Strengthening PCI compliance with OpenText VAPT
Blog: OpenText Blogs

PCI DSS (Payment Card Industry Data Security Standard) v4.0 is here!
Version 3.2.1 was retired on March 31, 2024. In addition, many best-practice controls became mandatory on March 31, 2025. Moreover, PCI DSS v4.0.1 added clarifications in June 2024. As a result, compliance expectations are higher than ever.
Recent threat data shows why this matters. For example, Verizon’s 2025 Data Breach Investigations Report (DBIR) analyzed 22,052 incidents and 12,195 confirmed breaches. Credential theft was the top entry point. Furthermore, vulnerability exploitation accounted for about 20% of initial access. Ransomware appeared in 44% of breaches, hitting smaller businesses hardest. Therefore, these trends underscore the need for proactive, ongoing security.
Why PCI DSS v4.0 elevates VAPT
PCI DSS v4.0 raises the bar for vulnerability scanning and penetration testing (VAPT). In addition, it introduces stricter timelines and clearer expectations.
Vulnerability scanning: External scans must occur every quarter, no more than three months apart. They must use an Approved Scanning Vendor (ASV). Internal scans are also required. Moreover, if systems allow credentials, authenticated scans are strongly recommended (requirement 11.3.1.2). Scans must also follow major changes. As a result, these steps give deeper visibility into missing patches and misconfigurations.
Penetration testing: Requirement 11.4 requires a documented, tailored method for all tests. Organizations must test internal and external systems at least once a year and after major changes to the Cardholder Data Environment (CDE). Furthermore, PCI DSS clarifies that penetration testing is more than exploiting scan results. It needs skilled, manual work to find chained weaknesses and confirm control strength.
However, keep in mind that requirements can vary by environment, Self-Assessment Questionnaire (SAQ) type, or service provider role.
OpenText™ VAPT: Designed for compliance and resilience
OpenText’s Vulnerability Assessment and Penetration Testing service helps you meet v4.0 rules and improve security. In addition, our engagements include:
- Quarterly external and internal scans with formal attestation. Authenticated internal scans where possible.
- Tailored penetration tests for internal and external systems using a seven-step model (Discovery → Reporting).
- Readiness checks and remediation guidance with clear reports that speed up audit readiness.
Moreover, we design VAPT scopes to match your business size, risk profile, and compliance objectives. Our approach ensures that testing is comprehensive and relevant, covering perimeter systems, internal networks, web and mobile applications, APIs, wireless environments, and any other components that could provide a pathway to the Cardholder Data Environment (CDE). In addition, we adapt testing depth based on your operational complexity, so you receive actionable insights without unnecessary disruption.
OpenText delivers PCI DSS attestation services through a trusted partnership with an Approved Scanning Vendor (ASV). This collaboration ensures that quarterly external scans meet PCI DSS requirements and include formal attestation, giving your organization confidence in compliance.
Managed security advantages: Continuous improvement, not one-and-done
PCI DSS v4.0 expects ongoing security: quarterly scans, post-change checks, and repeat tests. Therefore, OpenText offers VAPT as part of Managed Security Services. This combines expert testing, modern tools, and continuous monitoring. As a result, it helps you stay compliant between audits and lowers your team’s workload.
Benefits of pairing VAPT with managed security include:
- Regular cadence aligned to PCI DSS timelines: quarterly ASV scans, internal scans, and scheduled tests after changes.
- Fast remediation: Findings link directly to patching and hardening, supporting v4.0’s risk-based approach.
- Clear evidence and attestation for banks, assessors, and SAQs or Reports on Compliance (ROCs).
Why act now?
For SMBs and mid-sized firms, the risk is real. The 2025 DBIR shows attackers use stolen credentials and unpatched flaws for quick wins. In addition, third-party risks are growing. VAPT confirms segmentation, tests controls under stress, and finds chained weaknesses that scans miss—before a breach harms your brand or triggers fines.
Moreover, PCI DSS v4.0’s new rules—like authenticated scans and documented test methods—mean assessors expect proof. Therefore, a structured VAPT program with managed security gives you a repeatable, defensible path to compliance and stronger resilience.
Ready for PCI DSS v4.0? We can help
Contact our Cybersecurity Services Team to schedule a readiness check and VAPT engagement tailored to your business and budget. We’ll help you meet PCI DSS v4.0 and build a stronger payment environment.
Want to go beyond compliance? Meeting PCI DSS is essential, but true resilience means anticipating threats before they strike. Proactive vulnerability management helps you identify weaknesses early, reduce risk, and strengthen defenses. Learn more in our blog: Rethinking Vulnerability Management: Playing Offense to Strengthen Security.
Ready to simplify compliance and security? Explore how OpenText™ Managed Security Services can provide continuous protection and peace of mind.