The Payment Card Industry Data Security Standard (PCI DSS) creates policies and procedures for networks, systems, and other payment card processing equipment in order to reduce credit card fraud. It includes 12 main provisions that must be adhered to not only to stay compliant, but to build and maintain a strong security posture that protects sensitive financial data.
Requirement 11 is of particular importance, stating that organizations must regularly test security systems and processes. Through this testing, organizations can learn whether they’re effectively meeting compliance requirements and gain insight into how to improve areas of weakness. So what exactly does this vital provision entail? Let’s take an in-depth look at the details of Requirement 11, and find out why a comprehensive pen testing tool like Core Impact can help you adhere to it.
PCI DSS Requirement 11.2
Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
Core Impact has the ability to detect and inventory all wireless access points within range, as well as any devices connected to these access points. Devices “beaconing” (powered on, but not connected and looking for an access point) can also be identified. Users can then compare the list of identified access points to the authorized list, and determine if there are any unapproved access points running.
PCI DSS Requirement 11.3
External and internal vulnerabilities are regularly identified, prioritized, and addressed.
Core Impact can validate and prioritize both internal and external vulnerabilities found during a scan. Using the “Vulnerability Scanner Validator,” Core Impact can automatically import the results from a vulnerability scan and test the vulnerabilities directly to confirm that they are present in the target. A PCI Vulnerability Validation Report can be easily generated to both ensure and prove compliance. To make the process even more effortless, Core Impact can be bundled with Frontline VM, a powerful vulnerability scanner with proprietary scanning technology. Frontline VM seamlessly integrates with Core Impact for one-step vulnerability validation.
Additionally, Core Impact can validate efforts made to patch these vulnerabilities. With the “Remediation Validator,” Core Impact can retest a list of targets to ensure that remediation efforts were successful, then produce a report that will highlight the changes from the original test.
11.3.2.1 External vulnerability scans are performed after any significant change as follows:
- Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved
- Rescans are conducted as needed
- Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV)
Both internal and external scans can be imported into Core Impact and correlated, and the “Remediation Validation” test can be run against the results. All critical vulnerabilities can be retested once remediation is complete.
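As an added illustration (not Core Impact’s or Frontline VM’s code), the following Python check models the 11.3.2.1 workflow described above: it diffs an original external scan against the rescan taken after remediation, lists what was resolved, what remains and what is new, and flags any remaining or newly introduced finding scored 4.0 or higher as blocking sign-off. The scan records are constructed sample values.

```python
# Constructed sample findings, reduced to (host, finding id, CVSS base score).
# These are illustrative values, not real scanner output.
ORIGINAL_SCAN = [
    ("203.0.113.10", "ssl-weak-cipher", 5.3),
    ("203.0.113.10", "outdated-openssh", 7.5),
    ("203.0.113.12", "http-trace-enabled", 3.7),
    ("203.0.113.15", "default-creds-web", 9.8),
]
RESCAN = [
    ("203.0.113.10", "ssl-weak-cipher", 5.3),     # still present: blocks sign-off
    ("203.0.113.12", "http-trace-enabled", 3.7),  # still present, but below 4.0
    ("203.0.113.15", "tls-1.0-enabled", 8.1),     # newly introduced by the change
]

PCI_CVSS_THRESHOLD = 4.0  # 11.3.2.1: findings scored 4.0 or higher must be resolved


def validate_remediation(original, rescan, threshold=PCI_CVSS_THRESHOLD):
    """Compare a rescan against the original external scan.

    Returns the findings that were resolved, those still open, those newly
    seen, the subset of open or new findings at or above the threshold
    (the ones that keep the scan from passing), and an overall pass flag.
    """
    before = {(host, vuln): score for host, vuln, score in original}
    after = {(host, vuln): score for host, vuln, score in rescan}
    resolved = sorted(key for key in before if key not in after)
    remaining = sorted(key for key in before if key in after)
    new = sorted(key for key in after if key not in before)
    # Any still-open or new finding at/above the threshold needs another rescan.
    blocking = sorted(key for key in remaining + new if after[key] >= threshold)
    return {
        "resolved": resolved,
        "remaining": remaining,
        "new": new,
        "blocking": blocking,
        "passes": not blocking,
    }


if __name__ == "__main__":
    report = validate_remediation(ORIGINAL_SCAN, RESCAN)
    for section in ("resolved", "remaining", "new", "blocking"):
        print(f"{section}:")
        for host, vuln in report[section]:
            print(f"  {host}  {vuln}")
    print("rescan passes 11.3.2.1 threshold:", report["passes"])
```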
Combining Core Impact with a vulnerability management tool such as Frontline VM can enhance your offensive security program by identifying and prioritizing security weaknesses.
PCI DSS Requirement 11.4
External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
Core Impact provides a complete, intuitive, and repeatable methodology for penetration testing through its “Rapid Penetration Test” (or RPT) wizards. Core Impact offers comprehensive testing across network, web application, and client-side/social engineering vectors. RPTs are also available when these vectors interrelate, as well as for wireless/Wi-Fi networks and mobile devices.
Meeting Every PCI DSS Requirement
With Core Impact’s automations, vulnerability scan integrations, and dynamic reporting, organizations can efficiently and effectively complete the tests necessary for Requirement 11. But what about the other requirements? Though PCI DSS can seem daunting and time-consuming, many parts of this regulation can also be streamlined using identity governance and access management tools to help with user privileges and authentication security.
One of the most compelling aspects of PCI DSS is that this standard was not created by an outside entity, like many other regulations. Instead, it was created by the credit card businesses themselves, recognizing that mandating security requirements would be paramount to credit cards remaining reliable in the internet age. Though staying compliant with PCI DSS does take a concerted effort, it shouldn’t be seen as disruptive to business as usual, but instead as critical to business as usual.