PCI compliance requirement 11: TestingDate: Jun 01, 2009
Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 11: "Regularly test security systems and processes." To meet PCI compliance requirement 11, you must:
- Conduct required quarterly tests, like wireless and external scans
- Conduct required annual tests, including penetration tests
The compliance experts also review common questions that they hear when doing their QSA work, including what exactly is meant by a 'penetration test' and what role file integrity monitoring can play when addressing the requirement.
Watch the rest of the PCI compliance videos, as Ed and Diana review what each particular requirement calls for.
Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:
- Version 1.2 of PCI DSS answers questions, raises others
- PCI version 1.2 clarifications: How to get an early start on compliance audits
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
PCI compliance requirement 11: Testing
Ed Moyle: I'm Ed Moyle and I am a QSA, or a Qualified Security Assessor and this is...
Diana Kelley: I'm Diana Kelley and I'm a partner at Security Curve.
Ed Moyle: So, welcome back.
Diana Kelley: Alright, very popular one, testing. You have to
the systems and the processes. It sounds pretty straight forward but you, actually,
have to go out and do the testing or hire somebody to do the testing for you.
So you want to do your scanning of your in-house payment systems as well as the
wireless systems that you're using.
Ed Moyle: Absolutely, absolutely and as far as, who can do
these tests for your
quarterly testing? That's definitely going to be an ASV, or an Approved Scanning Vendor.
They have a yearly penetration test that's required; the actual specifics of who needs
to do that are not thoroughly or entirely spelled out within the standard itself.
Generally speaking, what I look for, from this, is the typical
Tiger Team kind of thing,
where you either hire somebody to come in or you have internal staff who, actually,
try to do a black box penetration test on an annual basis. And file integrity monitoring,
we just talked about it but people say, "Hey, you like Tripwire?" It, actually,
I think, used to say Tripwire.
Diana Kelley: It did in the first version but the question is,
does it have to be Tripwire because
there's absolutely no product that specified it or endorsed by the council.
Ed Moyle: There's also...
Diana Kelley: We do have file integrity monitoring from another
Ed Moyle: Sure, yeah. There are a ton of products that do this.
Diana Kelley: It's just a matter of testing to make sure that
you know those
files maintain their integrity. The quick hits on these are major intrusion detection,
do the integrity monitoring and make sure that not only do you have the tests done,
but also, that you keep a record of when those tests are done.