The Payment Card Industry Data Security Standard (PCI DSS) applies to the networks, systems, and other equipment that store, process, or transmit payment card data, with the goal of reducing card fraud. The standard has 12 requirements that must be met not only to stay compliant, but to build and maintain a security posture that actually protects sensitive financial data.
Requirement 11 is of particular importance: it states that organizations must regularly test security systems and processes. That testing shows whether the other requirements are actually being met and where improvements are needed. So what exactly does this provision entail? Let’s take an in-depth look at the details of Requirement 11 (numbered here as in PCI DSS v3.2.1; v4.0 renumbers these sub-requirements) and at how a comprehensive penetration testing tool like Core Impact can help you meet it.
PCI DSS Requirement 11.1
Implement processes to test for the presence of wireless access points and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. Maintain an inventory of authorized wireless access points and implement incident response procedures in the event unauthorized wireless access points are detected.
Core Impact can detect and inventory all wireless access points within range, along with the client devices associated with them. Client devices that are “beaconing” (powered on, not yet associated, and probing for an access point) can also be identified. Users can then compare the detected access points against the authorized inventory and determine whether any unapproved access points are running.
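The reconciliation step described above (detected access points versus the authorized inventory) is straightforward to get wrong if the two lists are matched on network name. The following is an added example, not Core Impact code: the inventory, the survey rows, and the four output categories are constructed for illustration. It matches on BSSID (the radio’s MAC address), because the SSID is chosen by whoever runs the radio and therefore cannot prove that an access point is yours, and it reports separately the case where an unknown radio is broadcasting one of your SSIDs.

```python
"""Reconcile a wireless survey against the authorized access-point inventory.

Added example for the Requirement 11.1 check; it is not Core Impact code.
The inventory, the survey rows and the output categories are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str    # radio MAC address as reported (any common separator/case)
    ssid: str     # network name as broadcast ("" if hidden)
    channel: int


def normalize_bssid(bssid: str) -> str:
    """Canonical lowercase 'aa:bb:cc:dd:ee:ff' so inventory and survey keys match."""
    digits = bssid.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed BSSID: {bssid!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(detected, authorized):
    """Split a survey into findings relative to the authorized inventory.

    Matching is on BSSID only: the SSID is set by whoever runs the radio,
    so it cannot prove that an access point is ours.
    """
    inventory = {normalize_bssid(ap.bssid): ap for ap in authorized}
    our_ssids = {ap.ssid for ap in authorized}
    seen = set()
    result = {"unauthorized": [], "ssid_spoof": [], "misconfigured": [], "missing": []}

    for ap in detected:
        key = normalize_bssid(ap.bssid)
        if key in inventory:
            seen.add(key)
            if ap.ssid != inventory[key].ssid:
                # known radio, wrong network name: check the controller config
                result["misconfigured"].append(ap)
        elif ap.ssid in our_ssids:
            # our network name on a radio we do not own: possible evil twin
            result["ssid_spoof"].append(ap)
        else:
            result["unauthorized"].append(ap)

    # Inventory entries not heard at all: powered off, out of range, or the
    # inventory is stale. Either way the inventory needs a follow-up.
    result["missing"] = [ap for key, ap in inventory.items() if key not in seen]
    return result


# Constructed data: three authorized radios, and a survey that hears two of
# them plus two strangers.
AUTHORIZED = [
    AccessPoint("AA:BB:CC:DD:EE:01", "CORP-CDE", 6),
    AccessPoint("aa-bb-cc-dd-ee-02", "CORP-CDE", 11),
    AccessPoint("aa:bb:cc:dd:ee:03", "CORP-GUEST", 1),
]
SURVEY = [
    AccessPoint("aa:bb:cc:dd:ee:01", "CORP-CDE", 6),
    AccessPoint("aa:bb:cc:dd:ee:02", "CORP-CDE", 11),
    AccessPoint("de:ad:be:ef:00:01", "CORP-CDE", 6),   # our SSID, unknown radio
    AccessPoint("12:34:56:78:9a:bc", "Linksys", 3),    # unknown radio, foreign SSID
]


def survey_report(detected=SURVEY, authorized=AUTHORIZED):
    """Map each category to a sorted list of canonical BSSIDs for the report."""
    findings = reconcile(detected, authorized)
    return {cat: sorted(normalize_bssid(ap.bssid) for ap in aps)
            for cat, aps in findings.items()}


if __name__ == "__main__":
    for category, bssids in survey_report().items():
        print(f"{category:13s} {', '.join(bssids) or '-'}")
```

Two caveats a practitioner should keep in mind. An access point in the `ssid_spoof` bucket is not automatically an attack (a neighbouring tenant can pick the same name), but it is the one category that warrants the incident response procedure Requirement 11.1 asks for, because clients in the cardholder data environment may associate to it. And a rogue access point plugged into the wired cardholder network will usually not broadcast your SSID at all, which is why the inventory, not the network name, has to be the reference.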
PCI DSS Requirement 11.2
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Perform rescans as needed until all “high-risk” vulnerabilities are resolved. Scans must be performed by qualified personnel.
Core Impact can automatically validate both internal and external vulnerabilities found during a scan. Using the “Vulnerability Scanner Validator,” Core Impact can automatically take the results from a vulnerability scan and test the vulnerabilities directly to confirm that they are present in the target.
Additionally, Core Impact can validate efforts made to patch these vulnerabilities. With the “Remediation Validator,” Core Impact can retest a list of targets to ensure that remediation efforts were successful, then produce a report that will highlight the changes from the original test.
11.2.2 Quarterly external vulnerability scans must be performed via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
Both internal and external scan results can be imported into Core Impact and correlated, and the “Remediation Validation” test can be run against them. All critical vulnerabilities can be retested once remediation is complete.
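The remediation-validation step described above (retest the original targets, then highlight what changed) reduces to a diff between two result sets plus a pass/fail gate on what remains. The following is an added example, not Core Impact code: the CSV layout is an assumption rather than any scanner’s export format, and both scans are constructed. Findings are keyed on host, port and check identifier, so that a fixed issue, an untouched issue, and an issue newly introduced by the remediation work are reported separately, and the gate fails if anything at or above the threshold remains, including new findings.

```python
"""Diff a baseline vulnerability scan against a rescan and apply the
"all high-risk findings resolved" gate from Requirement 11.2.

Added example for the remediation-validation step; it is not Core Impact
code. The CSV layout is an assumption, not any scanner's export format,
and both scans below are constructed.
"""
import csv
import io

# Numeric ranks so a threshold can be compared. The labels should follow the
# organization's own risk ranking, which is what Requirement 11.2 refers to.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_scan(csv_text):
    """Return {(host, port, plugin_id): severity} from a host,port,plugin_id,severity CSV."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        severity = row["severity"].strip().lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {row['severity']!r}")
        key = (row["host"].strip(), int(row["port"]), row["plugin_id"].strip())
        # keep the worst rating if the scanner reported the same check twice
        if SEVERITY_RANK[severity] >= SEVERITY_RANK.get(findings.get(key), 0):
            findings[key] = severity
    return findings


def diff_scans(baseline, rescan):
    """Classify every finding as resolved, persistent or new relative to the baseline."""
    return {
        "resolved": sorted(k for k in baseline if k not in rescan),
        "persistent": sorted(k for k in baseline if k in rescan),
        "new": sorted(k for k in rescan if k not in baseline),
    }


def outstanding(rescan, threshold="high"):
    """Rescan findings at or above the threshold. New findings count too: a
    remediation that introduced a fresh high-risk issue has not passed."""
    floor = SEVERITY_RANK[threshold]
    return sorted(k for k, sev in rescan.items() if SEVERITY_RANK[sev] >= floor)


def validate(baseline_csv, rescan_csv, threshold="high"):
    """Full report: what changed between the scans and whether the rescan passes."""
    baseline, rescan = parse_scan(baseline_csv), parse_scan(rescan_csv)
    report = diff_scans(baseline, rescan)
    report["outstanding"] = outstanding(rescan, threshold)
    report["passes"] = not report["outstanding"]
    return report


BASELINE_CSV = """host,port,plugin_id,severity
10.0.0.5,443,SSL-001,high
10.0.0.5,22,SSH-007,medium
10.0.0.6,3389,RDP-042,critical
10.0.0.7,80,HTTP-010,low
"""

# First rescan: one fix confirmed, one host untouched, and a new high-risk
# finding on a host the remediation change exposed.
RESCAN_1_CSV = """host,port,plugin_id,severity
10.0.0.5,22,SSH-007,medium
10.0.0.6,3389,RDP-042,critical
10.0.0.7,80,HTTP-010,low
10.0.0.8,445,SMB-003,high
"""

# Second rescan after the remaining work: only low/medium findings remain.
RESCAN_2_CSV = """host,port,plugin_id,severity
10.0.0.5,22,SSH-007,medium
10.0.0.7,80,HTTP-010,low
"""


if __name__ == "__main__":
    for label, rescan_csv in (("rescan 1", RESCAN_1_CSV), ("rescan 2", RESCAN_2_CSV)):
        r = validate(BASELINE_CSV, rescan_csv)
        print(f"{label}: passes={r['passes']} resolved={len(r['resolved'])} "
              f"new={len(r['new'])} outstanding={r['outstanding']}")
```

The threshold is a parameter because the “high” in Requirement 11.2 is the organization’s own risk ranking, not whichever label a particular scanner prints by default. Note also that a tool like this validates your internal remediation cycle; for 11.2.2 the passing external scan must still come from the ASV itself.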
PCI DSS Requirement 11.3
Implement a methodology for penetration testing that includes external and internal penetration testing.
Core Impact provides a complete, intuitive, and repeatable methodology for penetration testing through its “Rapid Penetration Test” (or RPT) wizards. Core Impact offers comprehensive testing across network, web application, and client-side/social engineering vectors. RPTs are also available when these vectors interrelate, as well as for wireless/WiFi networks and mobile devices.
Meeting Every PCI DSS Requirement
With Core Impact’s automations, vulnerability scanner integrations, and dynamic reporting, organizations can efficiently and effectively complete the testing that Requirement 11 calls for. But what about the other requirements? Though PCI DSS can seem daunting and time consuming, many parts of the standard can also be streamlined with tooling, such as identity governance and access management products for the user privilege and authentication requirements.
One of the most compelling aspects of PCI DSS is that, unlike many other regulations, it was not created by an outside entity. It was created by the payment card brands themselves, which recognized that mandating security requirements would be essential to payment cards remaining a trusted payment method in the internet age. Staying compliant with PCI DSS does take a concerted effort, but it shouldn’t be seen as disruptive to business as usual. It is critical to business as usual.