Author Archive

When Will I Be Asked To Comply With PCI DSS?

A reader recently submitted the following question to Ask PCI DSS Guru:

“When will merchants be contacted with the questionnaire for compliance? I have had card processing for 8 years and have never been contacted previously.”

(continue reading…)


Penetration Testing and PCI DSS

PCI DSS Requirement 11.3 specifies that all organizations that store, process or transmit cardholder data must include penetration tests in their information security program. These tests are separate and distinct from the vulnerability scans required by Requirement 11.2: a scan enumerates known weaknesses with an automated tool, while a penetration test attempts to exploit them to show what an attacker could actually reach.

Back in 2008, the PCI Security Standards Council released a set of clarifications to the penetration testing requirement that directly answered some of the most common questions. The release of PCI DSS 2.0 in 2010 added further guidance on these tests. Below, we address some of the most commonly asked questions about PCI DSS penetration tests.

What must PCI DSS penetration tests include?

The standard requires that penetration tests cover two layers: network-layer penetration tests (Requirement 11.3.1) and application-layer penetration tests (Requirement 11.3.2). While the composition of the network-layer tests is largely left to the discretion of the tester, the standard specifies that the following elements must be included in the application-layer tests:

(continue reading…)


PCI DSS Vulnerability Scanning Requirements

The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants accepting credit cards conduct regular vulnerability scans of their environment in order to identify potential security flaws. Merchants often have questions about the scanning requirements and we provide the answers to some of the most commonly asked questions below. If you don’t see your question answered, feel free to ask it in the comments section!

What vulnerability scans does PCI DSS require?

PCI DSS Requirement 11.2 requires that merchants perform both internal and external vulnerability scans at least quarterly, and again after any significant change to the network, so that the cardholder data environment continues to meet current security standards. The standard requires two different types of vulnerability scan:

  • External scans are performed from outside your organization’s network by an Approved Scanning Vendor (ASV) and must cover every externally facing IP address in scope. These scans show you the vulnerabilities an attacker might exploit to gain an initial foothold on your network; under the ASV program, any finding with a CVSS base score of 4.0 or higher causes the scan to fail.
  • Internal scans take place from a sufficient number of locations within your network to assess the security posture of every system in the cardholder data environment. They give an inside view of your security and point out the flaws an attacker could exploit after gaining initial access to your network.
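The scan only supports compliance if it actually reached everything in scope, so the first thing to check on a scan report is coverage: every declared external address was probed, every system on the CDE inventory was probed, and nothing outside the declared scope was probed by mistake. The following is an added example written for this page; it is not code from PCI DSS Guru or from any scanner vendor, and the address ranges, the host inventory and the one-line-per-host report format are constructed for illustration.

```python
"""Scope-coverage check for PCI DSS vulnerability scans.

Added example for this page; not code from PCI DSS Guru or any scanner
vendor. The address ranges, the host inventory and the scan report below
are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical external address space, as it would be declared to the ASV.
# Every address in these ranges must appear in the external scan.
EXTERNAL_SCOPE = ["203.0.113.0/28", "198.51.100.40/32"]

# Hypothetical inventory of systems inside the cardholder data environment.
# Internal scans are checked against the asset list rather than whole
# subnets, because the question is whether every CDE host was reached.
CDE_INVENTORY = {
    "10.10.5.10": "card-db-01",
    "10.10.5.11": "payment-app-01",
    "10.10.5.12": "pos-gateway-01",
    "10.10.6.3": "cde-jump-01",
}

# Constructed scan report in this example's own format:
# "<external|internal> <ip> <up|down>". A host counts as scanned whether or
# not it answered; what matters is that the scanner targeted it.
SCAN_REPORT = """\
external 203.0.113.1 up
external 203.0.113.2 up
external 203.0.113.5 down
external 198.51.100.40 up
external 192.0.2.77 up
internal 10.10.5.10 up
internal 10.10.5.11 up
internal 10.10.6.3 up
internal 10.10.6.200 up
"""


@dataclass
class Coverage:
    """Expected versus actually scanned addresses for one scan type."""
    expected: set
    scanned: set

    @property
    def missing(self):
        """In scope but never scanned: the scan cannot support compliance."""
        return self.expected - self.scanned

    @property
    def unexpected(self):
        """Scanned but outside the declared scope: the scope document is
        stale, or the scanner was pointed at an address that is not yours."""
        return self.scanned - self.expected

    @property
    def complete(self):
        return not self.missing


def expand_ranges(cidrs):
    """All addresses a scanner is expected to probe for the given ranges.
    Network and broadcast addresses are skipped for ordinary prefixes;
    /31 and /32 have no such addresses, so every address counts."""
    addrs = set()
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        addrs.update(net.hosts() if net.prefixlen < 31 else net)
    return addrs


def parse_report(text):
    """Return {'external': {ip, ...}, 'internal': {ip, ...}} from the report."""
    scanned = {"external": set(), "internal": set()}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, ip, _status = line.split()
        scanned[kind].add(ipaddress.ip_address(ip))
    return scanned


def check_external(cidrs, scanned_ips):
    return Coverage(expand_ranges(cidrs), set(scanned_ips))


def check_internal(inventory, scanned_ips):
    expected = {ipaddress.ip_address(ip) for ip in inventory}
    return Coverage(expected, set(scanned_ips))


def report(coverage, label):
    """Summary lines for a log or a QSA evidence file."""
    lines = [f"{label}: {len(coverage.scanned)} scanned, "
             f"{len(coverage.expected)} expected, "
             f"{'complete' if coverage.complete else 'INCOMPLETE'}"]
    lines += [f"  missing    {ip}" for ip in sorted(coverage.missing)]
    lines += [f"  unexpected {ip}" for ip in sorted(coverage.unexpected)]
    return lines


if __name__ == "__main__":
    found = parse_report(SCAN_REPORT)
    for line in report(check_external(EXTERNAL_SCOPE, found["external"]), "external"):
        print(line)
    for line in report(check_internal(CDE_INVENTORY, found["internal"]), "internal"):
        print(line)
```

On the constructed data the external scan is incomplete (eleven of the fifteen declared addresses were never probed, and 192.0.2.77 was probed although it is not in scope), and the internal scan missed the POS gateway while reaching 10.10.6.200, a host nobody put on the CDE inventory. Both "unexpected" cases deserve a look before the next scan: either the scope document is wrong or something is on the network that should not be.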

(continue reading…)


PCI DSS Requirement 11.1: Wireless Network Scans and Rogue Access Points

PCI DSS Requirement 11.1 requires you to check the cardholder data environment for unauthorized wireless access points at least quarterly, either by surveying the premises with a wireless analyzer or by deploying a wireless IDS/IPS that monitors continuously. The text of the requirement reads: “Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.” Note that the requirement applies even if your organization does not use wireless networking at all: its purpose is to find the rogue access point somebody plugged into your network, not just to audit the wireless you sanction.
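Whichever tool does the survey, the useful step is comparing what it saw against an inventory of sanctioned access points, because a raw list of BSSIDs proves nothing by itself. The following is an added example written for this page; it is not code from PCI DSS Guru or from any wireless analyzer. The inventory, the survey rows, the CSV column layout and the -70 dBm "on premises" threshold are constructed assumptions; real tools (airodump-ng, Kismet, a wireless IDS) export similar fields under their own column names.

```python
"""Classify a wireless survey against an access point inventory.

Added example for this page; not code from PCI DSS Guru or from any
wireless analyzer. Inventory, survey rows, columns and the signal
threshold are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Hypothetical inventory of sanctioned access points: BSSID -> (SSID, privacy).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", "WPA2"),
    "00:11:22:33:44:02": ("CorpNet", "WPA2"),
    "00:11:22:33:44:03": ("CorpGuest", "WPA2"),
}
CORP_SSIDS = {ssid for ssid, _privacy in AUTHORIZED.values()}

# Assumed threshold: anything louder than this at the survey point is
# treated as physically on the premises rather than a neighbour's AP.
ON_PREMISES_DBM = -70

# Constructed survey export in this example's own column layout.
SURVEY_CSV = """\
bssid,channel,privacy,signal_dbm,ssid
00:11:22:33:44:01,6,WPA2,-41,CorpNet
00:11:22:33:44:02,11,WPA2,-55,CorpNet
00:11:22:33:44:03,1,OPN,-60,CorpGuest
AA:BB:CC:DD:EE:01,6,WPA2,-38,CorpNet
AA:BB:CC:DD:EE:02,3,OPN,-45,linksys
AA:BB:CC:DD:EE:03,9,WPA2,-84,Neighbour-5G
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    severity: str   # ok | info | medium | high | critical
    reason: str


def classify(row):
    """One survey row -> one finding, most specific condition first."""
    bssid = row["bssid"].upper()
    ssid, privacy = row["ssid"], row["privacy"]
    signal = int(row["signal_dbm"])
    expected = AUTHORIZED.get(bssid)
    if expected is not None:
        exp_ssid, exp_privacy = expected
        if (ssid, privacy) == (exp_ssid, exp_privacy):
            return Finding(bssid, ssid, "ok", "matches inventory")
        # A sanctioned radio advertising the wrong SSID or no encryption:
        # configuration drift, or someone cloned the BSSID.
        return Finding(bssid, ssid, "medium",
                       f"inventory says {exp_ssid}/{exp_privacy}, seen {ssid}/{privacy}")
    if ssid in CORP_SSIDS:
        # Unknown radio using our name: classic evil-twin setup.
        return Finding(bssid, ssid, "critical",
                       "unknown BSSID advertising a corporate SSID (possible evil twin)")
    if signal >= ON_PREMISES_DBM:
        detail = "open network, " if privacy == "OPN" else ""
        return Finding(bssid, ssid, "high",
                       f"{detail}unknown AP at {signal} dBm, likely on premises")
    return Finding(bssid, ssid, "info",
                   f"weak signal ({signal} dBm), probably a neighbour")


def audit(survey_csv):
    return [classify(row) for row in csv.DictReader(io.StringIO(survey_csv))]


def needs_action(findings):
    return [f for f in findings if f.severity in ("medium", "high", "critical")]


if __name__ == "__main__":
    for f in audit(SURVEY_CSV):
        print(f"{f.severity:8} {f.bssid} {f.ssid!r}: {f.reason}")
```

Two caveats a practitioner should keep in mind. A survey is a snapshot from wherever the analyzer happened to be, so it has to cover the whole physical footprint of the cardholder data environment, not one corner of it. And a rogue access point plugged into a switch also shows up on the wired side, so the wireless survey is best paired with a check of switch MAC tables or NAC logs for hardware addresses that are not in the inventory.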

There are several possible ways that you can meet this requirement in your organization. Here are a few suggestions:

(continue reading…)


PCI DSS Requirement 4.1: Protecting Cardholder Data with SSL and TLS

PCI DSS Requirement 4.1 requires strong cryptography and security protocols, such as SSL/TLS or IPsec, to protect cardholder data while it is in transit over open, public networks. Specifically, the standard requires that you:

“Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks.”

In this article, we take a look at what this means for you as a PCI DSS professional. We begin with an overview of how the Secure Sockets Layer (SSL) works, define an “open, public network” and then explore what you need to do to validate your PCI DSS compliance in this area. (Note that later revisions of the standard, beginning with PCI DSS 3.1, no longer treat SSL or early TLS as strong cryptography; read the protocol choices here in their 2010 context.)
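Validating this requirement in practice means looking at what your servers actually negotiate, not what the configuration file says. The following is an added example written for this page, not code from PCI DSS Guru. The policy it encodes (TLS 1.2 or later, 128-bit or stronger keys, and no RC4, DES/3DES, export, NULL or anonymous suites) is an assumption of the example that follows later PCI guidance rather than the 2010 wording quoted above, which still named SSL.

```python
"""Check what a server negotiates against a 'strong cryptography' policy.

Added example for this page, not code from PCI DSS Guru. The policy
constants below are this example's own assumption, not the text of
Requirement 4.1.
"""
import socket
import ssl
from dataclasses import dataclass

ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
# Substrings that mark a legacy or broken suite in OpenSSL cipher names
# (RC4, DES and 3DES, NULL encryption, export grade, MD5, anonymous DH).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP-", "MD5", "ADH", "AECDH")
MIN_BITS = 128


@dataclass
class Verdict:
    acceptable: bool
    reason: str


def assess(protocol, cipher_name, bits):
    """Apply the policy to a negotiated (protocol, cipher, key bits) triple,
    the same values SSLSocket.version() and SSLSocket.cipher() return."""
    if protocol not in ACCEPTED_PROTOCOLS:
        return Verdict(False, f"{protocol} is not strong cryptography")
    for marker in WEAK_MARKERS:
        if marker in cipher_name.upper():
            return Verdict(False, f"{cipher_name}: legacy suite ({marker})")
    if bits < MIN_BITS:
        return Verdict(False, f"{cipher_name}: only {bits}-bit")
    return Verdict(True, f"{protocol} / {cipher_name} ({bits}-bit)")


def client_context():
    """Client context that refuses anything below TLS 1.2 and verifies the
    server certificate chain and hostname (create_default_context does the
    verification; the minimum version is what we add)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=5.0):
    """Connect to a live endpoint and assess what it negotiated.
    Network access is required; nothing in this example calls it."""
    ctx = client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return assess(tls.version(), name, bits)


if __name__ == "__main__":
    # Constructed sample negotiations, as a server audit might record them.
    samples = [
        ("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256),
        ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128),
        ("TLSv1.0", "AES256-SHA", 256),
        ("TLSv1.2", "RC4-SHA", 128),
        ("TLSv1.2", "DES-CBC3-SHA", 112),
    ]
    for proto, cipher, bits in samples:
        v = assess(proto, cipher, bits)
        print("PASS" if v.acceptable else "FAIL", v.reason)
```

Because `client_context()` refuses to speak anything below TLS 1.2, `probe()` tells you what a modern client gets, not whether the server would still accept a legacy client. A full audit also offers each old protocol version in turn and expects the handshake to be refused.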

(continue reading…)



  • Copyright © 1996-2010 PCI DSS Guru. All rights reserved.