Requirement 11: Regularly test security systems and processes

Regularly test security systems and processes

Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

Section PCI Requirement Comments Responsibilities on Artsman Cloud
11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.

Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.

 iStumbler is a great little tool on the mac that is donation ware - it can find a lot of items that are broadcasting signals.

Alternately, inspect each device that is within the card portion of the network and make sure wireless is off.

Note: on AMS cloud servers, all network connections are physical wiring - there are no possible WIFI access points.

Artsman: N/A - no access points
Customer: workstations
11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.   Artsman: N/A - no access points
Customer: workstations
11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.   Artsman: N/A - no access points
Customer: workstations
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.

For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies

  1. the most recent scan result was a passing scan,
  2. the entity has documented policies and procedures requiring quarterly scanning, and
  3. vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
  Artsman: web sales and database scans
Customer: workstation scans
11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all "high-risk" vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.   Artsman: web sales and database
Customer: workstations
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.

Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).

Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.

  Artsman: web sales and database
Customer: workstations
11.2.3 Perform internal and external scans, and rescans as needed, after any significant change.

Scans must be performed by qualified personnel.

   Artsman: web sales and database
Customer: workstations
11.3 Implement a methodology for penetration testing that includes the following:
  • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results.
  Artsman: web sales and database tests
Customer: workstation tests
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).   Artsman: web sales and database
Customer: workstations
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).   Artsman: web sales and database
Customer: workstations
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.   Artsman: web sales and database
Customer: workstations
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.   Artsman: web sales and database
Customer: workstations
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

   Artsman: web sales and database
Customer: workstations
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

   Artsman: web sales and database
Customer: workstations
11.5.1 Implement a process to respond to any alerts generated by the change- detection solution.   Artsman: web sales and database
Customer: workstations
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties   Artsman: web sales and database
Customer: workstations