PCI Requirement 11.6 – Ensure Security Policies and Procedures for Security Monitoring and Testing are Documented, in Use, and Known to All Affected Parties

by Randy Bartels / December 16, 2022

Implement Policies and Procedures

PCI Requirement 11 states, “Regularly test security systems and processes.” Complying with PCI Requirement 11 is critical to ensuring that you’ve adequately secured your systems. For this requirement, we’ve discussed how to test your systems and processes, which includes vulnerability scanning, penetration testing, change detection, and more. But, as we’ve learned, it’s not enough just to learn and talk about these things. All policies, procedures, and…

PCI Requirement 11.5.1 – Implement a Process to Respond to Any Alerts Generated by the Change-Detection Solution

by Randy Bartels / December 16, 2022

Responding to Alerts

PCI Requirement 11.5.1 works in tandem with PCI Requirement 11.5. When your change-detection mechanism raises an alert, you must have a process in place to respond to it. PCI Requirement 11.5.1 states, “Implement a process to respond to any alerts generated by the change-detection solution.” During the assessment process, your staff will be interviewed to ensure that all alerts are investigated and resolved. Keeping in…

PCI Requirement 11.5 – Deploy a Change-Detection Mechanism to Alert Personnel to Unauthorized Modification of Critical System Files, Configuration Files, or Content Files

by Randy Bartels / December 16, 2022

Change-Detection Mechanisms

If change-detection mechanisms are not implemented properly, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables without being detected. This is why PCI Requirement 11.5 says, “Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.” During…
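The “critical file comparison” that 11.5 asks for, and the alerts that 11.5.1 asks you to respond to, come down to a trusted baseline of hashes and permissions compared against a fresh scan. The following is an added illustration written for this page, not code from KirkpatrickPrice or from any commercial change-detection product. The monitored directory tree, the file names (app.conf, sshd_config, payment-svc, cron.allow, shadow.bak) and the tampering it performs are all constructed for the demo; a real deployment would store the baseline off-host and run the comparison on a schedule at least weekly.

```python
"""File-integrity baseline and comparison in the spirit of PCI DSS 11.5 / 11.5.1.

Added example for illustration only. The tree, file names and tampering in
run_demo() are constructed; nothing here is a vendor's or the author's code.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hex SHA-256 of a file, streamed so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, mode bits and size for every regular file under root.

    Mode bits matter: loosening permissions on a config file is an
    unauthorized modification even when the bytes are unchanged.
    """
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "mode": oct(st.st_mode & 0o777),
            "size": st.st_size,
        }
    return baseline


def compare_baselines(trusted: dict, current: dict) -> dict:
    """Diff a trusted baseline against a fresh scan into the three alert classes."""
    added = sorted(set(current) - set(trusted))
    removed = sorted(set(trusted) - set(current))
    modified = sorted(
        p for p in set(trusted) & set(current)
        if trusted[p]["sha256"] != current[p]["sha256"]
        or trusted[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def alerts_from_diff(diff: dict) -> list:
    """One alert line per finding; these are what the 11.5.1 response process consumes."""
    return [f"ALERT {kind.upper()}: {p}"
            for kind in ("added", "removed", "modified") for p in diff[kind]]


def run_demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and re-scan."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    try:
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "cron.allow").write_text("root\n")
        (root / "bin" / "payment-svc").write_bytes(b"\x7fELF original build\n")

        trusted = build_baseline(root)  # taken while the host is known-good

        # Constructed tampering of the kind 11.5 is meant to surface:
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.9\n")       # config altered
        (root / "bin" / "payment-svc").write_bytes(b"\x7fELF trojaned build\n")  # binary swapped
        (root / "etc" / "shadow.bak").write_text("staging\n")                 # file dropped in
        (root / "etc" / "sshd_config").unlink()                               # hardening removed
        os.chmod(root / "etc" / "cron.allow", 0o444)                          # permissions only

        return compare_baselines(trusted, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in alerts_from_diff(run_demo()):
        print(line)
```

Running the script prints five alerts: one added file, one removed file, and three modified files (two content changes and one permission-only change, which a hash-only comparison would have missed). The comparison is deliberately kept separate from the scan so the trusted baseline can be signed or stored off the monitored host; a baseline an attacker can rewrite after tampering detects nothing.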

PCI Requirement 11.4 – Use Intrusion-Detection and/or Intrusion-Prevention Techniques to Detect and/or Prevent Intrusions into the Network

by Randy Bartels / December 16, 2022

Detecting and Preventing Intrusion

Has your organization implemented intrusion-detection and/or intrusion-prevention techniques? PCI Requirement 11.4 requires that organizations implement the following: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment. Alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and…

PCI Requirement 11.3.4.1 – Additional Requirement for Service Providers Only: If Segmentation is Used, Confirm PCI DSS Scope by Performing Penetration Testing on Segmentation Controls at Least Every Six Months and After Any Changes

by Randy Bartels / December 16, 2022

Segmentation, Scoping, and Penetration Testing

Are you a service provider? Do you use segmentation for the purpose of PCI scope reduction? PCI Requirement 11.3.4.1 introduced new PCI penetration testing requirements and has caused confusion among many service providers. PCI Requirement 11.3.4.1 states, “If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.” PCI…