This blog is part of a blog series on the 12 requirements of PCI DSS. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement. Here we discuss:
Requirement 11: Regularly test security systems and processes
The system vulnerabilities are continually discovered, which is why system components and custom software must be tested frequently to ensure that security controls continue to reflect a secure environment.
10 challenges and steps to consider
- Unauthorized wireless devices can be implemented in a component of the system to be used as a path to access cardholder data. An inventory of authorized wireless devices can help administrators quickly identify unauthorized devices through a quarterly wireless access point detecting process and proactively minimise CDE disclosure.
- Perform quarterly internal vulnerabilities scans and solve them according to the entity’s vulnerability classification that was defined based on Requirement 6.1.
- Perform quarterly external vulnerability scans. In this case, it must be performed by an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).
- Perform an external penetration testing at least annually and after any significant infrastructure or application upgrade or modification, for example, an update of the operating system, a subnet added or a new web server into the environment.
- Perform an internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification, for example, an update of the operating system, a subnet added or a new web server into the environment.
- For all case, the vulnerabilities found during penetration testing must be corrected and repeat the test to verify the corrections.
- If the ASV scans, internal vulnerability scans, external penetration tests and internal penetration tests are reported vulnerabilities with a CVSS score of 4.0 or higher, must identify them, correct them and repeat the analysis until all vulnerabilities are corrected.
- If the segmentation network is used to isolate the CDE from other networks, perform penetration tests to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
- Remember that all scans must be performed by qualified personnel.
- Implement IDS / IPS (Intrusion Detection / Intrusion Prevention) tools to compare network traffic with known “signatures” and/or suspicious traffic behaviour that could compromise the security. This tool generates warnings that must be checked before threats can be stopped.
This is one of the requirements that incorporates several technical implementations to control and prevent threats. Do not hesitate to get advice from experts in the field. It will facilitate the way for compliance with PCI DSS.
Need help with PCI DSS implementation? Our QSAs can help out.
Read more about:
PCI DSS requirement 1: Protecting Cardholder data environment
PCI DSS requirement 2: Change your defaults
PCI DSS requirement 3: Don’t store cardholder data
PCI DSS requirement 4: Encryption
PCI DSS requirement 5: Update and Scan
PCI DSS requirement 6: Develop and maintain secure systems and applications
PCI DSS requirement 7: Restrict access to CHD
PCI DSS requirement 8: Identify, Authenticate, and Authorize
PCI DSS requirement 9: Restrict physical access to Cardholder data
PCI DSS requirement 10: Track and monitor all access to network resources and cardholder data