{"id":83,"date":"2022-11-27T22:00:00","date_gmt":"2022-11-28T03:00:00","guid":{"rendered":"https:\/\/terrabytefoundry.com\/blog_s\/?p=83"},"modified":"2022-11-27T20:35:43","modified_gmt":"2022-11-28T01:35:43","slug":"intro-to-pci-version-4-requirement-11","status":"publish","type":"post","link":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/","title":{"rendered":"Intro to PCI version 4: Requirement 11"},"content":{"rendered":"\n<p>In PCI requirement 11 the focus is on vulnerability management.\u00a0 From all aspects \u2013 prevention, awareness, and remediation (and all steps in between).\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overall Thoughts<\/h2>\n\n\n\n<p>While at the top level this sounds a lot like requirement 5, which focuses on anti-malware, requirement 11 is more in line with the concepts of anti-threat vector.\u00a0 While some malware, especially the types that act as entry points for ransomware seem to fall under the auspice of \u201ctargeted attack vectors\u201d, most are not.\u00a0 Requirement 11 is designed around the concepts of making sure that as a company you do the due diligence needed to protect the environment against the impact of all forms of risk and attack vectors in the environment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s New for Req 11 in v4<\/h2>\n\n\n\n<p>The new controls in requirement 11 of v4 are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>11.1.2 &#8211; Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood.es to the existing controls (surprised?) 
&lt;- literally cut and paste this line from the post on requirement 10 (which was cut from 9, etc.)<\/li>\n\n\n\n<li>11.3.1.1 &#8211; Manage all other applicable vulnerabilities (those not ranked as high-risk or critical) \u2013 The term \u2018manage\u2019 is the key to this one.&nbsp; Develop a program for how you will manage anything found during your scanning and testing that ranks as medium or lower.&nbsp; (HINT \u2013 Risk rankings and impact statements, as part of a targeted risk analysis, will probably be some great steps.)<\/li>\n\n\n\n<li>11.3.1.2 &#8211; Internal vulnerability scans are performed via authenticated scanning \u2013 For those of you who have been running your internal scans using credentials all along, while everyone snickered at you for making compliance harder than needed \u2013 Now is your turn to have the last laugh on the matter! (Well done).<\/li>\n\n\n\n<li>11.4.7 &#8211; multi-tenant service providers support their customers for external penetration testing \u2013 Service provider only, and \u2018multi-tenant\u2019 refers to the shared hosting environment used by some.&nbsp; The rest is self-explanatory.&nbsp; You MUST provide ways for them to do their external penetration testing (unless you are testing on their behalf as part of your service provider agreement, but that opens a whole new set of logistics).<\/li>\n\n\n\n<li>11.5.1.1 &#8211; Covert malware communication channels detect, alert and\/or prevent, and address via intrusion-detection and\/or intrusion-prevention techniques \u2013 manage the different methods and com paths used by malware programs to coordinate internally and externally.<\/li>\n\n\n\n<li>11.6.1 &#8211; A change-and-tamper-detection mechanism is deployed for payment pages \u2013 THIS.&nbsp; Start looking for your vendor or having conversations with your dev team (or both) on this one early enough to properly build\/purchase, test, and implement.&nbsp; If you were happy about what feels like a relaxation in 
R6 on the OWASP related requirements (re: combined into a single versus several independent ones), this is part of why they feel good about being able to make that change (together with the new script-management control, 6.4.3, which is the companion to 11.6.1).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What are the changes\/modifications?<\/h2>\n\n\n\n<p>Requirement 11 changes\/modifications are mostly focused on providing additional details about what the expectations are going to be (along with the structural changes \u2013 of course).<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>11 \u2013 Clarification\/guidance \u2013 Minor update to the principal requirement title<\/li>\n\n\n\n<li>11.1 \u2013 Now 11.2.1 \u2013 Clarification\/guidance &#8211; Clarified that the intent of the requirement is to manage both authorized and unauthorized wireless access points. Clarified that this requirement applies even when a policy exists to prohibit the use of wireless technology.<\/li>\n\n\n\n<li>11.2.3 \u2013 Now 11.3.1.3 \/ 11.3.2.1 \u2013 Structure\/format &#8211; Separated the requirement to perform internal and external vulnerability scans and rescans after any significant change into a requirement for internal scans (11.3.1.3) and one for external scans (11.3.2.1).<\/li>\n\n\n\n<li>11.3 \u2013 Now 11.4.1 \u2013 Clarification\/guidance \u2013 Added clarification around methodology, retention, addressing exposed risk, and the definitions of \u2018internal\u2019 and \u2018external\u2019<\/li>\n\n\n\n<li>11.3.3 \u2013 Now 11.4.4 \u2013 Clarification\/guidance &#8211; Clarified that penetration test findings are corrected in accordance with the entity\u2019s assessment of the risk posed by the security issue.<\/li>\n\n\n\n<li>11.2 \u2013 Now N\/A \u2013 Structure\/format \u2013 Removed, as the previous requirement is now covered by other controls<\/li>\n\n\n\n<li>11.1.2 (the v3.2.1 control, not the new roles-and-responsibilities 11.1.2 above) \u2013 Now 12.10.5 \u2013 Structure\/format &#8211; Moved the requirement for incident response procedures when unauthorized wireless access points are detected to align with the other incident response items.<\/li>\n\n\n\n<li>11.5.1 \u2013 Now 12.10.5 \u2013 Structure\/format &#8211; Moved the requirement to respond to alerts generated by the change-detection solution to align with the other incident response items.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Most of the changes and additions in requirement 11 are focused on additional clarification and guidance towards management of the vulnerability program overall.&nbsp; For service providers, the additions are about making certain they are not preventing customers from managing their piece of the environment, and about using proper access and mechanisms to ensure the environment is being monitored and tested in depth.&nbsp; Some areas have been moved down to 12, which we will discuss next week, but for the most part the areas covered by requirement 11 are unchanged.&nbsp; There is a shift in expectations around management of the environment.<\/p>\n\n\n\n<p>As always, I hope this tidbit of information gives you a base to have discussions with your internal subject matter experts and your trusted external sources for IT security and PCI knowledge.\u00a0 Feel free to reach out to me directly with questions or to have a conversation via my email and\/or social media information on the TBF website.\u00a0 Thanks for taking the time to read my thoughts on PCI v4 Requirement 11.\u00a0 We will continue to work through each of the PCI requirements each week.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In PCI requirement 11 the focus is on vulnerability management.\u00a0 From all aspects \u2013 prevention, awareness, and remediation (and all steps in between).\u00a0 Overall Thoughts While at the top level this sounds a lot like requirement 5, which focuses on anti-malware, requirement 11 is more in line with the concepts of anti-threat vector.\u00a0 While some &hellip; <\/p>\n<p class=\"link-more\"><a 
href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Intro to PCI version 4: Requirement 11&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7],"tags":[],"class_list":["post-83","post","type-post","status-publish","format-standard","hentry","category-shawn"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Intro to PCI version 4: Requirement 11 - Shawn&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Intro to PCI version 4: Requirement 11 - Shawn&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"In PCI requirement 11 the focus is on vulnerability management.\u00a0 From all aspects \u2013 prevention, awareness, and remediation (and all steps in between).\u00a0 Overall Thoughts While at the top level this sounds a lot like requirement 5, which focuses on anti-malware, requirement 11 is more in line with the concepts of anti-threat vector.\u00a0 While some &hellip; Continue reading &quot;Intro to PCI version 4: Requirement 11&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/\" \/>\n<meta property=\"og:site_name\" content=\"Shawn&#039;s 
Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-28T03:00:00+00:00\" \/>\n<meta name=\"author\" content=\"TBF_Shawn\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TBF_Shawn\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/27\\\/intro-to-pci-version-4-requirement-11\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/27\\\/intro-to-pci-version-4-requirement-11\\\/\"},\"author\":{\"name\":\"TBF_Shawn\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"headline\":\"Intro to PCI version 4: Requirement 11\",\"datePublished\":\"2022-11-28T03:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/27\\\/intro-to-pci-version-4-requirement-11\\\/\"},\"wordCount\":856,\"articleSection\":[\"Shawn\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/27\\\/intro-to-pci-version-4-requirement-11\\\/\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/27\\\/intro-to-pci-version-4-requirement-11\\\/\",\"name\":\"Intro to PCI version 4: Requirement 11 - Shawn&#039;s 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\"},\"datePublished\":\"2022-11-28T03:00:00+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/27\\\/intro-to-pci-version-4-requirement-11\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/27\\\/intro-to-pci-version-4-requirement-11\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/27\\\/intro-to-pci-version-4-requirement-11\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Intro to PCI version 4: Requirement 11\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\",\"name\":\"Shawn&#039;s Blog\",\"description\":\"Shawn&#039;s Thoughts and 
Ramblings\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\",\"name\":\"TBF_Shawn\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"caption\":\"TBF_Shawn\"},\"sameAs\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\"],\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/author\\\/tbf_shawn\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Intro to PCI version 4: Requirement 11 - Shawn&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/","og_locale":"en_US","og_type":"article","og_title":"Intro to PCI version 4: Requirement 11 - Shawn&#039;s Blog","og_description":"In PCI requirement 11 the focus is on vulnerability management.\u00a0 From all aspects \u2013 prevention, awareness, and remediation (and all steps in between).\u00a0 Overall Thoughts While at the top level this sounds a lot like requirement 5, which focuses on anti-malware, requirement 11 is more in line with the concepts of anti-threat vector.\u00a0 While some &hellip; Continue reading \"Intro to PCI version 4: Requirement 11\"","og_url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/","og_site_name":"Shawn&#039;s Blog","article_published_time":"2022-11-28T03:00:00+00:00","author":"TBF_Shawn","twitter_card":"summary_large_image","twitter_misc":{"Written by":"TBF_Shawn","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/#article","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/"},"author":{"name":"TBF_Shawn","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"headline":"Intro to PCI version 4: Requirement 11","datePublished":"2022-11-28T03:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/"},"wordCount":856,"articleSection":["Shawn"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/","url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/","name":"Intro to PCI version 4: Requirement 11 - Shawn&#039;s Blog","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website"},"datePublished":"2022-11-28T03:00:00+00:00","author":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"breadcrumb":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/27\/intro-to-pci-version-4-requirement-11\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/terrabytefoundry.com\/blog_s\/"},{"@type":"ListItem","position":2,"name":"Intro to PCI version 4: Requirement 
11"}]},{"@type":"WebSite","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website","url":"https:\/\/terrabytefoundry.com\/blog_s\/","name":"Shawn&#039;s Blog","description":"Shawn&#039;s Thoughts and Ramblings","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/terrabytefoundry.com\/blog_s\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4","name":"TBF_Shawn","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","caption":"TBF_Shawn"},"sameAs":["https:\/\/terrabytefoundry.com\/blog_s"],"url":"https:\/\/terrabytefoundry.com\/blog_s\/author\/tbf_shawn\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/83","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/comments?post=83"}],"version-history":[{"count":1,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/83\/revisions"}],"predecessor-version":[{"id":84,"href":"https:\/\/terrabytefoundry.com\
/blog_s\/wp-json\/wp\/v2\/posts\/83\/revisions\/84"}],"wp:attachment":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/media?parent=83"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/categories?post=83"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/tags?post=83"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}