PCI Requirement 11 – Regularly Test Security Systems & Processes

by Randy Bartels / June 5th, 2018

Regular Testing

PCI Requirement 11 is about managing the security of your environment. It states, “Regularly test security systems and processes.” From everything we’ve learned in the PCI DSS so far, we know that it has required us to:

  • Harden our networks
  • Harden our systems
  • Protect data in storage
  • Protect data in transmission
  • Protect systems against malware
  • Ensure that systems and applications are developed securely
  • Restrict access to cardholder data based on business need to know
  • Implement identity management procedures
  • Protect cardholder data from physical harm
  • Track and monitor all access to resources and cardholder data

Now, in PCI Requirement 11, we want to regularly test security systems and processes to ensure that everything is working as it’s supposed to. This testing should cover wireless access points, incident response procedures, vulnerability scans, penetration testing, intrusion detection, change detection, and policies and procedures. Regular testing ensures that new vulnerabilities are caught by the right people and that measures are taken to protect against new threats. Recognizing that you have an ever-changing environment will help you see the value in PCI Requirement 11.

PCI Requirement 11 is about managing the security of your environment. If you think about the way the PCI DSS flows, PCI Requirement 1 is about hardening our networks; PCI Requirement 2 is about hardening our systems; PCI Requirement 3 is about protecting our data in storage; and PCI Requirement 4 is about protecting data in transmission. Beyond that, we’re applying antivirus to protect against malware, we’re patching our servers, we have change control, we’re developing software securely, we have authorization and authentication, we have good passwords, we’re logging everything, and we have physical controls around our environment. When we get to PCI Requirement 11, it is about testing the efficacy of our overall security program and making sure that it is working as we have defined it.