PCI DSS Requirement 11: Test System & Network Security Regularly

System vulnerabilities can serve as an open door for attackers to walk right into secure systems and cause significant harm. The best prevention method is to consistently test system components, processes, and software to ensure the security controls in place are working effectively.

Likewise, it is important to think like an attacker - be diligent and thorough with penetration testing techniques - as this mimics the process attackers would take to enter your secure systems.

PCI DSS Requirement 11 details the guidelines for testing systems and networks for vulnerabilities.

For additional details on all 12 of the Requirements, read our PCI DSS Requirements overview.

Requirement 11 Details and Sections

Requirement 11 contains six sections that detail the means of securing account data by carefully assigning user permissions and access controls.

Detailed requirement sections include:

• Requirement 11.1: Processes and mechanisms for regularly testing security of systems and networks are defined and understood.
• Requirement 11.2: Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
• Requirement 11.3: External and internal vulnerabilities are regularly identified, prioritized, and addressed.
• Requirement 11.4: External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
• Requirement 11.5: Network intrusions and unexpected file changes are detected and responded to.
• Requirement 11.6: Unauthorized changes on payment pages are detected and responded to.

Requirement 11.1: Processes and mechanisms for regularly testing security of systems and networks are defined and understood.

Like other requirements found in PCI DSS 4.0, the first section of the requirement - 11.1 - explains the importance of creating and maintaining policies for adherence. These processes must be consistently monitored and updated whenever required, and all involved personnel must understand their responsibilities.

Detailed requirement sections include:

• Requirement 11.1.1: All security policies and operational procedures identified in Requirement 11 are documented, up-to-date, in use, and known to all affected personnel.
• Requirement 11.1.2: Roles and responsibilities for performing activities in Requirement 11 are documented, assigned, and understood.

Requirement 11.2: Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.

Exploiting wireless technology within a network is a common path for malicious users to gain unauthorized access to the network and cardholder data. These unauthorized devices can be easily hidden within a computer or other system component.

Therefore, it is crucial to maintain an inventory of authorized wireless access points for administrators to quickly respond when potential unauthorized wireless access points are detected. 

Detailed requirement sections include:

• Requirement 11.2.1: Authorized and unauthorized wireless access points are managed as follows:
  • Testing for the presence of wireless (Wi-Fi) access points
  • All authorized and unauthorized wireless access points are detected and identified
  • Testing, detection, and identification occurs at least once every three months
  • Personnel are notified via generated alerts if automated monitoring is used
• Requirement 11.2.2: An inventory of authorized wireless access points is maintained, including a documented business justification.

Requirement 11.3: External and internal vulnerabilities are regularly identified, prioritized, and addressed.

All vulnerabilities, no matter how critical, can provide a potential avenue for malicious parties to attack secured systems. Therefore, identifying and addressing these vulnerabilities promptly can reduce the likelihood of exploitation and potential system compromise.

Detailed requirement sections include:

• Requirement 11.3.1: Internal vulnerability scans are performed at least once every three months, as follows:
  • High-risk and critical vulnerabilities are resolved
  • Rescans are performed and confirm all high-risk and critical vulnerabilities have been resolved
  • Scanning tool is up-to-date with the latest vulnerability information
  • Qualified personnel independent of the organization perform scans
  • Requirement 11.3.1.1: All other applicable vulnerabilities are addressed based on the risk defined in the targeted risk analysis, and rescans are conducted as needed
  • Requirement 11.3.1.2: Internal vulnerability scans are performed via authenticated scanning as follows:
    • Systems that are unable to accept credentials for authenticated scanning are documented
    • Sufficient privileges are used for those systems that accept credentials for scanning
    • If accounts used for authenticated scanning can be used for interactive login, they are managed in accordance with Requirement 8.2.2.
  • Requirement 11.3.1.3: Internal vulnerability scans are performed after any significant change as follows:
    • High-risk and critical vulnerabilities are resolved
    • Rescans are conducted as needed
    • Scans are performed by qualified personnel independent of the organization (not required to be a QSA or ASV)
• Requirement 11.3.2: External vulnerability scans are performed at least once every three months as follows:
  • By a PCI SSC Approved Scanning Vendor (ASV)
  • Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met
  • Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan 
  • Requirement 11.3.2.1: External vulnerability scans are performed after any significant change as follows:
    • Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved
    • Rescans are conducted as needed
    • Scans are performed by qualified personnel independent of the organization (not required to be a QSA or ASV)

Requirement 11.4: External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.

All organizations should challenge their systems thoroughly, just as any attacker would do. Because attackers spend a significant amount of time trying to find vulnerabilities, the best prevention is to find and resolve these issues internally before an attacker can.

Detailed requirement sections include:

• Requirement 11.4.1: A penetration testing methodology is defined, documented, and implemented, and includes:
  • Industry-accepted penetration testing approaches
  • Coverage for the entire CDE perimeter and critical systems
  • Testing from both inside and outside the network
  • Testing to validate any segmentation and scope-reduction controls
  • Application-layer penetration testing to identify, at a minimum, the vulnerabilities listed in Requirement 6.2.4
  • Network-layer penetration tests that encompass all components that support network functions as well as operating systems
  • Review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing
  • Retention of penetration testing results and remediation activities results for at least 12 months 

• Requirement 11.4.2: Internal penetration testing is performed at least every 12 months:
  • Per the entity’s defined methodology
  • After any significant infrastructure or application upgrade or change
  • By a qualified internal resource or qualified external third-party
  • Organizational independence of the tester exists (not required to be a QSA or ASV). 
• Requirement 11.4.3: External penetration testing is performed:
  • Per the entity’s defined methodology
  • At least once every 12 months
  • After any significant infrastructure or application upgrade or change
  • By a qualified internal resource or qualified external third party
  • Organizational independence of the tester exists (not required to be a QSA or ASV)
• Requirement 11.4.4: Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows:
  • In accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6.3.1
  • Penetration testing is repeated to verify the corrections
• Requirement 11.4.5: If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows:
  • At least once every 12 months and after any changes to segmentation controls
  • Covering all segmentation controls in use
  • According to the organization’s defined penetration testing methodology
  • Confirming that the segmentation controls are operational and effective, and isolate the CDE from all out-of-scope systems
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3)
  • Performed by a qualified internal resource or qualified external third party
  • Organizational independence of the tester exists (not required to be a QSA or ASV)
• Requirement 11.4.6 Additional requirement for service providers only: If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows:
  • At least once every six months and after any changes to segmentation controls
  • Covering all segmentation controls in use
  • According to the entity’s defined penetration testing methodology
  • Confirming that the segmentation controls are operational and effective, and isolate the CDE from all out-of-scope systems
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3).
  • Performed by a qualified internal resource or qualified external third party.
  • Organizational independence of the tester exists (not required to be a QSA or ASV)
• Requirement 11.4.7: Additional requirement for multi-tenant service providers only: Multi-tenant service providers support their customers for external penetration testing per Requirement 11.4.3 and 11.4.4. 

Requirement 11.5: Network intrusions and unexpected file changes are detected and responded to.

Intrusion-detection and intrusion-prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” of thousands of compromise types, and then send alerts or stop the attempt as it happens. Without a proactive approach to detect unauthorized activity, attacks on computer resources could go unnoticed for long periods of time with detrimental impacts on the CDE. 

Detailed requirement sections include:

• Requirement 11.5.1: Intrusion-detection and intrusion-prevention techniques are used to detect or prevent intrusions into the network as follows:
  • All traffic is monitored at the perimeter and critical points of the CDE
  • Employees are alerted to suspected compromises
  • All intrusion-detection and prevention engines, baselines, and signatures are kept up to date
  • Requirement 11.5.1.1 Additional requirement for service providers only: Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. 
• Requirement 11.5.2: A change-detection mechanism is deployed as follows:
  • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files
  • To perform critical file comparisons at least once weekly

Requirement 11.6: Unauthorized changes on payment pages are detected and responded to. 

Unauthorized changes to payment pages could be the result of a skimming attack, where attackers can compromise script elements to “skim” the information being input. Checking and reviewing any violations to the content security policy (CSP) on a regular schedule can help prevent and catch such attacks.

Detailed requirement sections include:

• Requirement 11.6.1: A change- and tamper-detection mechanism is deployed as follows:
  • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser
  • The mechanism is configured to evaluate the received HTTP header and payment page
  • The mechanism functions are performed at least once every seven days or periodically

How Basis Theory can help you Satisfy PCI DSS Requirement 11

Securing cardholder data in a CDE satisfies many PCI DSS requirements and provides companies greater control and flexibility over their payment stack. However, building and maintaining the necessary infrastructure and programs can require hundreds of thousands of dollars and months to implement and assess. Basis Theory provides the platform, infrastructure, and tools to secure cardholder data in minutes and without these costs and distractions.

As a PCI Level 1 compliant service provider, Basis Theory extends an independently assessed and approved CDE to customers. Combined with a suite of configurable tools, services, and tokens, companies can collect, secure, and share credit cards without bringing their systems into scope. This approach allows companies to avoid the costs and distractions associated with 95% of the requirements in the Payment Card Industry Data Security Standard (PCI DSS) while retaining complete control over their cardholder data.