PCI requirement 11: most common reason for non-compliance

The recently published Verizon PCI Compliance Report found that testing security systems (requirement 11) was the worst-performing area for most companies at an interim assessment. The study found that just 33% of companies passed all of the PCI DSS controls and testing procedures. Compliance in this area fell by 7% (from 40%) on the previous year. Moreover, just 9% of all breached organisations were compliant with this requirement.

What is PCI DSS requirement 11 about?

Requirement 11 mandates that “System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.”

Compliance with this requirement will help:

  • Identify unaddressed security issues
  • Test for the presence of wireless access points
  • Spot unauthorised system changes
  • Implement a penetration testing methodology
  • Correct exploitable vulnerabilities found during penetration testing
  • Cross-check the effects of other PCI DSS controls

The Verizon report stresses that: “Requirement 11 is fundamental to ensuring that the organization is prepared for the range of attack types reported in the 2014 Data Breach Investigations Report.”

Complying with requirement 11

Depending on the type of validation you are required to provide (ROC or SAQ), you need to fulfil the relevant sub-requirements of requirement 11 as shown in the table below.


Vulnerability scans and penetration tests

Vulnerability scans and penetration tests must be performed by qualified and, if applicable, independent resources. IT Governance is an approved QSA and CREST-accredited penetration testing provider, and offers a combination of fixed-price level 1 penetration tests/vulnerability assessments and bespoke penetration tests (level 2) that will help you meet all of the requirements of the PCI DSS.

For further guidance on the different types of penetration tests, please see our information page explaining the levels of penetration tests.