PCI Requirement 11 - Testing, Testing, 1, 2, 3!

This is the eleventh blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process. To view the previous posts in this series, click on the appropriate links below:  

PCI Requirement 1 - Defending the Wall

PCI Requirement 2 - Change Your Defaults!

PCI Requirement 3 - Don't Store Cardholder Data!

PCI Requirement 4 - Hide in Plain Sight!

PCI Requirement 5 - Update and Scan

PCI Requirement 6 - Patches and Scanning and Coding, Oh My!!

PCI Requirement 7 - Thou Shall Not Pass!

PCI Requirement 8 - Identify, Authenticate, and Authorize

PCI Requirement 9 - Lock the Doors and Don't Forget the Windows Too!

PCI Requirement 10 - Big Brother is Watching!

PCI Requirement 11 - Regularly Test Security Systems and Processes

Requirement 11 talks about the need to “test” your cardholder data environment. This requirement covers wireless scanning, vulnerability scanning and penetration testing. All of these manners of testing are to confirm that there are no “holes”, as in vulnerabilities (aka weaknesses in very simple term), or “holes”, as in open networks to and from your CDE. Both vulnerability scanning and penetration testing have specific timing involved from this requirement. Vulnerability scans on public facing IP addresses must be done quarterly by an Approved Scanning Vendor (ASV)…this blog will not be big enough to dive much deeper. Penetration testing is to be conducted at least annually or after a significant change. The difference between the two is a question we receive very often. To speak at a high-level, vulnerability scans identify potential holes/weaknesses and penetration testing is the attempt of someone to exploit those holes/weaknesses. Being one of the very robust requirements within the PCI world it adds requirements for Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), as well as file integrity monitoring (FIM) or change detection. This requirement usually becomes one of the more daunting and challenging areas to comply with as there are many moving parts.  

Companies that require PCI Compliance face some familiar challenges within requirement 11:

1. Tools - Investing in the tools and resources need to complete the scans and penetration tests and file integrity monitoring is always difficult for small to mid-sized businesses with small IT staff.
2. Knowledge - A clear understanding of the difference between the required actions needed within the requirement around vulnerability scans and penetration tests. The technique and tools for penetration testing is becoming more common but it still requires a broader skill set and methodical approach to conducting as well as documenting.  
3. Time - With vulnerability management comes more work for the IT group on remediating those finds from the scans. Again, for a smaller, time strapped team in IT, that can add to the pile and must be effectively managed and addressed in a timely manner.
4. Notifications - By implementing IDS/IPS and FIM there are many more alert emails or notifications that can start to overwhelm a smaller group.

Compass IT Compliance is well versed in the PCI compliance space and can help your company with a risk assessment to determine what you need to do to comply with PCI.

These challenges are just some of the areas within the PCI DSS requirements that many of our client’s face. Another area where our client’s experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI Compliance, such as the ones outlined above for Requirement 11. Therefore, Compass IT Compliance has created our PCI Compliance checklist, one for service providers and one for merchants. This simple, easy to use checklist gives you the PCI requirements, what you must do to achieve/maintain compliance, and how often you need to complete each requirement. To download your copy today, click on the button below!