Requirement 11: Regularly test security systems and processes.

External vulnerability scans must be performed at least quarterly by an Approved Scanning Vendor (ASV) to verify that all high-risk vulnerabilities have been resolved. All external IP addresses that correspond to in-scope systems, for inbound or outbound traffic, must be included in your external vulnerability scans. Scanning services provided by Server Scan are ASV-certified and qualify to help you meet this requirement. If you find this guide helpful, please consider using our scanning services.

Internal vulnerability scans must also be performed quarterly, but, unlike external vulnerability scans, you are not required to engage an ASV to perform your internal vulnerability scans. Instead, you can use “qualified” internal personnel to perform your internal scans. Both commercial and open-source tools such as OpenVAS and Nessus are available to help perform these scans. All identified vulnerabilities should be ranked (such as critical, high, medium, low, informational) and all “high-risk” vulnerabilities must be resolved. Any results presumed to be false positives should be verified and documented as such.

Penetration testing must also be performed annually from both external and internal perspectives according to the specifications in requirement 11.3. If you use segmentation to isolate your CDE from your other networks, segmentation tests must be performed to verify that your firewall(s) are effectively isolating your CDE from other networks. Service providers are required to perform segmentation tests every six months. Merchants are required to perform segmentation tests annually. Penetration and segmentation tests can be performed internally if you have qualified personnel with organizational independence. Most organizations choose to have penetration tests performed by third parties. Penetration tests and segmentation tests performed by Server Scan are designed to meet the methodology and reporting requirements of the PCI DSS. If you are interested in getting a penetration test, please email our support team and we will be happy to discuss your environment and provide you a free quote.

External vulnerability scans, internal vulnerability scans, penetration tests and segmentation tests should all be repeated after any significant change such as a firewall replacement or significant software upgrades.

There must be a process, repeated at least quarterly, to verify that no rogue wireless access points have been added to the CDE. To meet this requirement, most organizations perform wireless scans and compare the detected access points against an inventory of authorized access points to identify any rogue access points that may have appeared. Some enterprise-grade wireless access point solutions offer automated wireless scanning that can be used to help you meet this requirement. Your Incident Response Plan should include a process to follow in the event that an unauthorized wireless access point is detected.

Intrusion detection systems or intrusion prevention systems (IDS/IPS) must be used to monitor traffic at the perimeter and at critical points of the CDE as a method of detecting attacks as they occur. Detected events must alert personnel who should investigate and respond in a timely manner.

A change detection mechanism (file-integrity monitoring, or FIM) must be deployed to monitor all critical system files, application files, and content files. FIM must detect and alert personnel of unauthorized changes. File integrity comparisons must be performed at least weekly, and alerts should be investigated in a timely manner.
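A minimal baseline-and-compare check of the kind a FIM tool performs, added here as an illustration and not Server Scan's or any product's code. The file names, contents and the approved-change list are constructed for the demo; in practice the baseline would be stored outside the monitored host and the comparison scheduled at least weekly.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    # SHA-256 of the contents, read in chunks so large files are fine.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    # Record digest and permission bits of every regular file under root.
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root))
            snap[rel] = {"sha256": file_digest(p), "mode": p.stat().st_mode & 0o7777}
    return snap

def compare(baseline, current, approved=frozenset()):
    # Return (kind, path, authorized) per difference; kind is added/removed/modified.
    # authorized is True only for paths on the change-ticket allow list, so
    # every other finding is the kind of alert the requirement expects.
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            kind = "removed"
        elif rel not in baseline:
            kind = "added"
        elif baseline[rel] != current[rel]:
            kind = "modified"
        else:
            continue
        findings.append((kind, rel, rel in approved))
    return findings

def demo():
    # Constructed scenario: baseline two fake config files, then apply one
    # approved change and two unauthorized ones before the weekly comparison.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = snapshot(root)
        (root / "sshd_config").write_text("PermitRootLogin no\nMaxAuthTries 3\n")  # ticketed
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n")
        (root / "unexpected.so").write_bytes(b"\x7fELF")  # new file nobody approved
        return compare(baseline, snapshot(root), approved={"sshd_config"})
```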
