PCI Requirement 11

Regularly test security systems and processes

How do you know that the security controls in your environment are actually working? PCI Requirement 11 focuses on a critical aspect of PCI compliance: testing. That testing covers wireless access points, incident response procedures, vulnerability scans, penetration tests, intrusion detection, change detection, and the policies and procedures that support them. Regular testing ensures that new vulnerabilities are caught by the right people and that measures are taken to protect against new threats.

This set of videos will help you understand what’s required of your organization to comply with PCI Requirement 11. Click on a video below to get started.

PCI Requirement 11 - Regularly Test Security Systems & Processes

PCI Requirement 11 is about managing the security of your environment. It states, “Regularly test security systems and processes.”
June 5, 2018/by Jeff Wilder
PCI Requirement 11.1 – Implement Processes to Test for the Presence of Wireless Access Points, and Detect and Identify All Authorized and Unauthorized Wireless Access Points on a Quarterly Basis

Exploitation of wireless technology, according to the PCI DSS, is one of the most common ways attackers attempt to gain unauthorized access to networks and cardholder data.
June 5, 2018/by Jenna Kersten
PCI Requirement 11.1.2 – Implement Incident Response Procedures in the Event Unauthorized Wireless Access Points are Detected

What would your organization do if an unauthorized wireless device was detected in your environment?
June 5, 2018/by Jeff Wilder
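The core step behind Requirements 11.1 and 11.1.2 is a reconciliation: take what a wireless survey actually observed and compare it against the inventory of access points you have authorized, then route anything that does not match into the incident response procedure. The following is an added example written for this page, not code from the videos or from any scanning product. The inventory and the scan records are constructed; in practice the records would be parsed out of whatever wireless scanner or WIDS you use.

```python
"""Added example (not code from the page or any vendor tool): reconcile a
wireless survey against the inventory of authorized access points, the core
step behind Requirement 11.1. Scan records and the inventory are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str       # radio MAC as the scanner reported it (any case)
    channel: int
    signal_dbm: int


# Constructed inventory: authorized BSSID -> the one SSID that radio may broadcast.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "CORP-POS",
    "aa:bb:cc:00:00:02": "CORP-POS",
    "aa:bb:cc:00:00:03": "CORP-GUEST",
}

# Constructed survey results, as you would parse them out of a wireless scanner.
SCAN = [
    ScanRecord("CORP-POS", "AA:BB:CC:00:00:01", 6, -45),    # approved radio, approved SSID
    ScanRecord("CORP-POS", "de:ad:be:ef:00:01", 6, -40),    # approved SSID from an unknown radio
    ScanRecord("Linksys", "00:11:22:33:44:55", 1, -70),     # unknown SSID, unknown radio
    ScanRecord("CORP-GUEST", "aa:bb:cc:00:00:02", 1, -50),  # approved radio, wrong SSID
]


def classify(scan, authorized):
    """Sort every observed AP into one bucket and list approved APs that were not seen."""
    known_ssids = set(authorized.values())
    findings = {
        "authorized": [],        # matches inventory on both BSSID and SSID
        "ssid_spoof": [],        # our SSID from a radio we do not own: evil-twin candidate
        "unknown": [],           # neither BSSID nor SSID is ours: rogue or neighbour, investigate
        "misconfigured": [],     # our radio broadcasting an SSID it is not approved for
        "not_seen": [],          # approved AP absent from the survey: offline or moved
    }
    seen = set()
    for rec in scan:
        bssid = rec.bssid.lower()
        seen.add(bssid)
        if bssid in authorized:
            bucket = "authorized" if authorized[bssid] == rec.ssid else "misconfigured"
        elif rec.ssid in known_ssids:
            bucket = "ssid_spoof"
        else:
            bucket = "unknown"
        findings[bucket].append(bssid)
    findings["not_seen"] = sorted(set(authorized) - seen)
    return {k: sorted(v) for k, v in findings.items()}


def needs_response(findings):
    """Anything outside 'authorized' must go to the 11.1.2 incident response procedure."""
    return sorted(findings["ssid_spoof"] + findings["unknown"] + findings["misconfigured"])
```

Two caveats a practitioner should keep in mind. A BSSID allowlist is a necessary baseline, not proof of identity: a rogue can clone an authorized BSSID, so correlate matches with channel, signal strength and physical location before trusting them. And an approved AP that disappears from the survey is a finding in its own right; it may simply be offline, or it may have been moved or replaced.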
PCI Requirement 11.2 – Run Internal and External Vulnerability Scans at Least Quarterly and After Any Significant Change in the Network 

PCI Requirement 11.2 requires that organizations run internal and external network vulnerability scans at least quarterly and also after any significant change in the network.
June 5, 2018/by Jeff Wilder
PCI Requirement 11.2.1 – Perform Quarterly Internal Vulnerability Scans

PCI Requirement 11.2.1 states, “Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all ‘high risk’ vulnerabilities are resolved in accordance with the entity’s vulnerability ranking.”
June 5, 2018/by Jeff Wilder
PCI Requirement 11.2.2 – Perform Quarterly External Vulnerability Scans via an Approved Scanning Vendor

To comply with PCI Requirement 11.2.2, you must use a PCI SSC Approved Scanning Vendor (ASV). An ASV is defined as “an organization with a set of security services and tools (‘ASV scan solution’) to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS Requirement 11.2.2.”
June 5, 2018/by Jeff Wilder
PCI Requirement 11.2.3 – Perform Internal and External Scans, and Rescans as Needed, After Any Significant Change

PCI Requirement 11.2.3 requires that, after any significant change to your environment, you run internal and external vulnerability scans, and rescan as needed until the findings are resolved.
June 5, 2018/by Jeff Wilder
PCI Requirement 11.3 – Implement a Methodology for Penetration Testing

The key component of PCI Requirement 11.3 is penetration testing. Who can perform the testing? What’s involved? When should it be performed?
June 5, 2018/by Jeff Wilder
PCI Requirement 11.3.1 – Perform External Penetration Testing at Least Annually

PCI Requirement 11.3.1 requires that organizations perform external penetration testing at least annually and after any significant upgrade or modification.
June 5, 2018/by Jeff Wilder
PCI Requirement 11.3.2 – Perform Internal Penetration Testing at Least Annually

PCI Requirement 11.3.2 requires that organizations perform internal penetration testing at least annually and after any significant upgrade or modification.
June 5, 2018/by Jeff Wilder
PCI Requirement 11.3.3 – Exploitable Vulnerabilities Found During Penetration Testing are Corrected and Testing is Repeated

The purpose of penetration testing is to find vulnerabilities before an attacker does; when you find them, those vulnerabilities need to be corrected.
June 5, 2018/by Jeff Wilder
PCI Requirement 11.3.4 – If Segmentation is Used to Isolate the CDE from Other Networks, Perform Penetration Tests at Least Annually and After Any Changes to Segmentation to Ensure Methods are Operational and Effective 

Does your organization use segmentation to isolate your cardholder data environment from other networks? Penetration testing can be a tool to ensure that your segmentation controls are working.
June 5, 2018/by Jeff Wilder
PCI Requirement 11.3.4.1 – Additional Requirement for Service Providers Only: If Segmentation is Used, Confirm PCI DSS Scope by Performing Penetration Testing on Segmentation Controls at Least Every Six Months and After Any Changes 

Are you a service provider? Do you use segmentation for the purpose of PCI scope reduction? PCI Requirement 11.3.4.1 outlines penetration testing requirements that are new for service providers and that have caused confusion among many of them.
June 5, 2018/by Jeff Wilder
PCI Requirement 11.4 – Use Intrusion-Detection and/or Intrusion-Prevention Techniques to Detect and/or Prevent Intrusions into the Network

Has your organization implemented intrusion-detection and/or intrusion-prevention techniques?
June 5, 2018/by Jeff Wilder
PCI Requirement 11.5 – Deploy a Change-Detection Mechanism to Alert Personnel to Unauthorized Modification of Critical System Files, Configuration Files, or Content Files

If change-detection mechanisms are not implemented properly, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables without anyone noticing.
June 5, 2018/by Jeff Wilder
PCI Requirement 11.5.1 – Implement a Process to Respond to Any Alerts Generated by the Change-Detection Solution

PCI Requirement 11.5.1 works in tandem with PCI Requirement 11.5. When your change-detection mechanism generates an alert, you must have a process in place to respond to it.
June 5, 2018/by Jeff Wilder
PCI Requirement 11.6 – Ensure Security Policies and Procedures for Security Monitoring and Testing are Documented, in Use, and Known to All Affected Parties

PCI Requirement 11 states, “Regularly test security systems and processes.” Complying with PCI Requirement 11 is critical to ensuring that you’ve adequately secured your systems.
June 5, 2018/by Jeff Wilder