Requirement 11.4 mandates internal and external penetration testing annually - PCI pentests must cover the entire CDE, validate segmentation, and test OWASP Top 10 - Common failures include inadequate segmentation, default credentials, and weak application security - PCI DSS 4.0 introduced customize