*This blog was recently updated to reflect product updates as well as the most recent release of PCI DSS v3.2.*
Time is ticking if you aren’t yet PCI DSS v3.0 compliant. The new version of the standard went into effect Jan. 1, 2014, but many organizations took advantage of the option to certify compliance under the old version last year. Now that it’s 2015, businesses must make the leap to 3.0. The 2015 edition of the Verizon PCI report shows that companies are getting better at reaching full PCI compliance overall, but Requirement 11 presents a significant obstacle. The report includes a year-over-year compliance comparison for each of the 12 requirements, and Requirement 11 was the only one in which compliance declined. Below, I’ve isolated “what’s new” in PCI Requirement 11 and outlined how Core Impact Pro can help you through the transition to version 3.0.
11.1.x Maintain an inventory of authorized wireless access points together with a business justification for each (11.1.1), to support scanning for unauthorized wireless devices, and align with the existing testing procedure by defining incident response procedures for the case where unauthorized wireless access points are detected.
With one Core Impact Pro module you can seamlessly detect and inventory all wireless access points within range, as well as any devices connected to them. Devices “beaconing” (powered on, but not connected and looking for an access point) can also be identified. Any access points that are not authorized can be flagged and segmented.
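The reconciliation step behind that inventory requirement, as an added example with constructed data (this is not Core Impact Pro's module, and the survey record layout is an assumption): a sweep result is compared against the authorized list keyed by BSSID, and each radio is classified as authorized, misconfigured (known radio, unexpected SSID), SSID impersonation (a corporate SSID name from a radio that is not in the inventory), or rogue. Inventoried radios that were not seen are reported separately, since they are usually just out of range and warrant a physical check rather than an incident.

```python
"""Reconcile a wireless survey with the authorized access-point inventory that
PCI DSS 11.1.1 asks for. Added example with constructed sample data; it is not
Core Impact Pro's own logic, and the survey format is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    clients: tuple = ()      # MAC addresses seen associated with this BSSID


# Constructed inventory: BSSID -> expected SSID, location and business justification
AUTHORIZED_INVENTORY = {
    "00:11:22:AA:BB:01": {"ssid": "CORP-POS", "location": "Store 12 back office",
                          "justification": "POS terminal connectivity"},
    "00:11:22:AA:BB:02": {"ssid": "CORP-POS", "location": "Store 12 sales floor",
                          "justification": "POS terminal connectivity"},
    "00:11:22:AA:BB:03": {"ssid": "CORP-GUEST", "location": "Store 12 lobby",
                          "justification": "Customer Wi-Fi, segmented from the CDE"},
}

# Constructed survey results (sample data, not the output of any real scanner)
SURVEY = [
    AccessPoint("00:11:22:aa:bb:01", "CORP-POS", 6, -41, ("d4:3d:7e:00:00:a1",)),
    AccessPoint("00:11:22:aa:bb:03", "CORP-GUEST", 11, -55),
    AccessPoint("f8:1a:67:00:00:99", "CORP-POS", 6, -38, ("d4:3d:7e:00:00:b2",)),  # corporate SSID from an unknown radio
    AccessPoint("34:af:2c:00:00:10", "NETGEAR-5G", 36, -70),                        # unknown SSID and unknown radio
]


def normalize_mac(mac):
    """Inventories and sweep tools disagree on case; compare MACs in one form."""
    return mac.strip().lower()


def classify_access_points(survey, inventory):
    """Return sorted BSSID lists per category plus clients attached to anything unauthorized."""
    inv = {normalize_mac(b): entry for b, entry in inventory.items()}
    authorized_ssids = {entry["ssid"] for entry in inv.values()}
    result = {"authorized": [], "misconfigured": [], "ssid_impersonation": [],
              "rogue": [], "not_seen": [], "clients_on_unauthorized": []}
    seen = set()
    for ap in survey:
        bssid = normalize_mac(ap.bssid)
        if bssid in inv:
            seen.add(bssid)
            # inventoried radio, but broadcasting a different SSID than recorded
            category = "authorized" if ap.ssid == inv[bssid]["ssid"] else "misconfigured"
        elif ap.ssid in authorized_ssids:
            category = "ssid_impersonation"   # our SSID name from a radio we do not own
        else:
            category = "rogue"
        result[category].append(bssid)
        if category != "authorized":
            result["clients_on_unauthorized"].extend(normalize_mac(c) for c in ap.clients)
    # inventoried but not within range during this sweep: a physical check, not an incident
    result["not_seen"] = sorted(set(inv) - seen)
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    findings = classify_access_points(SURVEY, AUTHORIZED_INVENTORY)
    for category, bssids in findings.items():
        print(f"{category:24s} {', '.join(bssids) or '-'}")
    for bssid in findings["not_seen"]:
        entry = AUTHORIZED_INVENTORY[bssid.upper()]
        print(f"check {bssid} at {entry['location']} ({entry['justification']})")
```

Clients associated with anything outside the "authorized" category are listed because they are the devices that may be bridging into the cardholder data environment, which is what the incident response procedure needs to know first.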
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. (Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed.)
Core Impact Pro allows for correlating scans that are imported into “Workspaces.” A “Workspace” is a secure environment that organizes and stores data and can be filtered on test or scan type. Core Impact Pro allows the retesting of network and web assets that have been identified as vulnerable, to ensure they have been corrected.
11.2.1 Quarterly internal vulnerability scans include rescans as needed until all “high” vulnerabilities are resolved, and must be performed by qualified personnel.
For continuous rescans and validation of “high” vulnerabilities when remediation work is split across teams, “Remediation Validation” in Core Impact Pro allows testers to re-test network and web assets previously identified as vulnerable. The output report compares the new results with the original results and confirms that “high” vulnerabilities have been remediated and resolved.
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
Both internal and external scans can be imported into Core Impact and correlated, and “Remediation Validation” can be run against the results. All critical vulnerabilities can be retested once remediation is complete.
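The comparison at the heart of both the 11.2.1 and 11.2.2 passages above (combine reports, rescan, confirm the highs are gone), as an added example with constructed data: this is not Core Impact Pro's “Remediation Validation” logic, the CSV layout is an assumed generic scanner export, and the hosts and vulnerability IDs are placeholders. It merges several reports into one view, diffs a baseline against a rescan, and refuses to call a finding resolved when its host was not actually covered by the rescan.

```python
"""Remediation validation: diff a baseline vulnerability scan against a rescan and
decide whether the "no open high vulnerabilities" condition is met.
Added example with constructed data; the CSV layout is an assumed generic export,
and every host and vuln_id below is a placeholder."""
import csv
import io

RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

BASELINE_CSV = """host,vuln_id,severity,title
10.0.1.5,V-0001,high,Placeholder finding A
10.0.1.5,V-0002,medium,Placeholder finding B
10.0.1.7,V-0003,high,Placeholder finding C
10.0.1.9,V-0004,low,Placeholder finding D
"""

RESCAN_CSV = """host,vuln_id,severity,title
10.0.1.5,V-0002,medium,Placeholder finding B
10.0.1.7,V-0003,high,Placeholder finding C
10.0.1.7,V-0005,high,Placeholder finding E (introduced since baseline)
"""

SCOPE_HOSTS = ["10.0.1.5", "10.0.1.7", "10.0.1.9"]   # in-scope systems for the quarter
RESCAN_HOSTS = ["10.0.1.5", "10.0.1.7"]               # hosts the rescan actually covered


def parse_scan(csv_text):
    """Return {(host, vuln_id): severity}; a duplicated row keeps the higher severity."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        sev = row["severity"].strip().lower()
        if sev not in RANK:
            raise ValueError(f"unknown severity {sev!r} for {row['host']} {row['vuln_id']}")
        key = (row["host"].strip(), row["vuln_id"].strip())
        if key not in findings or RANK[sev] > RANK[findings[key]]:
            findings[key] = sev
    return findings


def merge_scans(*scans):
    """Combine several reports (internal + external, or several tools) into one quarterly view."""
    merged = {}
    for scan in scans:
        for key, sev in scan.items():
            if key not in merged or RANK[sev] > RANK[merged[key]]:
                merged[key] = sev
    return merged


def validate_remediation(baseline, rescan, rescanned_hosts, scope_hosts, threshold="high"):
    """Classify each baseline finding and decide whether the rescan passes.

    threshold: lowest severity that blocks a pass ("high" for 11.2.1 internal scans;
    use whatever threshold applies to the scan type being validated)."""
    rescanned = set(rescanned_hosts)
    resolved, unverified = [], []
    for key in baseline:
        if key in rescan:
            continue
        # a finding that vanished only counts as resolved if its host was rescanned
        (resolved if key[0] in rescanned else unverified).append(key)
    still_open = sorted(k for k in baseline if k in rescan)
    new = sorted(k for k in rescan if k not in baseline)
    unscanned_hosts = sorted(set(scope_hosts) - rescanned)
    blocking = sorted(k for k in still_open + new if RANK[rescan[k]] >= RANK[threshold])
    return {
        "resolved": sorted(resolved),
        "unverified": sorted(unverified),
        "still_open": still_open,
        "new": new,
        "unscanned_hosts": unscanned_hosts,
        "blocking": blocking,
        "passes": not blocking and not unscanned_hosts,
    }


if __name__ == "__main__":
    outcome = validate_remediation(parse_scan(BASELINE_CSV), parse_scan(RESCAN_CSV),
                                   RESCAN_HOSTS, SCOPE_HOSTS)
    for label, items in outcome.items():
        print(f"{label:16s} {items}")
```

Two details matter in practice: the "unverified" bucket keeps a finding on an unscanned host from silently disappearing from the report, and "new" findings are held to the same threshold as old ones, so a high introduced by a change made during remediation still blocks the pass.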
11.3 Implement a methodology for penetration testing.
A complete methodology for penetration testing is organized in Core Impact Pro’s patented “Rapid Penetration Test” (RPT) wizard, which automates the process for network, web application, client-side and end-user tests. Additional modules provide automated testing for wireless networks and for network devices such as routers and switches.