Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
Section | PCI Requirement | Comments | Responsibilities on Artsman Cloud
--- | --- | --- | ---
11.1 | Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices. | iStumbler is a great little donationware tool on the Mac; it can find a lot of devices that are broadcasting signals. Alternatively, inspect each device within the card-processing portion of the network and make sure wireless is off. Note: on AMS cloud servers all network connections are physical wiring, so there are no possible Wi-Fi access points. | Artsman: N/A (no access points). Customer: workstations.
11.1.1 | Maintain an inventory of authorized wireless access points including a documented business justification. | | Artsman: N/A (no access points). Customer: workstations.
11.1.2 | Implement incident response procedures in the event unauthorized wireless access points are detected. | | Artsman: N/A (no access points). Customer: workstations.
11.2 | Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed. For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies | | Artsman: web sales and database scans. Customer: workstation scans.
11.2.1 | Perform quarterly internal vulnerability scans and rescans as needed, until all "high-risk" vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel. | | Artsman: web sales and database. Customer: workstations.
11.2.2 | Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc. | | Artsman: web sales and database. Customer: workstations.
11.2.3 | Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. | | Artsman: web sales and database. Customer: workstations.
11.3 | Implement a methodology for penetration testing that includes the following: | | Artsman: web sales and database tests. Customer: workstation tests.
11.3.1 | Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). | | Artsman: web sales and database. Customer: workstations.
11.3.2 | Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). | | Artsman: web sales and database. Customer: workstations.
11.3.3 | Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. | | Artsman: web sales and database. Customer: workstations.
11.3.4 | If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE. | | Artsman: web sales and database. Customer: workstations.
11.4 | Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. | | Artsman: web sales and database. Customer: workstations.
11.5 | Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider). | | Artsman: web sales and database. Customer: workstations.
11.5.1 | Implement a process to respond to any alerts generated by the change-detection solution. | | Artsman: web sales and database. Customer: workstations.
11.6 | Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. | | Artsman: web sales and database. Customer: workstations.
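A minimal file-integrity check of the kind Requirement 11.5 describes, as an added example that is not from the original page or from Artsman: it baselines SHA-256 digests of a monitored tree and reports the changes, additions and deletions that a later (for example weekly) comparison finds. The directory layout, file names and contents are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report the three modification classes 11.5 names: changes, additions, deletions."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a small tree, then change, add and delete files."""
    with tempfile.TemporaryDirectory() as tmp:
        cde = Path(tmp) / "cde"          # the monitored tree (constructed sample)
        (cde / "etc").mkdir(parents=True)
        (cde / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (cde / "checkout.php").write_text("<?php echo 'pay'; ?>\n")
        # Keep the baseline outside the monitored tree so it is not itself reported.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(cde)))
        # Events the next scheduled comparison must surface.
        (cde / "checkout.php").write_text("<?php /* tampered */ echo 'pay'; ?>\n")
        (cde / "etc" / "app.conf").unlink()
        (cde / "cron.sh").write_text("echo hi\n")
        return compare(json.loads(baseline_file.read_text()), snapshot(cde))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline belongs off-host or under a separate signing key, and every non-empty result feeds the response process 11.5.1 asks for.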