Information Security Leader, Author, Instructor and Speaker

PCI DSS compliance and the trouble with requirement 11

Posted on June 15, 2014 in Articles

The 2014 Verizon PCI Compliance Report assessed the state of PCI DSS compliance around the world. Surprisingly, it found that requirement 11 (regularly test security systems and processes) was the least complied with, despite the fact that many security professionals consider it one of the more straightforward requirements. In this tip, we take a look at the two specific areas that Verizon highlighted as being stumbling blocks to compliance and talk about how you can build them into your PCI DSS compliance program.

As you likely know, PCI DSS requires that you perform penetration testing of your environment following an industry-accepted methodology, such as NIST SP 800-115. These tests must be performed at least annually and must also be repeated after any significant change to the cardholder data environment. The first issue that Verizon uncovered is that 60% of organizations failed to provide evidence that they had conducted a penetration test within the past year. Remember, maintaining documentation of the penetration test (the scope, the methodology, the findings and the remediation) is almost as important as actually conducting the test when it comes to PCI compliance. Auditors are not willing to take your word for it; they want to see artifacts!

Published June 15, 2014 on SearchSecurity.com