PCI Readiness Series: Requirement 11


PCI Requirement 11: Validating Your Security Program

This session in our PCI Readiness series focuses on Requirement 11. This requirement mandates regular monitoring and testing of security systems and processes, which validates an organization’s risk/threat management program. Jeff Wilder, Director of PCI Services, leads this session.

Before diving into the requirements, we always recommend you think about what your scope is. The scope of the Cardholder Data Environment (CDE) determines the extent to which all controls must be in place. The scope includes all people, processes, and technologies that store, process, or transmit cardholder data and all system components connected to the CDE. If in-scope, all controls apply; if not in-scope, there is no concern to PCI. Errors in scoping can lead to serious consequences.

The purpose of Requirement 11 is to validate your risk/threat management program and assess if it’s functioning correctly. To successfully validate your system, scans should validate your risk identification and risk ranking program. Internal scan results should be used to address risk through your risk management program. External scans should be addressed based on CVSS scores.

The sub-requirements of Requirement 11 include:

PCI Requirement 11.1 – You are required to identify rogue wireless devices that may have been placed in your environment, at least quarterly. You must keep a list of what is authorized so you can define what isn’t authorized. Physical inspection is the best way to meet this objective.

PCI Requirement 11.2 – Every 90 days you are required to scan for internal and external vulnerabilities. Also, any time a significant change is made to your environment, you must perform a scan.

PCI Requirement 11.3 – You must perform a penetration test at least annually and after any significant change to your environment. It must be performed by a qualified individual, cover both internal and external testing, cover the application and network layers, validate that segmentation is effective, and you must keep the results of the test and the remediation for your audit.

PCI Requirement 11.4 – Install an intrusion detection/prevention system (IDS/IPS) at the perimeter and at critical points within the CDE. It needs to be configured and maintained according to the manufacturer’s standards. A host-based IDS/IPS is also acceptable.

PCI Requirement 11.5 – Install a File Integrity Monitoring (FIM) solution that monitors critical files, runs its comparison at least weekly, and follows up on any exceptions.
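To make the 11.5 comparison concrete, the following is an added example (not from the webinar or any particular FIM product): it records SHA-256 baselines for a list of critical files, re-checks them, and reports the exceptions an analyst would have to follow up on. The file names and contents are constructed in a temporary directory purely for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, critical: list[str]) -> dict[str, str]:
    """Record the digest of each critical file (paths relative to root)."""
    return {rel: file_digest(root / rel) for rel in critical if (root / rel).is_file()}


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Return the exceptions: files whose digest changed and files that vanished."""
    exceptions: dict[str, list[str]] = {"modified": [], "missing": []}
    for rel, expected in baseline.items():
        current = root / rel
        if not current.is_file():
            exceptions["missing"].append(rel)
        elif file_digest(current) != expected:
            exceptions["modified"].append(rel)
    return exceptions


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three files, then simulate drift and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=localhost\n")
        (root / "etc" / "tls.pem").write_text("placeholder certificate\n")
        (root / "bin" / "payment").write_bytes(b"\x7fELF placeholder binary")
        critical = ["etc/app.conf", "etc/tls.pem", "bin/payment"]
        baseline = build_baseline(root, critical)
        # Drift that the weekly run must surface: a config edit and a deleted certificate.
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (root / "etc" / "tls.pem").unlink()
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored outside the monitored host and the exceptions routed into the ticketing or risk-management workflow the webinar describes.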

Listen to the full webinar to learn about the details of Requirement 11 and hear the Q&A portion.