Requirement 11.1.1 is about effectively managing and maintaining the various policies and procedures specified throughout Requirement 11. While it is important to define the specific policies or procedures called out in Requirement 11, it is equally important to ensure they are properly documented, maintained, and disseminated.
It is important to update policies and procedures as needed to address changes in processes, technologies, and business objectives. For these reasons, consider updating these documents as soon as possible after a change occurs and not only on a periodic cycle.
Security policies define the entity's security objectives and principles. Operational procedures describe how to perform activities, and define the controls, methods, and processes that are followed to achieve the desired result in a consistent manner and in accordance with policy objectives.
If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities and critical activities may not occur.
Roles and responsibilities may be documented within policies and procedures or maintained within separate documents. As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.
A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).
Unauthorized wireless access points connected to the network can provide an uncontrolled entry point for attackers. Detecting authorized and unauthorized wireless access points helps ensure that only approved wireless devices are present in the environment.
Testing for the presence of wireless access points, and detecting and identifying both authorized and unauthorized ones, should occur at least once every three months and should cover every location where CDE components reside. Scans should identify all wireless access points within range of the facility, including devices that are not connected to the entity's network, since a rogue device must first be found before it can be determined whether it is plugged into the CDE. If automated monitoring (for example a wireless IDS/IPS or NAC-integrated detection) is used, it should generate alerts to personnel so that rogue devices are detected continuously rather than only at the quarterly scan.
Methods for detecting unauthorized wireless access points include wireless network scans using a wireless analyzer, physical/logical inspection of system components and infrastructure, and network access control (NAC) solutions.
Maintaining an inventory of authorized wireless access points helps in identifying unauthorized devices. Without a current inventory, it may be difficult to distinguish between authorized and unauthorized access points.
The inventory should record, for each authorized wireless access point, at least its identifiers (SSID and the BSSID/MAC address of each radio), make and model, physical location, responsible individual, and a documented business justification for its presence. The inventory should be updated whenever access points are added, removed, or relocated, because detection depends on comparing what is observed during a scan against what is authorized; a stale inventory produces both false positives and missed rogues.
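As an added example that is not part of the original guidance, the following Python script parses the output of the Linux `iw dev <iface> scan` command and compares each access point seen against an inventory keyed by BSSID, which is the comparison a quarterly wireless scan ultimately comes down to. The scan output, SSIDs, BSSIDs and inventory entries are constructed samples, and the verdict names (authorized, ssid-mismatch, evil-twin, unknown) are this example's own.

```python
"""Rogue wireless access point detection against an authorized inventory.

Added example; not part of the original guidance. Parses `iw dev <iface> scan`
output (Linux) and compares every BSS seen with an inventory keyed by BSSID.
The scan output and the inventory below are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    freq_mhz: int
    signal_dbm: float
    encrypted: bool   # True when the beacon advertises the Privacy capability


# Constructed sample of `iw dev wlan0 scan` output, abridged to the fields used.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -45.00 dBm
    SSID: CorpWiFi
BSS 00:11:22:33:44:56(on wlan0)
    freq: 5180
    capability: ESS Privacy (0x0011)
    signal: -52.00 dBm
    SSID: CorpWiFi
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2412
    capability: ESS Privacy (0x0011)
    signal: -38.00 dBm
    SSID: CorpWiFi
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2462
    capability: ESS (0x0001)
    signal: -70.00 dBm
    SSID: FreeWiFi
"""

# Constructed inventory: BSSID -> (authorized SSID, location, responsible individual).
# A dual-band AP has one BSSID per radio, so each radio needs its own entry.
AUTHORIZED_APS = {
    "00:11:22:33:44:55": ("CorpWiFi", "HQ floor 1", "netops"),
    "00:11:22:33:44:56": ("CorpWiFi", "HQ floor 1", "netops"),
    "00:11:22:33:44:57": ("CorpWiFi", "HQ floor 2", "netops"),
}

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")


def parse_iw_scan(text: str) -> list[ObservedAP]:
    """Parse `iw dev <iface> scan` text into ObservedAP records."""
    aps: list[ObservedAP] = []
    current = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            if current is not None:
                aps.append(ObservedAP(**current))
            current = {"bssid": m.group(1).lower(), "ssid": "", "freq_mhz": 0,
                       "signal_dbm": 0.0, "encrypted": False}
            continue
        if current is None:
            continue
        field = line.strip()
        if field.startswith("freq:"):
            current["freq_mhz"] = int(float(field.split()[1]))  # "2437" or "2437.0"
        elif field.startswith("signal:"):
            current["signal_dbm"] = float(field.split()[1])
        elif field.startswith("SSID:"):
            current["ssid"] = field[len("SSID:"):].strip()
        elif field.startswith("capability:"):
            current["encrypted"] = "Privacy" in field
    if current is not None:
        aps.append(ObservedAP(**current))
    return aps


def classify(aps: list[ObservedAP], inventory: dict) -> dict[str, str]:
    """Map each observed BSSID to a verdict.

    authorized    - BSSID in inventory, advertising its authorized SSID
    ssid-mismatch - authorized radio advertising another SSID (misconfigured or hijacked)
    evil-twin     - unknown radio advertising one of the entity's SSIDs
    unknown       - unknown radio and SSID; in range, not necessarily on our network
    """
    our_ssids = {entry[0] for entry in inventory.values()}
    verdicts = {}
    for ap in aps:
        if ap.bssid in inventory:
            verdicts[ap.bssid] = "authorized" if ap.ssid == inventory[ap.bssid][0] else "ssid-mismatch"
        elif ap.ssid in our_ssids:
            verdicts[ap.bssid] = "evil-twin"
        else:
            verdicts[ap.bssid] = "unknown"
    return verdicts


def not_seen(aps: list[ObservedAP], inventory: dict) -> set[str]:
    """Inventory entries absent from the scan: powered off, removed, or a stale record."""
    return set(inventory) - {ap.bssid for ap in aps}


if __name__ == "__main__":
    observed = parse_iw_scan(SAMPLE_SCAN)
    for bssid, verdict in classify(observed, AUTHORIZED_APS).items():
        print(bssid, verdict)
    print("in inventory but not seen:", sorted(not_seen(observed, AUTHORIZED_APS)))
```

On a real host, replace SAMPLE_SCAN with the output of `iw dev wlan0 scan` (run with sufficient privileges) and merge results from every site where CDE components reside. An "unknown" verdict only means a radio is within range, not that it is connected to the entity's network, so it still needs the physical or logical inspection the text describes; an "evil-twin" or "ssid-mismatch" verdict warrants immediate follow-up.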
Internal vulnerability scans help identify known vulnerabilities in system components before they can be exploited by attackers. Regular scanning helps ensure that new vulnerabilities are detected and addressed promptly.
Internal vulnerability scans should be performed at least once every three months and after any significant change. Scans should cover all system components in the CDE and any systems that could affect the security of the CDE. High-risk and critical vulnerabilities, as defined by the entity's own vulnerability risk rankings, should be resolved and rescans performed until they are confirmed resolved. The scan tool should be kept up to date with the latest vulnerability information, and scans should be performed by qualified personnel who are organizationally independent of the systems being scanned (an ASV or QSA is not required for internal scans).
Internal vulnerability scans may identify vulnerabilities of varying severity. Managing all vulnerabilities, not just critical ones, helps reduce the overall risk to the environment.
All vulnerabilities identified during scans should be managed based on their risk level. High-risk and critical vulnerabilities should be addressed first, with a plan for addressing lower-risk vulnerabilities in a reasonable timeframe.
Internal scans performed after significant changes help verify that the changes have not introduced new vulnerabilities. Without post-change scans, vulnerabilities introduced by changes may go undetected.
Scans should be performed after any significant change, such as new system component installations, network topology changes, firewall rule modifications, or product upgrades. Identified vulnerabilities should be remediated promptly.
Rescanning after remediation verifies that vulnerabilities have been successfully addressed. Without rescans, there is no assurance that the remediation was effective.
Rescans should be repeated until all high-risk and critical vulnerabilities are confirmed resolved. A rescan should also be checked for findings that were not present in the original scan, since a fix (for example, a package upgrade or a configuration change) can itself introduce new vulnerabilities. The rescan results should be documented and retained as evidence of remediation.
External vulnerability scans help identify vulnerabilities that are visible from outside the network boundary. These vulnerabilities could be exploited by attackers to gain unauthorized access to the CDE.
External vulnerability scans should be performed at least once every three months by a PCI SSC Approved Scanning Vendor (ASV) and must meet the ASV Program Guide requirements for a passing scan; under that guide, any vulnerability with a CVSS base score of 4.0 or higher is a failing finding and must be resolved and rescanned until a passing result is obtained.
External scans performed after significant changes help verify that the changes have not introduced externally visible vulnerabilities. Without post-change scans, new vulnerabilities may go undetected.
External scans should be performed after significant changes that affect externally facing systems, with vulnerabilities scored 4.0 or higher by CVSS resolved and rescans performed as needed. Unlike the quarterly scans, these post-change scans are not required to be performed by an ASV (or a QSA); they should be performed by qualified personnel who are organizationally independent of the systems being scanned, and the results retained together with the change records that triggered them.
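The following Python example, added here and not taken from the guidance or from any scanner vendor, applies the two pass/fail gates described above to scan findings: for internal scans, anything ranked High or Critical under the entity's own risk ranking must be resolved, and for ASV external scans any finding with a CVSS score of 4.0 or higher fails. It then compares a rescan with the original scan so that a fix which introduced a new finding is not mistaken for a pass. The findings, hosts and plugin identifiers are constructed, and the CVSS-to-rank mapping is an assumed policy, not one mandated by PCI DSS.

```python
"""Vulnerability scan triage and rescan verification.

Added example; not from the original guidance. Findings are simple records as a
scanner export would provide them. Two gates are applied:
  * internal scans: every finding ranked High or Critical under the entity's
    risk ranking (here CVSS-based, an assumed policy) must be resolved;
  * external (ASV) scans: any finding with CVSS >= 4.0 fails the scan.
All findings below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin_id: str   # scanner check identifier (constructed)
    cvss: float      # CVSS base score reported by the scanner
    title: str


def risk_rank(cvss: float) -> str:
    """Assumed entity risk ranking; PCI DSS lets the entity define its own."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def internal_blockers(findings):
    """Findings that must be resolved before an internal scan is considered passed."""
    return [f for f in findings if risk_rank(f.cvss) in ("High", "Critical")]


def asv_blockers(findings):
    """ASV Program Guide rule: any finding with CVSS >= 4.0 fails the scan."""
    return [f for f in findings if f.cvss >= 4.0]


def asv_passes(findings) -> bool:
    return not asv_blockers(findings)


def key(f: Finding):
    return (f.host, f.port, f.plugin_id)


def verify_rescan(original, rescan, blockers_fn):
    """Compare a rescan against the original scan under a given blocking rule.

    Returns (passed, still_open, newly_found):
      passed      - no blocking findings remain in the rescan
      still_open  - blocking findings from the original that are still present
      newly_found - blocking findings present only in the rescan (e.g. introduced by the fix)
    """
    orig_keys = {key(f) for f in original}
    rescan_blockers = blockers_fn(rescan)
    still_open = [f for f in rescan_blockers if key(f) in orig_keys]
    newly_found = [f for f in rescan_blockers if key(f) not in orig_keys]
    return (not rescan_blockers, still_open, newly_found)


# Constructed sample: quarterly internal scan of two CDE hosts.
ORIGINAL = [
    Finding("10.20.0.11", 443, "ssl-weak-cipher", 5.3, "TLS server supports weak cipher"),
    Finding("10.20.0.11", 22, "openssh-old", 7.5, "Outdated SSH daemon"),
    Finding("10.20.0.12", 445, "smb-rce", 9.8, "Remote code execution in SMB service"),
    Finding("10.20.0.12", 80, "http-banner", 0.0, "Web server version disclosed"),
]
# Rescan after patching: SSH fixed, SMB still open, and the patch run exposed a new High finding.
RESCAN = [
    Finding("10.20.0.11", 443, "ssl-weak-cipher", 5.3, "TLS server supports weak cipher"),
    Finding("10.20.0.12", 445, "smb-rce", 9.8, "Remote code execution in SMB service"),
    Finding("10.20.0.12", 8080, "mgmt-default-creds", 8.8, "Management interface uses default credentials"),
    Finding("10.20.0.12", 80, "http-banner", 0.0, "Web server version disclosed"),
]

if __name__ == "__main__":
    passed, still_open, new = verify_rescan(ORIGINAL, RESCAN, internal_blockers)
    print("internal rescan passed:", passed)
    for f in still_open:
        print("  still open:", f.host, f.port, f.title, risk_rank(f.cvss))
    for f in new:
        print("  new blocker:", f.host, f.port, f.title, risk_rank(f.cvss))
    print("would pass as ASV external scan:", asv_passes(RESCAN))
```

Passing `asv_blockers` instead of `internal_blockers` to `verify_rescan` applies the external-scan rule to the same comparison. The Medium finding in the sample is not a blocker for the internal gate, which is where the risk-based handling of lower-ranked vulnerabilities described above comes in, but it is a failing finding for an ASV scan.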
A penetration testing methodology ensures that penetration tests are comprehensive, consistent, and repeatable. Without a defined methodology, tests may miss critical vulnerabilities or provide inconsistent results.
The methodology should be documented and define the scope, approach, and reporting requirements for penetration tests. It should be based on industry-accepted approaches such as NIST SP 800-115, the OWASP Testing Guide, or PTES, and should cover the entire CDE perimeter and critical systems, testing from both inside and outside the network, validation of any segmentation and scope-reduction controls, application-layer testing (at a minimum for the vulnerabilities listed in Requirement 6.2.4), and network-layer testing that encompasses all components supporting network functions as well as operating systems. It should also require a review of threats and vulnerabilities experienced in the last 12 months, a documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during testing, and retention of test results and remediation activities for at least 12 months.
Internal penetration testing helps identify vulnerabilities that could be exploited by an insider or by an attacker who has gained access to the internal network. Internal tests complement vulnerability scans by testing for exploitability.
Internal penetration tests should be performed at least once every 12 months and after any significant infrastructure or application upgrade or change, following the entity's defined methodology. They may be performed by a qualified internal resource or a qualified external third party, provided the tester is organizationally independent of the environment being tested (a QSA or ASV is not required). Tests should attempt to exploit identified vulnerabilities to determine the actual impact, which is what distinguishes them from vulnerability scans.
External penetration testing helps identify vulnerabilities in externally facing systems that could be exploited by attackers from outside the network. External tests simulate real-world attack scenarios.
External penetration tests should be performed at least annually and after any significant changes to externally facing systems. Tests should be performed by qualified, experienced testers who are organizationally independent of the environment being tested.
Exploitable vulnerabilities discovered during penetration testing represent real risks to the environment. Correcting these vulnerabilities and retesting ensures that the risks have been effectively mitigated.
All exploitable vulnerabilities found during penetration testing should be corrected and the corrections verified through retesting. The retesting should confirm that the vulnerabilities can no longer be exploited.
If network segmentation is used to reduce the scope of the CDE, the effectiveness of that segmentation must be verified. If segmentation controls fail, the entire network may need to be considered in scope for PCI DSS.
Segmentation penetration tests should verify that the segmentation controls and methods are operational and effective, that they isolate the CDE from all out-of-scope systems, and that every segmentation control and method in use is covered. Tests should be performed at least once every 12 months and after any changes to segmentation controls or methods, following the entity's penetration testing methodology, by a qualified tester who is organizationally independent of the environment being tested.
Service providers face unique risks due to the volume of cardholder data they handle and the number of clients they support. More frequent segmentation testing helps ensure that segmentation controls remain effective.
Service providers should perform segmentation penetration testing at least every six months and after any significant changes to segmentation controls or methods. Results should be documented and any issues remediated promptly.
Multi-tenant service providers must ensure that their segmentation controls effectively isolate each customer's data and environment. Without effective segmentation, one customer's data could be accessible from another customer's environment.
Multi-tenant service providers should, in addition to supporting their customers' own external penetration testing, test the logical separation controls between customer environments at least once every six months. Tests should verify that one customer cannot access another customer's cardholder data or environment, in either direction, from a foothold inside a tenant environment.
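As an added example that is not part of the guidance, the following Python script evaluates a segmentation test from nmap's grepable (-oG) output. The probe itself is run from each out-of-scope network toward every CDE host or, for a multi-tenant provider, from one tenant's environment toward another's; this script then reports any port that responded. The nmap output, addresses and segment names are constructed samples, and treating "closed" as a violation is this example's assumption (a RST proves the packet reached the host, so the segmentation control did not filter it).

```python
"""Segmentation test verification from nmap grepable (-oG) output.

Added example; not from the original guidance. A segmentation test probes
every protected host and port from an out-of-scope (or other-tenant) segment.
This script reads the -oG output of such a probe and reports any port that was
reachable. The nmap output, hosts and segments below are constructed samples.
"""
import re

# Constructed: hosts that must be unreachable from the probing segment.
CDE_HOSTS = {"10.20.0.11", "10.20.0.12"}
TENANT_B_HOSTS = {"10.30.2.5"}

# Constructed -oG output of a probe run from the corporate (out-of-scope) LAN.
# A real run would be e.g.: nmap -Pn -p- -oG corp_to_cde.gnmap 10.20.0.0/24
CORP_TO_CDE = """\
# Nmap 7.94 scan initiated ... as: nmap -Pn -p 22,443,445,3389 -oG - 10.20.0.11 10.20.0.12
Host: 10.20.0.11 ()\tStatus: Up
Host: 10.20.0.11 ()\tPorts: 22/filtered/tcp//ssh///, 443/filtered/tcp//https///, 445/filtered/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
Host: 10.20.0.12 ()\tStatus: Up
Host: 10.20.0.12 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///
# Nmap done at ... -- 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# Constructed -oG output of a probe from tenant A's environment toward tenant B's host.
TENANT_A_TO_B = """\
Host: 10.30.2.5 ()\tStatus: Up
Host: 10.30.2.5 ()\tPorts: 22/filtered/tcp//ssh///, 443/filtered/tcp//https///
"""

PORT_RE = re.compile(
    r"(\d+)/(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)/(tcp|udp)")


def parse_gnmap(text):
    """Yield (host, port, proto, state) for every port entry in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        parts = line.split("Ports:", 1)
        if len(parts) < 2:          # "Status:" lines carry no port data
            continue
        for port, state, proto in PORT_RE.findall(parts[1]):
            yield host, int(port), proto, state


def segmentation_violations(text, protected_hosts):
    """Ports on protected hosts that were reachable from the probing segment.

    'open' is a definite failure. 'closed' (assumed here to count as well)
    means a RST came back, so the packet reached the host and only the lack
    of a listener stopped it. A correctly filtering control yields 'filtered'
    for every probe.
    """
    hits = []
    for host, port, proto, state in parse_gnmap(text):
        if host in protected_hosts and state in ("open", "closed"):
            hits.append({"host": host, "port": port, "proto": proto, "state": state})
    return hits


def segmentation_effective(text, protected_hosts) -> bool:
    return not segmentation_violations(text, protected_hosts)


if __name__ == "__main__":
    for label, output, targets in (("corp LAN -> CDE", CORP_TO_CDE, CDE_HOSTS),
                                   ("tenant A -> tenant B", TENANT_A_TO_B, TENANT_B_HOSTS)):
        hits = segmentation_violations(output, targets)
        print(label, "PASS" if not hits else "FAIL")
        for h in hits:
            print("  reachable:", h["host"], f'{h["port"]}/{h["proto"]}', h["state"])
```

A full test sweeps all 65535 TCP ports and the commonly used UDP ports from every out-of-scope segment, and the -oG files are kept with the test report as the evidence that each segmentation control in use was covered. Any reported hit is a finding to remediate and retest, exactly as for an exploitable vulnerability.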
A penetration testing methodology ensures that penetration tests are comprehensive, consistent, and repeatable. Without a defined methodology, tests may miss critical vulnerabilities or provide inconsistent results.
The methodology should define the scope, approach, and reporting requirements for penetration tests. It should be based on industry-accepted approaches such as NIST SP 800-115, OWASP Testing Guide, or PTES.
Internal penetration testing helps identify vulnerabilities that could be exploited by an insider or by an attacker who has gained access to the internal network. Internal tests complement vulnerability scans by testing for exploitability.
Internal penetration tests should be performed at least annually and after any significant changes to the infrastructure, applications, or network. Tests should attempt to exploit identified vulnerabilities to determine the potential impact.
External penetration testing helps identify vulnerabilities in externally facing systems that could be exploited by attackers from outside the network. External tests simulate real-world attack scenarios.
External penetration tests should be performed at least annually and after any significant changes to externally facing systems. Tests should be performed by qualified, experienced testers who are organizationally independent of the environment being tested.
Exploitable vulnerabilities discovered during penetration testing represent real risks to the environment. Correcting these vulnerabilities and retesting ensures that the risks have been effectively mitigated.
All exploitable vulnerabilities found during penetration testing should be corrected and the corrections verified through retesting. The retesting should confirm that the vulnerabilities can no longer be exploited.
If network segmentation is used to reduce the scope of the CDE, the effectiveness of that segmentation must be verified. If segmentation controls fail, the entire network may need to be considered in scope for PCI DSS.
Segmentation penetration tests should verify that segmentation controls effectively isolate the CDE from out-of-scope networks. Tests should be performed at least annually and after any changes to segmentation controls.
Service providers face unique risks due to the volume of cardholder data they handle and the number of clients they support. More frequent segmentation testing helps ensure that segmentation controls remain effective.
Service providers should perform segmentation penetration testing at least every six months and after any significant changes to segmentation controls or methods. Results should be documented and any issues remediated promptly.
Multi-tenant service providers must ensure that their segmentation controls effectively isolate each customer's data and environment. Without effective segmentation, one customer's data could be accessible from another customer's environment.
Multi-tenant service providers should test segmentation controls between customer environments. Tests should verify that one customer cannot access another customer's cardholder data or environment.
A penetration testing methodology ensures that penetration tests are comprehensive, consistent, and repeatable. Without a defined methodology, tests may miss critical vulnerabilities or provide inconsistent results.
The methodology should define the scope, approach, and reporting requirements for penetration tests. It should be based on industry-accepted approaches such as NIST SP 800-115, OWASP Testing Guide, or PTES.
Internal penetration testing helps identify vulnerabilities that could be exploited by an insider or by an attacker who has gained access to the internal network. Internal tests complement vulnerability scans by testing for exploitability.
Internal penetration tests should be performed at least annually and after any significant changes to the infrastructure, applications, or network. Tests should attempt to exploit identified vulnerabilities to determine the potential impact.
External penetration testing helps identify vulnerabilities in externally facing systems that could be exploited by attackers from outside the network. External tests simulate real-world attack scenarios.
External penetration tests should be performed at least annually and after any significant changes to externally facing systems. Tests should be performed by qualified, experienced testers who are organizationally independent of the environment being tested.
Exploitable vulnerabilities discovered during penetration testing represent real risks to the environment. Correcting these vulnerabilities and retesting ensures that the risks have been effectively mitigated.
All exploitable vulnerabilities found during penetration testing should be corrected and the corrections verified through retesting. The retesting should confirm that the vulnerabilities can no longer be exploited.
If network segmentation is used to reduce the scope of the CDE, the effectiveness of that segmentation must be verified. If segmentation controls fail, the entire network may need to be considered in scope for PCI DSS.
Segmentation penetration tests should verify that segmentation controls effectively isolate the CDE from out-of-scope networks. Tests should be performed at least annually and after any changes to segmentation controls.
Service providers face unique risks due to the volume of cardholder data they handle and the number of clients they support. More frequent segmentation testing helps ensure that segmentation controls remain effective.
Service providers should perform segmentation penetration testing at least every six months and after any significant changes to segmentation controls or methods. Results should be documented and any issues remediated promptly.
Multi-tenant service providers must ensure that their segmentation controls effectively isolate each customer's data and environment. Without effective segmentation, one customer's data could be accessible from another customer's environment.
Multi-tenant service providers should test segmentation controls between customer environments. Tests should verify that one customer cannot access another customer's cardholder data or environment.
A penetration testing methodology ensures that penetration tests are comprehensive, consistent, and repeatable. Without a defined methodology, tests may miss critical vulnerabilities or provide inconsistent results.
The methodology should define the scope, approach, and reporting requirements for penetration tests. It should be based on industry-accepted approaches such as NIST SP 800-115, OWASP Testing Guide, or PTES.
Internal penetration testing helps identify vulnerabilities that could be exploited by an insider or by an attacker who has gained access to the internal network. Internal tests complement vulnerability scans by testing for exploitability.
Internal penetration tests should be performed at least annually and after any significant changes to the infrastructure, applications, or network. Tests should attempt to exploit identified vulnerabilities to determine the potential impact.
External penetration testing helps identify vulnerabilities in externally facing systems that could be exploited by attackers from outside the network. External tests simulate real-world attack scenarios.
External penetration tests should be performed at least annually and after any significant changes to externally facing systems. Tests should be performed by qualified, experienced testers who are organizationally independent of the environment being tested.
Exploitable vulnerabilities discovered during penetration testing represent real risks to the environment. Correcting these vulnerabilities and retesting ensures that the risks have been effectively mitigated.
All exploitable vulnerabilities found during penetration testing should be corrected and the corrections verified through retesting. The retesting should confirm that the vulnerabilities can no longer be exploited.
If network segmentation is used to reduce the scope of the CDE, the effectiveness of that segmentation must be verified. If segmentation controls fail, the entire network may need to be considered in scope for PCI DSS.
Segmentation penetration tests should verify that segmentation controls effectively isolate the CDE from out-of-scope networks. Tests should be performed at least annually and after any changes to segmentation controls.
Service providers face unique risks due to the volume of cardholder data they handle and the number of clients they support. More frequent segmentation testing helps ensure that segmentation controls remain effective.
Service providers should perform segmentation penetration testing at least every six months and after any significant changes to segmentation controls or methods. Results should be documented and any issues remediated promptly.
Multi-tenant service providers must ensure that their segmentation controls effectively isolate each customer's data and environment. Without effective segmentation, one customer's data could be accessible from another customer's environment.
Multi-tenant service providers should test segmentation controls between customer environments. Tests should verify that one customer cannot access another customer's cardholder data or environment.
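One way to structure the segmentation tests described above, covering both the CDE isolation test and the multi-tenant customer-to-customer test, is to derive the set of zone pairs that must be proven unreachable from the zone inventory and then grade the tester's observed results against that set. The block below is an added example written for this page, not PCI SSC material or any tool's code; the zone names, the tenant list and the probe results are constructed samples. It reports violations (a pair that should be isolated but was reachable), pairs the test never exercised (a coverage gap that would leave the segmentation unverified), and an overall pass flag.

```python
"""Segmentation test coverage and evaluation (added example, not PCI SSC
material). Generates the zone pairs a segmentation penetration test must
prove isolated and checks observed reachability results against them.
Zone names and results below are constructed.
"""
from itertools import permutations

# Constructed zone inventory: name -> True if the zone is part of the CDE.
ZONES = {
    "cde-payment": True,
    "corp-office": False,
    "guest-wifi": False,
    "tenant-a": False,
    "tenant-b": False,
}
# Constructed: zones that are customer environments of a multi-tenant provider.
TENANTS = ["tenant-a", "tenant-b"]


def required_isolation_pairs(zones, tenants):
    """(src, dst) pairs that must be unreachable for the test to pass:
    every non-CDE zone -> every CDE zone, and every tenant -> every other tenant."""
    cde = [z for z, in_cde in zones.items() if in_cde]
    pairs = {(src, dst) for src, in_cde in zones.items() if not in_cde for dst in cde}
    pairs.update(permutations(tenants, 2))
    return pairs


# Constructed test results, one row per (src, dst, port) probe.
SAMPLE_RESULTS = [
    {"src": "corp-office", "dst": "cde-payment", "port": 443, "reachable": True},
    {"src": "corp-office", "dst": "cde-payment", "port": 22, "reachable": False},
    {"src": "guest-wifi", "dst": "cde-payment", "port": 443, "reachable": False},
    {"src": "tenant-a", "dst": "cde-payment", "port": 443, "reachable": False},
    {"src": "tenant-a", "dst": "tenant-b", "port": 3306, "reachable": False},
    {"src": "tenant-b", "dst": "tenant-a", "port": 3306, "reachable": False},
]


def evaluate(results, required):
    """Return violations (a required-isolated pair that was reachable), pairs
    the test never exercised, and an overall pass flag. A pair with any
    reachable probe is a violation even if other ports were blocked."""
    tested = {(r["src"], r["dst"]) for r in results}
    violations = [r for r in results if (r["src"], r["dst"]) in required and r["reachable"]]
    untested = sorted(required - tested)
    return {"violations": violations, "untested": untested,
            "pass": not violations and not untested}


if __name__ == "__main__":
    report = evaluate(SAMPLE_RESULTS, required_isolation_pairs(ZONES, TENANTS))
    for v in report["violations"]:
        print(f"VIOLATION {v['src']} -> {v['dst']}:{v['port']} reachable")
    for src, dst in report["untested"]:
        print(f"UNTESTED  {src} -> {dst}")
    print("PASS" if report["pass"] else "FAIL")
```

In the constructed data the corp-office to CDE pair is reachable on 443 and the tenant-b to CDE pair was never probed, so the report fails on both a violation and a coverage gap; the same matrix can be regenerated after any change to the zone inventory so the six-monthly or annual retest covers every pair.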
Intrusion-detection and/or intrusion-prevention techniques on the network help detect and/or prevent unauthorized access. Without these mechanisms, attackers may be able to access the CDE undetected.
IDS/IPS should be deployed at the perimeter of the CDE and at critical points within the network. Systems should be configured to detect and alert on, or prevent, all known attack signatures and anomalous network activity.
Keeping IDS/IPS systems current ensures they can detect the latest attack techniques. Outdated signatures or rules may fail to detect newer threats.
IDS/IPS signatures should be kept current through automatic updates. The systems should be configured to detect both known attacks (signature-based) and anomalous behavior (behavior-based) where possible.
Change-detection mechanisms such as file integrity monitoring (FIM) help detect unauthorized modifications to critical system files, configuration files, and content files. Unauthorized changes may indicate system compromise.
Change-detection mechanisms should be deployed to alert on unauthorized modifications to critical files. Comparisons should be performed at least weekly, and alerts should be generated for detected changes. Changes should be evaluated to determine if they are authorized.
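The change-detection workflow in the two paragraphs above (baseline critical files, compare on a schedule, alert, then decide whether each change was authorized) can be shown end to end in a few functions. The block below is an added example written for this page, not a FIM product or any PCI SSC material; the directory tree, its files and the list of approved changes are constructed in a temporary directory, and the weekly comparison schedule is left to whatever runs the script.

```python
"""File-integrity baseline and comparison (added example, not a product).

Hashes every regular file under a root, saves the baseline as JSON, and on a
later run reports modified, added and removed files. Paths changed through
approved change control are passed as an allow-list so the reviewer can
separate authorized from unauthorized changes. The tree in demo() is
constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative POSIX path -> {sha256, size, mode} for every regular file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict, authorized: set) -> dict:
    """Diff two snapshots; anything changed outside `authorized` is flagged."""
    common = baseline.keys() & current.keys()
    modified = {p for p in common if baseline[p] != current[p]}
    added = current.keys() - baseline.keys()
    removed = baseline.keys() - current.keys()
    return {
        "modified": sorted(modified),
        "added": sorted(added),
        "removed": sorted(removed),
        "unauthorized": sorted((modified | added | removed) - authorized),
    }


def demo() -> dict:
    """Baseline a constructed tree, apply one approved and three unapproved
    changes, reload the stored baseline and return the comparison report."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as s:
        root, store = Path(d), Path(s) / "baseline.json"
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "app.conf").write_text("debug=false\n")
        save_baseline(build_baseline(root), store)

        (root / "app.conf").write_text("debug=false\nlog=/var/log/app\n")  # approved change
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # not approved
        (root / "etc" / "hosts").unlink()                                   # not approved
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "new_job").write_text("@reboot /tmp/x\n")  # not approved

        return compare(load_baseline(store), build_baseline(root), authorized={"app.conf"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report separates what changed from what was authorized: the evaluation step in the text is the `unauthorized` list, and an empty list on a scheduled run is the evidence that nothing outside change control moved since the last baseline.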
E-commerce skimming attacks target payment pages to capture cardholder data. Unauthorized modifications to payment page scripts or HTTP headers can indicate that a skimming attack is in progress. Detecting these modifications helps prevent data theft.
A mechanism should be in place to detect unauthorized changes to HTTP headers and content of payment pages as received by the consumer browser. This may include monitoring for changes to scripts, content security policies, and other page elements. Alerts should be generated for unauthorized changes and investigated promptly.
Mechanisms for detecting changes include Content Security Policy (CSP) reporting, Subresource Integrity (SRI) checking, real-time monitoring of payment page content, and third-party monitoring services that detect changes to payment page scripts.
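Two of the mechanisms listed above, Subresource Integrity checking and Content Security Policy reporting, can be implemented as a small monitor that inspects the payment page as a browser would receive it. The block below is an added example written for this page, not PCI SSC material or any monitoring product's code; the page markup, the approved script body, the baseline and the CSP violation report are constructed samples, and the approved-host list is an assumption. It flags inline scripts, scripts not in the baseline, a missing or changed `integrity` attribute, a script body whose hash no longer matches its SRI value, an approved script that has disappeared, and CSP reports for script loads from unapproved hosts.

```python
"""Payment-page change detection (added example; not PCI SSC or vendor code).

Two checks that fit 11.6.1:
  1. Inventory the <script> elements of the page as the browser receives it,
     compare to an approved baseline of (src, SRI integrity), and verify each
     fetched script body against its SRI hash.
  2. Parse a CSP violation report and flag script loads from hosts outside
     the approved list.
The page, script body and report below are constructed samples.
"""
import base64
import hashlib
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value: '<algo>-<base64 digest of body>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def script_inventory(html: str) -> list:
    p = _ScriptCollector()
    p.feed(html)
    return p.scripts


def check_page(html: str, baseline: dict, fetched: dict) -> list:
    """baseline: {src: expected SRI value}; fetched: {src: script bytes}.
    Returns human-readable findings; an empty list means the page matches."""
    findings, seen = [], set()
    for s in script_inventory(html):
        src, integrity = s["src"], s["integrity"]
        if src is None:
            findings.append("inline script present on payment page")
            continue
        seen.add(src)
        if src not in baseline:
            findings.append(f"unapproved script src: {src}")
            continue
        if integrity != baseline[src]:
            findings.append(f"integrity attribute missing or changed: {src}")
        if src in fetched and sri_hash(fetched[src]) != baseline[src]:
            findings.append(f"script body does not match SRI hash: {src}")
    for src in sorted(baseline.keys() - seen):
        findings.append(f"approved script missing from page: {src}")
    return findings


def csp_report_findings(report_json: str, allowed_hosts: set) -> list:
    """Flag script-src violations whose blocked host is not approved."""
    r = json.loads(report_json).get("csp-report", {})
    directive = r.get("effective-directive") or r.get("violated-directive", "")
    if not directive.startswith("script-src"):
        return []
    host = urlsplit(r.get("blocked-uri", "")).netloc or r.get("blocked-uri", "")
    if host in allowed_hosts:
        return []
    return [f"CSP blocked script from {host!r} on {r.get('document-uri')}"]


# Constructed samples.
CHECKOUT_JS = b"window.checkout = function () { /* approved */ };"
BASELINE = {"/static/checkout.js": sri_hash(CHECKOUT_JS)}
SAMPLE_PAGE = (
    '<html><head>'
    f'<script src="/static/checkout.js" integrity="{BASELINE["/static/checkout.js"]}"></script>'
    '<script src="https://unknown.example.net/tag.js"></script>'
    '</head><body></body></html>'
)
SAMPLE_CSP_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example.com/checkout",
    "effective-directive": "script-src",
    "blocked-uri": "https://unknown.example.net/tag.js",
}})

if __name__ == "__main__":
    for f in check_page(SAMPLE_PAGE, BASELINE, {"/static/checkout.js": CHECKOUT_JS}):
        print("PAGE", f)
    for f in csp_report_findings(SAMPLE_CSP_REPORT, {"shop.example.com"}):
        print("CSP ", f)
```

The page check is only meaningful on the content the consumer's browser actually receives, so in practice the fetch would come from an external vantage point rather than from the web server's own filesystem; the CSP report path covers the case where a browser was served something the monitor never saw.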