Even though compliance with the PCI DSS continues to increase worldwide, many challenges remain for organisations meeting and maintaining their compliance obligations.
One of the compounding problems is that some organisations simply do not take a proactive approach to PCI compliance: they do not conduct periodic evaluations of their cardholder data environment between their annual compliance audits.
The core philosophy of the PCI DSS is to maintain continuous compliance, and to make the compliance programme part of ‘business as usual’.
Requirement 11 of the PCI DSS states that organisations should regularly and frequently carry out tests to identify unaddressed security issues and scan for rogue wireless networks.
The PCI DSS states that “vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.”
It isn’t always easy to understand which vulnerability scan or penetration test is actually necessary to maintain compliance with the PCI DSS. In addition, it isn’t always clear whether a full penetration test (level 2) is required, or whether a less in-depth (and less costly – level 1) test will suffice.
Fortunately, IT Governance has compiled a handy guideline for companies that need to comply with the PCI DSS that sets out all of the testing requirements in a simple table.
Find out which test will work for you
Find out which range of tests you should be taking to maintain compliance with the PCI DSS now.