The recently published Verizon PCI Compliance Report found that testing security systems (requirement 11) was the worst-performing area for most companies at an interim assessment. The study found that just 33% of companies passed all of the PCI DSS controls and testing procedures. Compliance in this area fell by 7% (from 40%) on the previous year. Moreover, just 9% of all breached organisations were compliant with this requirement.
What is PCI DSS requirement 11 about?
Requirement 11 mandates that “System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.”
Compliance with this requirement will help:
- Identify unaddressed security issues
- Test for the presence of wireless access points
- Spot unauthorised system changes
- Implement a penetration testing methodology
- Correct exploitable vulnerabilities found during penetration testing
- Cross-check the effects of other PCI DSS controls
The Verizon report stresses that: “Requirement 11 is fundamental to ensuring that the organization is prepared for the range of attack types reported in the 2014 Data Breach Investigations Report.”
Complying with requirement 11
Depending on the type of validation you are required to provide (ROC or SAQ), you need to fulfil the relevant sub-requirements of requirement 11 as shown in the table below.
Vulnerability scans and penetration tests
Vulnerability scans and penetration tests must be performed by qualified and, if applicable, independent resources. IT Governance is an approved QSA and CREST-accredited penetration testing provider, and offers a combination of fixed-price level 1 penetration tests/vulnerability assessments and bespoke penetration tests (level 2) that will help you meet all of the requirements of the PCI DSS.
For further guidance on the different types of penetration tests, please see our information page explaining the levels of penetration tests.