PCI DSS Requirement 11 of 12

choose sub requirement:

Requirement 11.1

Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.

Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.

Testing Procedure

11.1.a
Examine policies and procedures to verify processes are defined for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis.

11.1.b
Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

WLAN cards inserted into system components
Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.)
Wireless devices attached to a network port or network device.

11.1.c
If wireless scanning is utilized, examine output from recent wireless scans to verify that:

Authorized and unauthorized wireless access points are identified, and
The scan is performed at least quarterly for all system components and facilities.

11.1.d
If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to notify personnel.

Guidance for 11.1 through 11.1.2

Implementation and/or exploitation of wireless technology within a network are some of the most common paths for malicious users to gain access to the network and cardholder data. If a wireless device or network is installed without a company’s knowledge, it can allow an attacker to easily and “invisibly” enter the network. Unauthorized wireless devices may be hidden within or attached to a computer or other system component, or be attached directly to a network port or network device, such as a switch or router. Any such unauthorized device could result in an unauthorized access point into the environment.

Knowing which wireless devices are authorized can help administrators quickly identify non-authorized wireless devices, and responding to the identification of unauthorized wireless access points helps to proactively minimize the exposure of CDE to malicious individuals.

Due to the ease with which a wireless access point can be attached to a network, the difficulty in detecting their presence, and the increased risk presented by unauthorized wireless devices, these processes must be performed even when a policy exists prohibiting the use of wireless technology.

The size and complexity of a particular environment will dictate the appropriate tools and processes to be used to provide sufficient assurance that a rogue wireless access point has not been installed in the environment.

For example: In the case of a single standalone retail kiosk in a shopping mall, where all communication components are contained within tamper-resistant and tamper-evident casings, performing a detailed physical inspection of the kiosk itself may be sufficient to provide assurance that a rogue wireless access point has not been attached or installed. However, in an environment with multiple nodes (such as in a large retail store, call center, server room or data center), detailed physical inspection is difficult. In this case, multiple methods may be combined to meet the requirement, such as performing physical system inspections in conjunction with the results of a wireless analyzer.

11.1

11.1.1

11.1.2

Requirement 11.1.1

Maintain an inventory of authorized wireless access points including a documented business justification.

Testing Procedure

11.1.1
Examine documented records to verify that an inventory of authorized wireless access points is maintained and a business justification is documented for all authorized wireless access points.

Guidance for 11.1 through 11.1.2

11.1

11.1.1

11.1.2

Requirement 11.1.2

Implement incident response procedures in the event unauthorized wireless access points are detected.

Testing Procedure

11.1.2.a
Examine the organization’s incident response plan (Requirement 12.10) to verify it defines and requires a response in the event that an unauthorized wireless access point is detected.

11.1.2.b
Interview responsible personnel and/or inspect recent wireless scans and related responses to verify action is taken when unauthorized wireless access points are found.

Guidance for 11.1 through 11.1.2

Requirement 11.2

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.

For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.

Testing Procedure

11.2
Examine scan reports and supporting documentation to verify that internal and external vulnerability scans are performed as follows:

Guidance

A vulnerability scan is a combination of automated or manual tools, techniques, and/or methods run against external and internal network devices and servers, designed to expose potential vulnerabilities that could be found and exploited by malicious individuals.

There are three types of vulnerability scanning required for PCI DSS:

Internal quarterly vulnerability scanning by qualified personnel (use of a PCI SSC Approved Scanning Vendor (ASV) is not required)
External quarterly vulnerability scanning, which must be performed by an ASV
Internal and external scanning as needed after significant changes

Once these weaknesses are identified, the entity corrects them and repeats the scan until all vulnerabilities have been corrected.

Identifying and addressing vulnerabilities in a timely manner reduces the likelihood of a vulnerability being exploited and potential compromise of a system component or cardholder data.

Requirement 11.2.1

Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.

Testing Procedure

11.2.1.a
Review the scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period.

11.2.1.b
Review the scan reports and verify that the scan process includes rescans until all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.

11.2.1.c
Interview personnel to verify that the scan was performed by a qualified internal resource(s) or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

Guidance

11.2.1.a and 11.2.1.b
An established process for identifying vulnerabilities on internal systems requires that vulnerability scans be conducted quarterly. Vulnerabilities posing the greatest risk to the environment (for example, ranked “High” per Requirement 6.1) should be resolved with the highest priority.

11.2.1.c
Internal vulnerability scans can be performed by qualified, internal staff that are reasonably independent of the system component(s) being scanned (for example, a firewall administrator should not be responsible for scanning the firewall), or an entity may choose to have internal vulnerability scans performed by a firm specializing in vulnerability scanning.

Requirement 11.2.2

Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.

Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).

Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.

Testing Procedure

11.2.2.a
Review output from the four most recent quarters of external vulnerability scans and verify that four quarterly external vulnerability scans occurred in the most recent 12-month period.

11.2.2.b
Review the results of each quarterly scan and rescan to verify that the ASV Program Guide requirements for a passing scan have been met (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures).

11.2.2.c
Review the scan reports to verify that the scans were completed by a PCI SSC Approved Scanning Vendor (ASV).

Guidance

As external networks are at greater risk of compromise, quarterly external vulnerability scanning must be performed by a PCI SSC Approved Scanning Vendor (ASV).

Requirement 11.2.3

Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.

Testing Procedure

11.2.3.a
Inspect and correlate change control documentation and scan reports to verify that system components subject to any significant change were scanned.

11.2.3.b
Review scan reports and verify that the scan process includes rescans until:

For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
For internal scans, all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.

11.2.3.c
Validate that the scan was performed by a qualified internal resource(s) or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

Guidance

The determination of what constitutes a significant change is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Scanning an environment after any significant changes are made ensures that changes were completed appropriately such that the security of the environment was not compromised as a result of the change. All system components affected by the change will need to be scanned.

Requirement 11.3

Implement a methodology for penetration testing that includes the following:

Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
Includes coverage for the entire CDE perimeter and critical systems
Includes testing from both inside and outside the network
Includes testing to validate any segmentation and scope-reduction controls
Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
Defines network-layer penetration tests to include components that support network functions as well as operating systems
Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
Specifies retention of penetration testing results and remediation activities results.

Note: This update to Requirement 11.3 is a best practice until June 30, 2015, after which it becomes a requirement. Prior to this date, PCI DSS v2.0 requirements for penetration testing must be followed until version 3 is in place.

Testing Procedure

11.3
Examine penetration-testing methodology and interview responsible personnel to verify a methodology is implemented that includes the following:

Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
Includes coverage for the entire CDE perimeter and critical systems
Testing from both inside and outside the network
Includes testing to validate any segmentation and scope-reduction controls
Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
Defines network-layer penetration tests to include components that support network functions as well as operating systems
Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
Specifies retention of penetration testing results and remediation activities results.

Guidance

The intent of a penetration test is to simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment. This allows an entity to gain a better understanding of their potential exposure and develop a strategy to defend against attacks.

A penetration test differs from a vulnerability scan, as a penetration test is an active process that may include exploiting identified vulnerabilities. Conducting a vulnerability scan may be one of the first steps a penetration tester will perform in order to plan the testing strategy, although it is not the only step. Even if a vulnerability scan does not detect known vulnerabilities, the penetration tester will often gain enough knowledge about the system to identify possible security gaps.

Penetration testing is generally a highly manual process. While some automated tools may be used, the tester uses their knowledge of systems to penetrate into an environment. Often the tester will chain several types of exploits together with a goal of breaking through layers of defenses. For example, if the tester finds a means to gain access to an application server, they will then use the compromised server as a point to stage a new attack based on the resources the server has access to. In this way, a tester is able to simulate the methods performed by an attacker to identify areas of potential weakness in the environment.

Penetration testing techniques will be different for different organizations, and the type, depth, and complexity of the testing will depend on the specific environment and the organization’s risk assessment.

Requirement 11.3.1

Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

Testing Procedure

11.3.1.a
Examine the scope of work and results from the most recent external penetration test to verify that penetration testing is performed as follows:

Per the defined methodology
At least annually
After any significant changes to the environment.

11.3.1.b
Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

Guidance for 11.3.1 through 11.3.3

Penetration testing conducted on a regular basis and after significant changes to the environment is a proactive security measure that helps minimize potential access to the CDE by malicious individuals.

The determination of what constitutes a significant upgrade or modification is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Performing penetration tests after network upgrades and modifications provides assurance that the controls assumed to be in place are still working effectively after the upgrade or modification.

Requirement 11.3.2

Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

Testing Procedure

11.3.2.a
Examine the scope of work and results from the most recent internal penetration test to verify that penetration testing is performed as follows.

Per the defined methodology
At least annually
After any significant changes to the environment.

11.3.2.b
Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

Guidance for 11.3.1 through 11.3.3

Requirement 11.3.3

Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.

Testing Procedure

11.3.3
Examine penetration testing results to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed the vulnerability was corrected.

Guidance for 11.3.1 through 11.3.3

Requirement 11.3.4

If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

Testing Procedure

11.3.4.a
Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

11.3.4.b
Examine the results from the most recent penetration test to verify that:

Penetration testing to verify segmentation controls is performed at least annually and after any changes to segmentation controls/methods.
The penetration testing covers all segmentation controls/methods in use.
The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

Guidance

Penetration testing is an important tool to confirm that any segmentation in place to isolate the CDE from other networks is effective. The penetration testing should focus on the segmentation controls, both from outside the entity’s network and from inside the network but outside of the CDE, to confirm that they are not able to get through the segmentation controls to access the CDE. For example, network testing and/or scanning for open ports, to verify no connectivity between in-scope and out-of-scope networks.

11.4

Requirement 11.4

Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

Testing Procedure

11.4.a
Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic:

At the perimeter of the cardholder data environment
At critical points in the cardholder data environment.

11.4.b
Examine system configurations and interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises.

11.4.c
Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection.

Guidance

Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.

11.5

11.5.1

Requirement 11.5

Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

Testing Procedure

11.5.a
Verify the use of a change-detection mechanism within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities.

Examples of files that should be monitored:

System executables
Application executables
Configuration and parameter files
Centrally stored, historical or archived, log and audit files
Additional critical files determined by entity (for example, through risk assessment or other means).

11.5.b
Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly.

Guidance for 11.5 and 11.5.1

Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.

11.5

11.5.1

Requirement 11.5.1

Implement a process to respond to any alerts generated by the change-detection solution.

Testing Procedure

11.5.1
Interview personnel to verify that all alerts are investigated and resolved.

Guidance for 11.5 and 11.5.1

11.6

Requirement 11.6

Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.

Testing Procedure

11.6
Examine documentation and interview personnel to verify that security policies and operational procedures for security monitoring and testing are:

Documented,
In use, and
Known to all affected parties.

Guidance

Personnel need to be aware of and following security policies and operational procedures for security monitoring and testing on a continuous basis.

Goal: Regularly Monitor and Test Networks

Requirement 11.0

Regularly test security systems and processes

Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.