PCI-DSS SECURITY TESTING CHEATSHEET
Making Compliance easier
1. WIRELESS ACCESS POINTS
Implementing appropriate processes for testing the presence of WAPs, detecting authorized and unauthorized access points, and maintaining an inventory of wireless access points.
Frequency: Quarterly.
2. VULNERABILITY SCANS
Performing internal and external network vulnerability scans, address vulnerabilities, and perform rescans as needed via an Approved Scanning Vendor (ASV) approved by the PCI SSC.
Frequency: Quarterly or after a significant change in the network.
3. PENETRATION TESTING
Using industry-accepted penetration testing approaches, including network- and application-layer tests such as those in NIST SP 800-115, the entire CDE perimeter along with critical systems should be covered, and segmentation and scope-reduction controls should be validated.
Performing external as well as internal penetration tests, correcting exploitable vulnerabilities, and verifying the corrections.
Frequency: Annual or after significant infrastructure or application upgrades or modification.
Special requirement for service providers under 11.3.4.1: confirm PCI DSS scope by performing penetration testing on segmentation controls half-yearly and after any changes to segmentation controls are made.
4. INTRUSION DETECTION/PREVENTION SYSTEM
Using IDS/IPS to monitor traffic at the CDE perimeter as well as at critical points inside it.
Frequency: NA.
5. CHANGE DETECTION MECHANISM
Deploying a change-detection mechanism to generate alerts about unauthorized modification of critical system files, configuration files, or content files.
Frequency: Weekly.
6. DOCUMENTATION
Ensuring that security policies and operational procedures for security monitoring and testing are documented and available for all affected parties.
Frequency: NA.
If you are looking for a company that validates PCI DSS compliance in Abu Dhabi, then you can totally count on Securium Solutions for such accountancy.