- Contact Us
This is the eleventh blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process. To view the previous posts in this series, click on the appropriate links below:
Requirement 11 talks about the need to “test” your cardholder data environment. This requirement covers wireless scanning, vulnerability scanning and penetration testing. All of these manners of testing are to confirm that there are no “holes”, as in vulnerabilities (aka weaknesses in very simple term), or “holes”, as in open networks to and from your CDE. Both vulnerability scanning and penetration testing have specific timing involved from this requirement. Vulnerability scans on public facing IP addresses must be done quarterly by an Approved Scanning Vendor (ASV)…this blog will not be big enough to dive much deeper. Penetration testing is to be conducted at least annually or after a significant change. The difference between the two is a question we receive very often. To speak at a high-level, vulnerability scans identify potential holes/weaknesses and penetration testing is the attempt of someone to exploit those holes/weaknesses. Being one of the very robust requirements within the PCI world it adds requirements for Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), as well as file integrity monitoring (FIM) or change detection. This requirement usually becomes one of the more daunting and challenging areas to comply with as there are many moving parts.
Companies that require PCI Compliance face some familiar challenges within requirement 11:
Compass IT Compliance is well versed in the PCI compliance space and can help your company with a risk assessment to determine what you need to do to comply with PCI.
These challenges are just some of the areas within the PCI DSS requirements that many of our client’s face. Another area where our client’s experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI Compliance, such as the ones outlined above for Requirement 11. Therefore, Compass IT Compliance has created our PCI Compliance checklist, one for service providers and one for merchants. This simple, easy to use checklist gives you the PCI requirements, what you must do to achieve/maintain compliance, and how often you need to complete each requirement. To download your copy today, click on the button below!