tenant service provider environment, PCI DSS 11.4.7 requires you to actively support your customers' external penetration testing efforts. This control ensures that merchants and service users can conduct independent security assessments on systems processing their cardholder data.
What this means
Multi-tenant service providers must establish processes and provide access that enable customers to conduct external penetration testing against systems, applications, and infrastructure that handle their payment card data. Rather than restricting testing, you must facilitate it—providing necessary network access, test accounts, coordination windows, and technical assistance. This allows customers to validate that their data environment meets security standards.
How to comply
- 1.Document a formal penetration testing support policy outlining procedures, notification timelines, and approval workflows for customer-initiated tests
- 2.Establish a testing coordination process that includes scheduling, scope definition, and communication channels between your team and testing vendors
- 3.Provide test account credentials, network access, and staging environments that accurately reflect production architecture without exposing live cardholder data
- 4.Define scope boundaries clearly to ensure tests remain within authorized systems and do not impact other tenants or production services
- 5.Assign a point of contact to support testing activities, answer technical questions, and monitor for unexpected system behavior during assessments
- 6.Review and document results of penetration tests conducted by customers, including identified vulnerabilities and remediation actions
- 7.Update support procedures based on lessons learned from customer testing activities and evolving threat landscapes
Evidence auditors look for
- Penetration testing support policy document with approval workflows and tenant isolation protections
- Testing request logs showing customer requests, approval dates, and testing windows
- Test environment documentation with network diagrams, access specifications, and isolation controls
- Communications with penetration testing vendors confirming scope, timeline, and resource requirements
- Test account provisioning records with creation, access levels, and deprovisioning dates
- Penetration testing reports generated by or for customers with findings and remediation tracking
- Incident or issue logs from testing periods documenting coordination and problem resolution
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates penetration testing coordination workflows, stores and tracks all testing requests and approvals in one compliance audit trail, and generates evidence reports that directly satisfy PCI DSS 11.4.7 documentation requirements for your examiners.
See how GRCWatch handles this control automatically
Start free trial