PCI DSS Requirement 11: Regularly test security systems and processes

Craig Norris explains why internal and external network scans are necessary to complete Requirement 11 of the PCI Data Security Standard, one that frequently baffles security professionals.

Many organizations perform little or no regular testing on the adequacy of the security controls governing their network and Internet-facing Web site applications. Failure to periodically run internal and external network scans to identify weaknesses can prove costly when back doors are left open to hackers and malicious code. Organizations may be protected at a given moment, but new vulnerabilities appear daily, which is why networks should be consistently patched and hardened. According to the National Vulnerability Database provided by the Department of Homeland Security's National Cyber Security Division, an average of 19 new vulnerabilities are posted to the Internet every day.

One good example of the need for the regular testing of systems and processes is the recent data security breach at TJX Companies Inc. The TJX breach was ultimately caused by an insecure wireless network. According to a Wall Street Journal report, investigators believe that the hacker was able to use a laptop and a telescope-shaped antenna to bypass older security technology and penetrate the wireless LAN. The $17.4-billion retailer's wireless network had less security than many people have on their home networks. For 18 months, TJX had no knowledge that it had been compromised, allowing malicious hackers to download at least 45.7 million credit and debit card numbers.

How to pass PCI requirement 11:

When it comes to scanning your information systems for vulnerabilities, make certain to use tools and techniques that expose vulnerabilities in devices on wired or wireless networks. There are an enormous number of security risks linked to wireless protocols, weak encryption methods and the lack of employee security awareness. Cracking methods have become much more advanced and can be carried out with open source tools freely available on the Web.

A substantial number of successful attacks are carried out against systems that do not get patched with the latest security updates. In addition to a systematic patching process, the greatest protection against network and application security threats is the consistent use of vulnerability scanners that can see all of the applications and devices on a network, identify vulnerabilities and supply remediation information. Nevertheless, scanning the corporate network for vulnerabilities will not reveal everything, and may only uncover issues that are already known or have at least already been discovered. Scanning, though helpful, does not necessarily offer what a real, attack-like penetration testing program provides.


To understand its readiness, it is imperative (and required by the PCI DSS) that an organization perform an annual penetration test on its information systems, measuring how well the systems can endure an attack. This type of test actually exploits vulnerabilities to better quantify the true risk of any particular finding. According to a report found in The Retail Data Security 2005 Benchmark Study, only 51% of retailers perform network penetration testing. A frightening 14% of the survey respondents indicated that they had suffered a customer data security breach. Vulnerability scanning provides a look into known weaknesses, but does not address the elements of a successful intrusion. Your testing should include a deeper dive that will bring to light the real threats to your organization's assets.

Furthermore, when it comes to testing processes, all changes that could affect ingress and egress filter rules should go through a formal process before adjustments are made to firewalls, routers, VPNs and WLAN devices. These changes should be reviewed carefully for proper justification, and management must be made aware of any newly discovered security risks. Information systems environments will always have to change in order to help the business achieve its objectives; therefore, all changes must continually be reviewed and fully documented.
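One way to verify that filter-rule changes actually went through the formal process, as an added example rather than code from the article: compare the running ruleset with the approved baseline and flag any added or removed rule that has no entry in the change log. The one-rule-per-line format, the ticket identifier and all sample rulesets are constructed for the example.

```python
"""Flag firewall rule changes that lack a documented change ticket.

Added example, not from the article. Assumes a simplified one-rule-per-line
format: <action> <direction> <proto> <src> <dst> <port>. All data is constructed.
"""


def parse_rules(text):
    """Parse a ruleset into a set of field tuples; blanks and '#' lines are skipped."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = tuple(line.split())
            if len(fields) != 6:
                raise ValueError(f"malformed rule: {line!r}")
            rules.add(fields)
    return rules


def reconcile(baseline_text, current_text, change_log):
    """Return (kind, rule) pairs for added/removed rules with no ticket in change_log."""
    baseline, current = parse_rules(baseline_text), parse_rules(current_text)
    documented = {tuple(entry["rule"].split()) for entry in change_log}
    flagged = [("added", " ".join(r)) for r in sorted(current - baseline) if r not in documented]
    flagged += [("removed", " ".join(r)) for r in sorted(baseline - current) if r not in documented]
    return flagged


# Constructed sample: approved baseline, running config, and the change log.
# Only the removal of the outbound DNS rule went through the formal process.
BASELINE = """
allow in  tcp any        10.0.1.10 443
allow out tcp 10.0.0.0/8 any       443
allow out udp 10.0.0.0/8 any       53
deny  in  any any        any       any
"""
CURRENT = """
allow in  tcp any        10.0.1.10 443
allow out tcp 10.0.0.0/8 any       443
allow in  tcp any        10.0.1.20 3389
deny  in  any any        any       any
"""
CHANGE_LOG = [{"rule": "allow out udp 10.0.0.0/8 any 53", "ticket": "CHG-0001 (constructed)"}]

if __name__ == "__main__":
    for kind, rule in reconcile(BASELINE, CURRENT, CHANGE_LOG):
        print(f"UNDOCUMENTED {kind}: {rule}")
```

Running it reports the new inbound 3389 rule as undocumented while the ticketed DNS removal passes; the same reconciliation can be scheduled against each device's exported config so that unreviewed changes surface between audits.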

Craig Norris, CISSP, CISA, G7799, MCSE, Security+, CAPM, TICSA, is a Regional Engagement Manager at an IT consulting firm in Dallas. He has been involved with information technology and security for over 12 years. He can be contacted via [email protected].
This was last published in September 2007