Blog

PCI Requirement 11.3 – Implement a Methodology for Penetration Testing

by Randy Bartels / December 16, 2022

What is Penetration Testing? They key component of PCI Requirement 11.3 is penetration testing. Who can perform the testing? What’s involved? When should it be performed? PCI Requirement 11.3 outlines the qualities of an effective penetration testing methodology, which include: Based on industry-accepted penetration testing approaches Includes coverage for the entire cardholder data environment perimeter and critical systems Includes testing from both inside and outside the network Includes testing…

PCI Requirement 11.2.3 – Perform Internal and External Scans, and Rescans as Needed, After Any Significant Change

by Randy Bartels / December 16, 2022

Significant Changes in Your Cardholder Data Environment PCI Requirement 11.2.3 requires that any time that you have made a significant change in your environment, whether it be internal or external, you run a vulnerability scan. A significant change could be something like new system component installations, changes in network topology, firewall rule modifications, or product upgrades, but what constitutes a significant change depends on the configuration of your environment.…

PCI Requirement 11.2.2 – Perform Quarterly External Vulnerability Scans via an Approved Scanning Vendor

by Randy Bartels / December 16, 2022

What is an ASV? To comply with PCI Requirement 11.2.2, you must use a PCI SSC Approved Scanning Vendor (ASV). An ASV is defined as, “An organization with a set of security services and tools (‘ASV scan solution’) to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS Requirement 11.2.2. The scanning vendor’s ASV scan solution is tested and approved by PCI…

PCI Requirement 11.2.1 – Perform Quarterly Internal Vulnerability Scans

by Randy Bartels / December 16, 2022

Vulnerabilities and Your Risk Ranking System PCI Requirement 11.2.1 states, “Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all ‘high risk’ vulnerabilities are resolved in accordance with the entity’s vulnerability ranking.” Remember the risk ranking system you created for PCI Requirement 6.1? This comes back into play for PCI Requirement 11.2.1. This risk ranking system gives you the ability to identify, prioritize, and address high…

PCI Requirement 11.2 – Run Internal and External Vulnerability Scans at Least Quarterly and After Any Significant Change in the Network

by Randy Bartels / December 16, 2022

Running Network Vulnerability Scans PCI Requirement 11.2 requires that organizations run internal and external network vulnerability scans at least quarterly and also after any significant change in the network. It’s crucial that vulnerability scans are performed by qualified personnel. Vulnerability scans are a combination of automated or manual tools and techniques ran against external and internal network devices and servers and are designed to expose potential vulnerabilities that could…

PCI Requirement 11.3 – Implement a Methodology for Penetration Testing

PCI Requirement 11.2.3 – Perform Internal and External Scans, and Rescans as Needed, After Any Significant Change

PCI Requirement 11.2.2 – Perform Quarterly External Vulnerability Scans via an Approved Scanning Vendor

PCI Requirement 11.2.1 – Perform Quarterly Internal Vulnerability Scans

PCI Requirement 11.2 – Run Internal and External Vulnerability Scans at Least Quarterly and After Any Significant Change in the Network

Categories

Newsletter

Learn what you need to get started with our Audit Readiness Guide.