PCI DSS Requirement 11: What Is It and How to Comply?
PCI DSS Requirement 11 explains the guidelines for testing systems and networks for vulnerabilities. As vulnerabilities can allow attackers to access systems and cause harm with minimal effort, it’s best to prevent these issues from arising by continuously testing system components, processes, and software to ensure your security controls are working effectively.
Penetration testing allows your business to stay one step ahead of an attacker. By remaining diligent with your penetration testing, you can mimic the actions an attacker would take and close off the access they would otherwise gain.
PCI DSS Requirement 11.1: All processes for regular testing are defined and understood.
PCI DSS Requirement 11.1 emphasises the importance of creating and maintaining policies for your business to adhere to. Each process must be consistently monitored and updated as necessary, and all parties involved must understand their duties.
The sub-sub-requirements of this section include:
- PCI DSS Requirement 11.1.1: All security policies and procedures are documented, timely, in use, and all necessary parties are aware of these.
- PCI DSS Requirement 11.1.2: The roles and responsibilities of each user are documented, assigned, and understood.
PCI DSS Requirement 11.2: Wireless access points are clearly identified and monitored, and unauthorised wireless access points are addressed.
Malicious users will often exploit wireless access points to gain access to vulnerable data. A wireless access point can be easily hidden within the system, so it’s important to maintain an inventory of these to allow administrators to promptly respond to any suspicious behaviour.
The sub-sub-sections of this requirement include:
- PCI DSS Requirement 11.2.1: All wireless access points are managed appropriately. This includes testing for the presence of wireless access points and identifying these, whether authorised or not.
- PCI DSS Requirement 11.2.2: An inventory of the authorised wireless access points is maintained and documented.
PCI DSS Requirement 11.3: All vulnerabilities are regularly identified, prioritised, and actioned.
All vulnerabilities, no matter how critical, can provide a potential avenue for malicious parties to attack secured systems. Therefore, identifying and addressing these vulnerabilities promptly can reduce the likelihood of exploitation and potential system compromise.
The sub-sub-sections of this requirement include:
- PCI DSS Requirement 11.3.1: Internal vulnerability scans must be performed at least once every three months.
- PCI DSS Requirement 11.3.1.1: All other applicable vulnerabilities are addressed based on the risk level outlined in the risk assessment and rescans are conducted when needed.
- PCI DSS Requirement 11.3.1.2: Internal vulnerability scans are performed via authenticated scanning.
- PCI DSS Requirement 11.3.1.3: Internal vulnerability scans are performed after any significant change.
- PCI DSS Requirement 11.3.2.1: External vulnerability scans are performed after any significant change.
PCI DSS Requirement 11.4: External and internal penetration testing must be regularly performed to correct exploitable vulnerabilities and security weaknesses.
Penetration testing is necessary for businesses to challenge the strength of their security systems to get one step ahead of any attackers. This will allow you to discover and resolve vulnerabilities internally before a hacker can.
The sub-sub-sections of this requirement include:
- PCI DSS Requirement 11.4.1: A penetration testing procedure is defined, documented, and implemented.
- PCI DSS Requirement 11.4.2: Internal penetration testing must be performed at least every 12 months.
- PCI DSS Requirement 11.4.3: External penetration testing must be performed.
- PCI DSS Requirement 11.4.4: Exploitable vulnerabilities and security weaknesses found during penetration testing must be addressed.
- PCI DSS Requirement 11.4.5: If segmentation is used to separate cardholder data from other networks, penetration tests must be performed on segmentation controls.
- PCI DSS Requirement 11.4.6: For service providers: If segmentation is used to separate cardholder data from other networks, penetration tests must also be performed on segmentation controls.
PCI DSS Requirement 11.5: Network intrusions and any unexpected file changes are detected and addressed.
All businesses should employ intrusion-detection and intrusion-prevention techniques (IDS/IPS) to compare all network traffic to the ‘signatures’ of known compromise types and techniques, and either alert the administrators or stop the attempt immediately. This prevents attacks from going unnoticed, which would otherwise increase the severity of a breach.
The sub-sub-sections of this requirement include:
- PCI DSS Requirement 11.5.1: Intrusion-detection and intrusion-prevention techniques must be used to detect and prevent unauthorised access to the network.
- PCI DSS Requirement 11.5.2: A change-detection mechanism (such as file integrity monitoring) must be used to detect unexpected changes to critical files.
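The change-detection mechanism in 11.5.2 is, at its simplest, a baseline of file digests that is re-taken and compared on a schedule. The following is an added example written for this article, not Hicomply’s or the PCI SSC’s code; the watched file suffixes and the files in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of file types to watch; in practice this would cover the
# configuration, binaries and content files in the cardholder data environment.
WATCHED_SUFFIXES = {".conf", ".php", ".js", ".html"}


def file_digest(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every watched file (path relative to root) to its digest."""
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in WATCHED_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots as added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, change the tree, then rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.conf").write_text("debug=false\n")
        (root / "checkout.js").write_text("submitCard();\n")
        (root / "notes.txt").write_text("ignored\n")  # not a watched suffix
        baseline = build_baseline(root)
        (root / "checkout.js").write_text("submitCard();\nsendTelemetry();\n")  # modified
        (root / "app.conf").unlink()  # removed
        (root / "helper.php").write_text("<?php ?>\n")  # added
        return compare(baseline, build_baseline(root))
```

Each entry in the `compare()` result is something that should be reconciled against an approved change record; anything unexplained is an alert under 11.5.2.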
PCI DSS Requirement 11.6: Unauthorised payment page changes are detected and addressed.
Any unauthorised changes to payment pages may be the result of a skimming attack. A skimming attack involves attackers compromising script elements to ‘skim’ the information being input by users. Businesses should regularly check and review any violations of the content security policy (CSP) to prevent and catch these attacks.
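Reviewing CSP violations for 11.6 is a triage problem: browsers send a report for every blocked load, and only script-related blocks on the pages that capture card data point to a possible skimmer or unapproved change. The following is an added example, not Hicomply’s code; the report bodies, hostnames and payment-page paths are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample reports in the JSON shape a browser POSTs to a CSP
# report-uri endpoint; the hostnames are placeholders, not real sites.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/checkout", '
    '"violated-directive": "script-src", "blocked-uri": "https://cdn.example/js/form.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", '
    '"violated-directive": "script-src", "blocked-uri": "chrome-extension"}}',
    '{"csp-report": {"document-uri": "https://shop.example/help", '
    '"violated-directive": "img-src", "blocked-uri": "https://img.example/x.png"}}',
    '{"csp-report": {"document-uri": "https://shop.example/payment", '
    '"violated-directive": "script-src-elem", "blocked-uri": "inline"}}',
]

# Paths of the pages that capture cardholder data (assumed for the example).
PAYMENT_PAGE_PATHS = {"/checkout", "/payment"}
# blocked-uri values browsers emit for extensions and internal schemes;
# these are filed as noise rather than as evidence of a page compromise.
BROWSER_NOISE_PREFIXES = ("chrome-extension", "moz-extension", "safari-extension", "about")


def parse_report(raw: str) -> dict:
    """Extract the fields needed for triage from one CSP report body."""
    body = json.loads(raw)["csp-report"]
    return {
        "page": urlparse(body.get("document-uri", "")).path,
        # Older reports append the source list; keep only the directive name.
        "directive": body.get("violated-directive", "").split(" ")[0],
        "blocked": body.get("blocked-uri", ""),
    }


def is_noise(blocked_uri: str) -> bool:
    return blocked_uri.startswith(BROWSER_NOISE_PREFIXES)


def triage(raw_reports) -> list:
    """Return script-related violations on payment pages that need human review."""
    findings = []
    for raw in raw_reports:
        r = parse_report(raw)
        if r["page"] not in PAYMENT_PAGE_PATHS or is_noise(r["blocked"]):
            continue
        if r["directive"].startswith("script-src"):
            findings.append(r)
    return findings
```

Of the four constructed reports, only the two script blocks on `/checkout` and `/payment` survive triage; the extension block and the image block on the help page do not.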
Meet PCI DSS Requirement 11 with Hicomply
Although PCI DSS compliance offers fantastic benefits for your business, it can be quite a difficult process to stay on top of – especially for those who are new to the certification.
Hicomply offers a full-fledged ISMS solution that streamlines the process by keeping all your documents organised and in one place – giving you compliance as you work! Contact us today for a demo.