PCI DSS 11.4.4: Correcting Penetration Test Findings
Penetration testing identifies your security weaknesses—but only remediation eliminates them. PCI DSS 11.4.4 requires you to fix exploitable vulnerabilities discovered during testing and prove those fixes work through repeat testing. This control turns vulnerability data into actual risk reduction.
What this means
When penetration testing uncovers exploitable vulnerabilities—weaknesses an attacker could actually leverage—you must address them promptly. Once remediated, you need to conduct follow-up testing to confirm the fixes are effective and the vulnerabilities no longer exist. This closed-loop approach prevents attackers from exploiting known gaps.
How to comply
- 1.Document all exploitable vulnerabilities identified in penetration test reports with severity levels and affected systems
- 2.Establish remediation timelines based on vulnerability severity (critical findings warrant faster fixes)
- 3.Assign ownership and implement technical controls or patches to eliminate each vulnerability
- 4.Conduct repeat penetration testing on the same scope to verify vulnerabilities are actually corrected
- 5.Maintain evidence of both the original findings and the successful remediation test results
- 6.Track and close remediation tickets through completion and verification
Evidence auditors look for
- Initial penetration test report listing exploitable vulnerabilities with CVSS scores
- Remediation tracking log showing vulnerability, fix applied, and completion date
- Follow-up penetration test report confirming vulnerabilities are no longer exploitable
- System change logs documenting patches, configuration changes, or architectural fixes
- Management sign-off on remediation completion and re-test approval
- Comparison report showing before-and-after vulnerability status
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates vulnerability tracking and remediation workflows, linking penetration test findings directly to remediation tasks, re-test scheduling, and compliance evidence—eliminating manual spreadsheets and closing remediation loops faster.
See how GRCWatch handles this control automatically
Start free trial