System security is one task of many in organizations focused on compliance, one that requires continuous monitoring and diligence to ensure its success. One of the more critical aspects of compliance requirements like PCI DSS 4.0 is ongoing testing of system and network components.
What does that process look like for companies in the payment industry? It involves a combination of active and passive testing methods to document and follow up on unauthorized changes.
What Does It Mean to Test a System or Network for Security?
Modern IT systems are complex, interacting components across storage, processing, and networking contexts. As such, it’s important to understand the testing requirements for all types of technologies and how these tests address specific issues.
Some common forms of security testing you’ll see in practice, and those required in one form or another in PCI DSS, include:
- Vulnerability Monitoring: Any organization seriously approaching security must monitor their potential vulnerabilities on an ongoing basis. This means keeping track of emerging security threats and using them to measure their weaknesses, whether they come from outside factors or internal changes.
- Network Monitoring: Additionally, with network security being a critical part of overall security and compliance health, organizations must actively monitor their networks for vulnerabilities. This includes tracking unauthorized traffic or attempts to access network access points.
- Penetration Testing: Both vulnerability and network monitoring are considered passive in that an organization should have continuous and ongoing measures. These efforts can catch potential issues as or before they happen. Penetration testing is an active form of testing where professionals launch legitimate attacks against tech infrastructure, internally or externally, to identify vulnerabilities that broader monitoring won’t catch.
- Intrusion Detection: While intrusion detection may seem like a component of monitoring, the practice actually requires significant testing of web traffic, network traffic, and file state changes to determine if there have been any, or will be, issues.
What Is the Eleventh Requirement for PCI DSS 4.0?
The eleventh requirement focuses almost entirely on testing. This includes system and network testing, penetration testing, monitoring requirements and intrusion detection.
11.1 – Processes and Mechanisms for Regularly Testing Security of Systems and Networks
- Documentation: Like every other requirement in PCI DSS 4.0, this requirement expects organizations to formally document, update, and disseminate information regarding their testing and detection capabilities and policies.
- Roles and Responsibilities: Additionally, all roles and responsibilities related to testing, detection, and compliance efforts must be well-defined.
11.2 – Wireless Access Points Are Identified and Monitored
- Management of Wireless Access Points: Organizations must manage authorized and unauthorized wireless access points with extensive testing. This includes testing for the presence of and identifying access points. Detection and testing must occur at least once every three months, and automated testing generates alerts for users.
- Access Point Inventory: Organizations must maintain an inventory of all authorized access points, with a business case justifying their use.
11.3 – External and Internal Vulnerabilities Are Monitored
- Internal Vulnerability Scans: Internal vulnerability scans must occur at least once every three months. Providers must resolve any discovered high-risk vulnerabilities (confirmed with a follow-up rescan), and all scans must be performed by qualified and independent personnel using up-to-date scanning tools. Vulnerabilities that are not rated as high-risk must be addressed based on target risk analysis.
- Authenticated Scanning: Any scans of systems using authentication must use sufficient privileges to test that system thoroughly. Furthermore, it must be documented if a system does not accept user credentials for authenticated scanning.
- External Vulnerability Scans: External scans must be performed at least once every three months by a PCI SSC Approved Scanning Vendor. Any discovered vulnerabilities must be resolved according to the ASV Program Guide and are followed by required rescans.
11.4 – Regular Performance of Penetration Testing
- Penetration Testing Methodology: Penetration tests must be conducted using industry-accepted approaches and attend to the perimeter of all systems containing cardholder data. Pen tests must occur inside and outside the organization and include application-layer and network-layer testing. These tests must also include reviewing and considering threats experienced in the past 12 months. The organization must maintain the results of any penetration tests for at least 12 months.
- Internal Penetration Testing: Internal pen testing must conform to the organization’s methodologies and be performed at least once every 12 months (or after any significant infrastructure change) by a qualified internal or third-party tester with independence from the organization for testing purposes. Internal tests do not require performance by a QSA or ASV-certified auditor.
- Vulnerability Correction: Discovered vulnerabilities must be corrected based on the organizational risk assessment and immediately followed by a repeat of the initial pen test to ensure compliance.
- Pen Testing and Segmentation: If an organization segments cardholder data environments (CDE) from their network, it must pen test segmentation controls across all methods used at least once every 12 months.
11.5 – Network Intrusions and File Changes Are Detected and Responded to
- Intrusion Detection: All network traffic must be monitored at the perimeter of the CDE and critical points within the environment by up-to-date prevention and detection engines. Organizations must notify all personnel of potential compromises.
- Change Detection: Change detection mechanisms must alert personnel to unauthorized modifications of critical files and perform essential file comparisons at least weekly.
11.6 – Unauthorized Changes on Payment Pages Are Detected and Responded to
- Change- and Tamper-Detection: Change- and tamper-detection mechanisms must be in place for all web pages that accept payments. This includes tools to scan modified HTTP headers and alert personnel of changes. Additionally, these functions must be run at least weekly or on another periodic schedule based on the company’s documented risk profile.
Prepare for PCI DSS 4.0 with Lazarus Alliance
As we dig into the requirements of PCI DSS, you will see the increasing complexity and interoperability of the different technologies, policies, and practices you’ll need to deploy to receive PCI verification and maintain compliance. These practices aren’t just to complete a checklist. However–they are tried-and-true security practices that will help support your security efforts ten years from now.
Are You Thinking Ahead for PCI DSS 4.0?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.