What You Need To Know About PCI Assessments And Vulnerability Remediation Requirements

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements to ensure cardholder data security for organizations that process credit card transactions.  

The standard comprises 12 requirements covering logging and monitoring, vulnerability scans, risk assessment, physical security, access control policy, and other security-related best practices. For a company to be PCI compliant, it must prove that its systems and infrastructure meet all requirements. 

No matter your company size -- or how many credit card transactions you process-- you must follow PCI compliance standards. These standards are designed to protect the data shared with you by your customers. 

This article will review PCI assessments, PCI requirement 11, and remediation requirements. 

PCI Assessments 

PCI assessments are conducted by qualified security assessors (QSA) or internal security assessors (ISA) to determine an organization's compliance with the PCI DSS. They are crucial for protecting payment card data and preventing fraud. Organizations that fail to comply with PCI DSS may be subject to fines, legal liabilities, and other consequences. 

The assessments thoroughly review an organization's payment card processing systems, security policies, procedures, and IT infrastructure to identify any vulnerabilities that may compromise payment card data security. 

There are several types of PCI assessments, including: 

• PCI DSS Self-Assessment Questionnaires (SAQs): These are self-assessment questionnaires that merchants can complete themselves to demonstrate their compliance with PCI DSS. 
• PCI DSS Level 1 Assessment: This is the most comprehensive PCI assessment and is required for merchants that process more than six million transactions per year. 
• PCI DSS Level 2-4 Assessments: These assessments are required for merchants that process fewer than six million transactions per year. 

When an organization undergoes a PCI DSS assessment, it may be found to have vulnerabilities that could potentially compromise cardholder data. Therefore, the organization must take remediation steps to address those vulnerabilities in such cases. 

PCI DSS Requirement 11 

PCI DSS Requirement 11 is focused on testing security systems and processes to protect payment card data from unauthorized access and misuse. 

This requirement says you must regularly perform penetration testing audits on your application/infrastructure every few months. Keep in mind that new vulnerabilities are uncovered by security research every day, so a penetration test performed today may find vulnerabilities that didn't exist one month before. 

However, this PCI DSS requirement isn't just about scanning network components and servers to find vulnerabilities; it's also about remediating and changing processes to prevent future vulnerabilities.  Once the weaknesses are identified, the organization corrects them and repeats the scan until all vulnerabilities have been corrected, based on criticality. 

PCI Requirement 11 includes the following sub-requirements: 

• PCI DSS Requirement 11.1: Apply processes to detect the presence of wireless access points, and identify all authorized and unauthorized wireless access points quarterly. 
• PCI DSS Requirement 11.2: Perform internal and external network vulnerability scans at least every three months and after a significant change in the network. 
• PCI DSS Requirement 11.3: Apply a methodology for penetration testing 
• PCI DSS Requirement 11.4: Use intrusion detection or intrusion prevention techniques to detect or prevent intrusions on the network. 
• PCI DSS Requirement 11.5: Use the change detection mechanism to alert unauthorized changes to critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least once a week. 
• PCI DSS Requirement 11.6: Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.  

Read More: Top 8 PCI DSS Compliance Tips 

What are PCI Vulnerability Remediation Requirements? 

It is important to note that the specific PCI vulnerability remediation requirements can vary depending on the specific version of the PCI DSS and the individual circumstances of the organization undergoing assessment. 

Generally, organizations will be required to: 

1. Fix the vulnerability: The organization must address the vulnerability by implementing a fix, such as a patch or configuration change. 
2. Document the remediation: The organization must document the actions taken to remediate the vulnerability, including any changes to systems or processes. 
3. Verify the remediation: The organization must verify that the vulnerability has been successfully remediated, typically through re-scanning or re-testing. 
4. Report on the remediation: The organization must provide a report that describes the vulnerability and the steps taken to remediate it, as well as evidence of the verification of the remediation. 
5. Address any underlying issues: If the vulnerability results from underlying issues with the organization's security practices, the organization may be required to take additional steps to address those issues. 

Are You Ready To Assess Your PCI Training Needs? 

Considering the various penalties associated with a data breach, going beyond PCI compliance and ensuring the best cybersecurity practices must be a top priority for any organization dealing with sensitive information.  

An appsec education solution, such as Security Journey's AppSec Education Platform, can help your organization stay PCI compliant from the start. Talk to our team today to learn more.