PCI compliance requirement 11: Testing

Date: Jun 01, 2009

Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 11: "Regularly test security systems and processes." To meet PCI compliance requirement 11, you must:


  • Conduct required quarterly tests, like wireless and external scans
  • Conduct required annual tests, including penetration tests

The compliance experts also review common questions that they hear when doing their QSA work, including what exactly is meant by a 'penetration test' and what role file integrity monitoring can play when addressing the requirement.

Watch the rest of the PCI compliance videos, as Ed and Diana review what each particular requirement calls for.


Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.

PCI compliance requirement 11: Testing

Ed Moyle: I'm Ed Moyle and I am a QSA, or a Qualified Security Assessor and this is...

Diana Kelley: I'm Diana Kelley and I'm a partner at Security Curve.

Ed Moyle: So, welcome back.

Diana Kelley: Alright, a very popular one, testing. You have to regularly test
the systems and the processes. It sounds pretty straightforward, but you actually
have to go out and do the testing, or hire somebody to do the testing for you.
So you want to do your scanning of your in-house payment systems as well as the
wireless systems that you're using.

Ed Moyle: Absolutely, absolutely. And as far as who can do these tests for your
quarterly testing, that's definitely going to be an ASV, or an Approved Scanning Vendor.
They have a yearly penetration test that's required; the actual specifics of who needs
to do that are not thoroughly or entirely spelled out within the standard itself.

Generally speaking, what I look for from this is the typical Tiger Team kind of thing,
where you either hire somebody to come in or you have internal staff who actually
try to do a black box penetration test on an annual basis. And file integrity monitoring,
we just talked about it, but people say, "Hey, you like Tripwire?" It actually,
I think, used to say Tripwire.

Diana Kelley: It did in the first version, but the question is, does it have to be Tripwire? Because
there's absolutely no product that's specified or endorsed by the council.

Ed Moyle: There's also...

Diana Kelley: We do have file integrity monitoring from another source that's
perfectly acceptable.

Ed Moyle: Sure, yeah. There are a ton of products that do this.

Diana Kelley: It's just a matter of testing to make sure that you know those
files maintain their integrity. The quick hits on these are major intrusion detection,
do the integrity monitoring, and make sure that not only do you have the tests done,
but also that you keep a record of when those tests are done.
