Vulnerability Scans (11.3.1.3 and 11.3.2.1)
One of the critical security controls that PCI DSS v4.0 emphasizes is the need for internal vulnerability scans. Companies must perform these scans after any 'significant change,' as defined by the standard. Significant changes include things like adding new hardware, software, or making considerable upgrades to existing infrastructure.
The scans aim to detect and resolve high-risk and critical vulnerabilities based on the entity’s vulnerability risk rankings. Following the scan, any detected vulnerabilities must be resolved, and rescans should be conducted as needed.
External vulnerability scans are equally important and follow the same triggering mechanism—significant changes in the environment. Here, the focus is on resolving vulnerabilities scored 4.0 or higher by the Common Vulnerability Scoring System (CVSS). As with internal scans, rescans are required as necessary to confirm that vulnerabilities have been adequately addressed.
Penetration Testing (11.4.2, 11.4.3)
Internal penetration testing is a more aggressive form of evaluation and should be conducted at least once every 12 months or after any significant change to the infrastructure or application. The testing can be carried out either by a qualified internal resource or a qualified external third-party, provided that there is organizational independence between the tester and the entity being tested. Notably, the tester doesn't need to be a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV).
Much like its internal counterpart, external penetration testing is required annually or after any significant alterations to the system. The testing must also be conducted by qualified resources and should follow the entity’s defined methodology for testing.
What Constitutes a 'Significant Change'?
PCI DSS v4.0 is pretty broad in what it considers to be 'significant changes,' effectively encompassing any new hardware, software, or networking equipment added to the Cardholder Data Environment (CDE), as well as any replacement or major upgrades to existing hardware and software in the CDE. The list is exhaustive and is aimed at ensuring that any changes, no matter how seemingly minor, are given adequate attention from a security perspective.
Summary of Requirements
The PCI DSS v4.0 requirements for vulnerability scans and penetration testing provide a structured approach for entities to keep their data environments secure. While these requirements might seem stringent, they offer a well-defined framework for securing cardholder data against the backdrop of ever-advancing cyber threats. Adhering to these requirements is not just about ticking compliance boxes; it’s about taking the necessary steps to protect your organization and its stakeholders.
- Internal vulnerability scans:
  - 11.3.1.3 Internal vulnerability scans are performed after any significant change as follows:
    - High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
    - Rescans are conducted as needed (significant changes..).
- External vulnerability scans:
  - 11.3.2.1 External vulnerability scans are performed after any significant change as follows:
    - Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved.
    - Rescans are conducted as needed (significant changes..).
- Internal penetration testing:
  - 11.4.2 Internal penetration testing is performed:
    - Per the entity’s defined methodology, at least once every 12 months
    - After any significant infrastructure or application upgrade or change
    - By a qualified internal resource or qualified external third-party
    - Organizational independence of the tester exists (not required to be a QSA or ASV).
- External penetration testing:
  - 11.4.3 External penetration testing is performed:
    - Per the entity’s defined methodology, at least once every 12 months
    - After any significant infrastructure or application upgrade or change
    - By a qualified internal resource or qualified external third party
    - Organizational independence of the tester exists (not required to be a QSA or ASV).
- Significant changes are defined in PCI DSS to include (PCI-DSS-v4_0.pdf page 26):
  - New hardware, software, or networking equipment.
  - Any replacement or major upgrades of hardware and software.
  - Any changes in the flow or storage of account data.
  - Any changes to the boundary.
  - Any changes to the underlying supporting infrastructure such as changes to directory services, time servers, logging, and monitoring.
  - Any changes to third party vendors or services provided on behalf of the entity.