11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. | 2 | | | |
11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification. | | | | |
11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected. | | | | |
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. | 3 | | | |
11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all "high risk" vulnerabilities are resolved in accordance with the entity's vulnerability ranking. | | | | |
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). | | | | |
11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. | | | | |
11.3 Implement a methodology for penetration testing. | 4 | | | |
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification. | | | | |
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification. | | | | |
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. | | | | |
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE. | 1 | | | |
11.3.4.1 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. | | | | |
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. | | 1 | 1 | |
11.5 Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files. | 1 | | 1 | |
11.5.1 Implement a process to respond to any alerts generated by the change detection solution. | | | | |
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. | | | | |
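Requirement 11.5 asks for a change-detection mechanism over critical system, configuration and content files. The block below is an added example of the core of such a mechanism (a hash baseline compared against the current state, reporting modified, added and removed files); it is not part of PCI DSS and not the code of any particular FIM product. The glob patterns in `CRITICAL_GLOBS`, the sample directory tree and the tampering it simulates are constructed for the demonstration, and the baseline is written next to the files only for simplicity; in production the baseline must live where the monitored host cannot rewrite it, and each finding must feed the 11.5.1 response process.

```python
"""Minimal file-integrity (change-detection) check: baseline hashes, then diff."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: which paths count as "critical" for this host (configuration,
# executables and web content). Real deployments derive this from the asset inventory.
CRITICAL_GLOBS = ("etc/*.conf", "bin/*", "www/*.php")


def sha256_of(path: Path) -> str:
    """Hash file contents in chunks; content hashes, unlike mtimes, cannot be faked with touch."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, patterns=CRITICAL_GLOBS) -> dict:
    """Map each monitored file (path relative to root, POSIX form) to its SHA-256."""
    baseline = {}
    for pattern in patterns:
        for p in sorted(root.glob(pattern)):
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the stored baseline and the current scan."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, report the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin", "www"):
            (root / d).mkdir()
        (root / "etc/app.conf").write_text("debug=false\n")
        (root / "bin/payment").write_bytes(b"\x7fELF-sample-binary")
        (root / "www/index.php").write_text("<?php echo 'ok';\n")

        # Assumption: baseline kept beside the files only for this demo; store it
        # off-host or on read-only media so an intruder cannot re-baseline after tampering.
        baseline_path = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated unauthorized changes: config edited, web content dropped, binary removed.
        (root / "etc/app.conf").write_text("debug=true\n")
        (root / "www/shell.php").write_text("<?php /* unauthorized file */\n")
        (root / "bin/payment").unlink()

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each non-empty list returned by `compare` is an alert for the 11.5.1 response procedure; an empty result on all three lists is the only state that should pass a scheduled check without a ticket. The baseline should be regenerated only through the change-management process, never automatically after a detected change.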