Updates to Vulnerability Scanning Requirements for PCI Requirement 11

Complying with PCI DSS requirement 11 deals with vulnerability scanning and penetration testing, with additional requirements to scan your ecommerce sites being introduced with PCI v4.0.


What is Vulnerability Scanning? 

A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. 

PCI DSS requires two independent methods of PCI scanning: internal and external scanning. An external vulnerability scan is performed from a perspective outside of your network, and it identifies known weaknesses in network structures or applications exposed directly to the Internet. An internal vulnerability scan is performed within your network, behind the firewall and other perimeter security devices in place, to search for vulnerabilities on internal hosts that could be exploited in a pivot attack.

Typically, these vulnerability scans generate an extensive report of the vulnerabilities found and provide references for further research on each one. Some vulnerability scanning vendors (like SecurityMetrics) even offer directions for fixing the problem.

See also: Vulnerability Scanning FAQ

What is a Penetration Test? 

Just like a hacker, penetration testers analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors). In simple terms, analysts attempt to break into your company’s network to find security holes.

The time it takes to conduct a penetration test varies based on network size, network complexity, number of exposed applications, and the number of penetration test staff members assigned to attack your exposed systems. A small environment can be completed in a few days, but a large environment can take several weeks.

Typically, penetration test reports contain a long, detailed description of attacks used, testing methodologies, and suggestions for remediation.

What is the difference between vulnerability scanning and penetration testing?

Penetration testing and vulnerability scanning are often confused for the same service. The problem is, business owners purchase one when they really need the other. 

While a vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities, a penetration test is a thorough, live examination designed to exploit weaknesses in a system. A vulnerability scan will report on potential vulnerabilities while a penetration test is designed to go beyond reporting and exploit vulnerabilities. Penetration tests discover what other security issues could be pivoted to after exploiting an issue.

See also: Pentesting vs. Vulnerability Scanning: What's the Difference?

While vulnerability scanning and penetration testing are not new to the PCI standard, there have been some updates in the latest version.

PCI 4.0 Changes 

PCI DSS 4.0.1 Requirement 11

Requirement 11.3.1.2 (March 31, 2025)

Internal vulnerability scanning must now be authenticated. This means that it's not just a scan of ports and services; now, if a service is exposed that requires a credential to access it (e.g., a web app or exposed login port to a system), you need to use those credentials to gain access and test the authenticated port or service. 

An important part of this new requirement is that the credentials used by the vulnerability assessment (VA) scanner must be entered into the scanning system and stored securely. This will have to be a feature of the VA scanning solution, and it is something to check carefully with your vendor.

Requirement 11.3.2

Although SAQ A merchants were not previously required to perform vulnerability scans, they will now have to conduct them. This requirement could be confusing or frustrating for merchants that have never needed to scan before. Getting help with setting up scans will reduce their chance of failing the first time.

11.3.2 External vulnerability scans are performed as follows:

  • At least once every three months.
  • By PCI SSC Approved Scanning Vendor (ASV).
  • Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.
  • Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.

Requirement 11.5.1.1 (March 31, 2025)

Another requirement change concerns the IDS/IPS systems used by service providers. These systems must detect and alert on any covert malware communication channels in use (e.g., DNS tunneling). This may require a change to the IDS/IPS system you are currently using.
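To make the DNS tunneling case concrete, here is an added example (not code from the article or from any IDS/IPS product it mentions) of the kind of heuristic an IDS applies to DNS query logs: tunnels pack data into long, high-entropy leftmost labels and tend to use TXT or NULL records, so a client that sends many distinct encoded labels under one domain is flagged. The log format, every domain name and IP address, and the thresholds are all constructed for this example.

```python
# Added example, not code from the article or from any IDS/IPS product it
# mentions: a heuristic detector for DNS-tunneling-style covert channels of the
# kind PCI DSS 11.5.1.1 expects IDS/IPS to alert on. Log format, domain names,
# addresses and thresholds are all constructed for this example.
import math
from collections import defaultdict

# Constructed sample query log: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2025-03-31T10:00:01Z 10.0.1.5 A www.example.com
2025-03-31T10:00:02Z 10.0.1.5 A static-assets-eu-west-1.example.com
2025-03-31T10:00:03Z 10.0.1.5 AAAA mail.example.com
2025-03-31T10:00:04Z 10.0.1.7 TXT 3a9f1c0e7b2d4685e72b9d1f4a6c0835.t.example.net
2025-03-31T10:00:05Z 10.0.1.7 TXT 5c8e2a0d7f3b9164b1d6f03a8c5e2794.t.example.net
2025-03-31T10:00:06Z 10.0.1.7 TXT 49e0a3c7f1b6d285d2675be0a9f14c38.t.example.net
2025-03-31T10:00:07Z 10.0.1.7 TXT 6f0c3d91a5b7e2488e4a2f5c1d06b973.t.example.net
2025-03-31T10:00:08Z 10.0.1.7 TXT c35b7e9f0246a1d817d40b6ea2c9583f.t.example.net
2025-03-31T10:00:09Z 10.0.1.7 A www.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; high values suggest encoded payload data."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_encoded_label(label: str, min_len: int = 30, min_entropy: float = 3.5) -> bool:
    """Heuristic: tunnels carry data in long, high-entropy leftmost labels."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_line(line: str):
    """Split one constructed log line into (client, qtype, qname) or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def detect_dns_tunneling(log_text: str, min_unique: int = 5) -> list:
    """One finding per (client, domain) whose queries carry at least
    `min_unique` distinct encoded leftmost labels."""
    stats = defaultdict(lambda: {"encoded": set(), "queries": 0, "txt_null": 0})
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        client, qtype, qname = parsed
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # nothing to the left of the registrable domain
        # Simplification: treat the last two labels as the registrable domain.
        domain = ".".join(labels[-2:])
        entry = stats[(client, domain)]
        entry["queries"] += 1
        if qtype in ("TXT", "NULL"):
            entry["txt_null"] += 1
        if is_encoded_label(labels[0]):
            entry["encoded"].add(labels[0])
    findings = []
    for (client, domain), entry in sorted(stats.items()):
        if len(entry["encoded"]) >= min_unique:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_encoded_labels": len(entry["encoded"]),
                "queries": entry["queries"],
                "txt_or_null_queries": entry["txt_null"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect_dns_tunneling(SAMPLE_DNS_LOG):
        print(f"ALERT possible DNS tunnel: {finding}")
```

On the sample log the benign client (10.0.1.5) produces no finding, even with a longish label such as `static-assets-eu-west-1`, while the client querying five distinct 32-character hex labels under `example.net` over TXT is reported. A production IDS would also use a public-suffix list rather than the two-label simplification, and would tune the thresholds against baseline traffic to limit false positives.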

Requirement 11.6.1 (March 31, 2025)

Probably one of the biggest changes in Requirement 11 was the addition of a requirement to implement a change and tamper detection mechanism for any payment page, or any web page containing an iframe that displays a third-party payment page. This addition is a direct result of the increase in ecommerce skimming compromises seen in recent years on payment pages and on pages whose iframes show payment pages.

Before March 31, 2025, companies will have to deploy a solution that detects changes to those pages (e.g., script additions, or changes to known scripts and code).
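The following is an added example (not code from the article or from any tamper-detection product) of the baseline-and-compare approach such a solution takes: fingerprint every script and payment iframe on a known-good capture of the checkout page, then alert on anything added or removed in a later capture. Both HTML documents and every URL in them are constructed for this example.

```python
# Added example, not code from the article or from any tamper-detection product:
# a baseline-and-compare check for the scripts and payment iframes on a checkout
# page, the kind of change detection PCI DSS 11.6.1 asks for. Both HTML
# documents and every URL in them are constructed for this example.
import hashlib
from html.parser import HTMLParser

# Constructed known-good page, captured when the page was last reviewed.
BASELINE_HTML = """<html><head>
<script src="https://js.payments.example/v1/checkout.js" integrity="sha384-BASELINEDIGEST"></script>
<script>window.checkoutConfig = {"currency": "USD"};</script>
</head><body>
<iframe src="https://pay.example/hosted-form"></iframe>
</body></html>"""

# Constructed later capture: one unknown external script added and the inline
# config script altered; the payment iframe itself is untouched.
CURRENT_HTML = """<html><head>
<script src="https://js.payments.example/v1/checkout.js" integrity="sha384-BASELINEDIGEST"></script>
<script src="https://static.example.invalid/analytics.js"></script>
<script>window.checkoutConfig = {"currency": "USD", "debug": true};</script>
</head><body>
<iframe src="https://pay.example/hosted-form"></iframe>
</body></html>"""


class PageFingerprinter(HTMLParser):
    """Collect one (kind, identifier, integrity) tuple per script and iframe."""

    def __init__(self):
        super().__init__()
        self.fingerprints = []
        self._script_buf = None  # text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                # External script: identify by URL plus any declared SRI digest.
                self.fingerprints.append(("script", a["src"], a.get("integrity") or ""))
                self._script_buf = None
            else:
                self._script_buf = []
        elif tag == "iframe" and a.get("src"):
            self.fingerprints.append(("iframe", a["src"], ""))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            # Inline script: identify by the SHA-256 of its body.
            body = "".join(self._script_buf).strip()
            digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
            self.fingerprints.append(("inline", digest, ""))
            self._script_buf = None


def fingerprint_page(html: str) -> set:
    parser = PageFingerprinter()
    parser.feed(html)
    parser.close()
    return set(parser.fingerprints)


def compare_to_baseline(baseline_html: str, current_html: str) -> dict:
    """Anything added to or removed from the baseline is an alert condition."""
    base, cur = fingerprint_page(baseline_html), fingerprint_page(current_html)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


if __name__ == "__main__":
    result = compare_to_baseline(BASELINE_HTML, CURRENT_HTML)
    for kind, ident, _ in result["added"]:
        print(f"ALERT: new {kind} on payment page: {ident}")
    for kind, ident, _ in result["removed"]:
        print(f"ALERT: {kind} changed or removed: {ident}")
```

Run against the two captures, the check reports the unknown `analytics.js` as a new script and the modified inline configuration as one inline script removed and one added, while the unchanged iframe is silent. In practice the page is fetched on a schedule from outside the cardholder environment so the check sees what a customer's browser would receive, and each alert is reviewed against the change-control record before the baseline is updated.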

This is an excellent addition to the standard and is absolutely needed for e-commerce.

Conclusion

Vulnerability scans and penetration tests work together to encourage optimal network security. Vulnerability scans provide valuable weekly, monthly, or quarterly insight into your network security, while penetration tests are a more thorough assessment of your overall information security posture.

Remembering that PCI DSS is a protection for your business and is intended to keep you safe from threat actors can help you frame PCI compliance as a positive experience instead of a checklist item.
