PCI Requirement 11.2.2 – Perform Quarterly External Vulnerability Scans via an Approved Scanning Vendor

by Randy Bartels / December 16, 2022

What is an ASV?

To comply with PCI Requirement 11.2.2, you must use a PCI SSC Approved Scanning Vendor (ASV). An ASV is defined as, “An organization with a set of security services and tools (‘ASV scan solution’) to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS Requirement 11.2.2. The scanning vendor’s ASV scan solution is tested and approved by PCI…

PCI Requirement 11.2.1 – Perform Quarterly Internal Vulnerability Scans

by Randy Bartels / December 16, 2022

Vulnerabilities and Your Risk Ranking System

PCI Requirement 11.2.1 states, “Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all ‘high risk’ vulnerabilities are resolved in accordance with the entity’s vulnerability ranking.” Remember the risk ranking system you created for PCI Requirement 6.1? This comes back into play for PCI Requirement 11.2.1. This risk ranking system gives you the ability to identify, prioritize, and address high…

PCI Requirement 11.2 – Run Internal and External Vulnerability Scans at Least Quarterly and After Any Significant Change in the Network

by Randy Bartels / December 16, 2022

Running Network Vulnerability Scans

PCI Requirement 11.2 requires that organizations run internal and external network vulnerability scans at least quarterly and also after any significant change in the network. It’s crucial that vulnerability scans are performed by qualified personnel. Vulnerability scans are a combination of automated or manual tools and techniques run against external and internal network devices and servers and are designed to expose potential vulnerabilities that could…

PCI Requirement 11.1.2 – Implement Incident Response Procedures in the Event Unauthorized Wireless Access Points are Detected

by Randy Bartels / December 16, 2022

Incident Response Procedures

What would your organization do if an unauthorized wireless device was detected in your environment? PCI Requirement 11.1.2 requires that you implement incident response procedures so that in the event of some type of rogue wireless device, your employees know exactly how to respond. The size and complexity of your environment will determine what your incident response procedures should be. To verify compliance with PCI Requirement…

PCI Requirement 11.1 – Implement Processes to Test for the Presence of Wireless Access Points, and Detect and Identify All Authorized and Unauthorized Wireless Access Points on a Quarterly Basis

by Sarah Harvey / December 16, 2022

Testing Wireless Access Points

Exploitation of wireless technology, according to the PCI DSS, is one of the most common ways attackers attempt to gain unauthorized access to networks and cardholder data. This is due to the ease with which a wireless access point can be attached to a network, the difficulty in detecting their presence, and the increased risk presented by unauthorized wireless devices. This is why PCI Requirement…