|
About the Regularly Monitor and Test Networks category
|
|
0
|
8
|
February 9, 2023
|
|
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties
|
|
0
|
5
|
February 20, 2023
|
|
11.5.1 Implement a process to respond to any alerts generated by the change- detection solution
|
|
0
|
5
|
February 20, 2023
|
|
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification
|
|
0
|
3
|
February 20, 2023
|
|
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points
|
|
0
|
6
|
February 20, 2023
|
|
11.3.4.1 Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods
|
|
0
|
4
|
February 20, 2023
|
|
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify
|
|
0
|
5
|
February 20, 2023
|
|
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections
|
|
0
|
8
|
February 20, 2023
|
|
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification
|
|
0
|
4
|
February 20, 2023
|
|
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification
|
|
0
|
3
|
February 20, 2023
|
|
11.3 Implement a methodology for penetration testing that includes the following:
|
|
0
|
4
|
February 20, 2023
|
|
11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel
|
|
0
|
3
|
February 20, 2023
|
|
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved
|
|
0
|
4
|
February 20, 2023
|
|
11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1)
|
|
0
|
4
|
February 20, 2023
|
|
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)
|
|
0
|
4
|
February 20, 2023
|
|
11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected
|
|
0
|
5
|
February 20, 2023
|
|
11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification
|
|
0
|
6
|
February 20, 2023
|
|
11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis
|
|
0
|
6
|
February 20, 2023
|
|
11: Regularly test security systems and processes
|
|
0
|
6
|
February 20, 2023
|
|
10.9 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties
|
|
0
|
6
|
February 19, 2023
|
|
10.8.1 Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
|
|
0
|
7
|
February 19, 2023
|
|
10.8 Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
|
|
0
|
6
|
February 19, 2023
|
|
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis
|
|
0
|
4
|
February 19, 2023
|
|
10.6.3 Follow up exceptions and anomalies identified during the review process
|
|
0
|
10
|
February 19, 2023
|
|
10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment
|
|
0
|
5
|
February 19, 2023
|
|
10.6.1 Review the following at least daily:
|
|
0
|
4
|
February 19, 2023
|
|
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity
|
|
0
|
3
|
February 19, 2023
|
|
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)
|
|
0
|
8
|
February 19, 2023
|
|
10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device
|
|
0
|
4
|
February 19, 2023
|
|
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter
|
|
0
|
8
|
February 19, 2023
|