PCI Requirement 11.1 – Implement Processes to Test for the Presence of Wireless Access Points, and Detect and Identify All Authorized and Unauthorized Wireless Access Points on a Quarterly Basis

by Sarah Harvey / December 16, 2022

Testing Wireless Access Points

Exploitation of wireless technology, according to the PCI DSS, is one of the most common ways attackers attempt to gain unauthorized access to networks and cardholder data. This is due to the ease with which a wireless access point can be attached to a network, the difficulty in detecting its presence, and the increased risk presented by unauthorized wireless devices. This is why PCI Requirement…

PCI Requirement 11 – Regularly Test Security Systems & Processes

by Randy Bartels / December 16, 2022

Regular Testing

PCI Requirement 11 is about managing the security of your environment. It states, “Regularly test security systems and processes.” From everything we’ve learned in the PCI DSS so far, we know that it has required us to:

Harden our networks
Harden our systems
Protect data in storage
Protect data in transmission
Protect systems against malware
Ensure that systems and applications are developed securely
Restrict access to cardholder data…

PCI Requirement 10.9 – Ensure Security Policies and Procedures for Monitoring All Access to Network Resources and Cardholder Data are Documented, in Use, and Known to All Affected Parties

by Randy Bartels / December 19, 2022

Implementing PCI Requirement 10

PCI Requirement 10 states, “Track and monitor all access to network resources and cardholder data.” Complying with PCI Requirement 10 is critical to ensuring that you know who had what access to cardholder data. For this requirement, we’ve discussed aspects of tracking and monitoring access to network resources and cardholder data, such as how to implement audit trails, what should be documented in logs, which…

PCI Requirement 10.8.1 – Additional Requirement for Service Providers Only: Respond to Failures of Any Critical Security Controls in a Timely Manner

by Randy Bartels / December 19, 2022

Responding to Failures

So, you’ve been alerted of failures of critical security controls…what do you do next? PCI Requirement 10.8.1 requires that you respond to failures of any critical security controls in a timely manner. If not, attackers can take the opportunity to infect your systems. Your organization’s policies and procedures should outline the expected response to failures, which includes: How to restore security functions How to identify and document…

PCI Requirement 10.8 – Additional Requirement for Service Providers Only: Implement a Process for the Timely Detection and Reporting of Failures of Critical Control Systems

by Randy Bartels / December 19, 2022

Monitoring Failures

Without formal processes in place to detect and alert when critical security controls have failed, failures could go undetected for extended periods of time and provide malicious individuals with opportunities to compromise your systems and obtain sensitive data from the cardholder data environment. This is why PCI Requirement 10.8 requires that service providers implement a process for the timely detection and reporting of failures of critical security…