PCI DSS requirement 11 the least followed by businesses

  • Team Omega
  • June 16, 2014


The 2014 Verizon PCI compliance report says that Requirement 11 of PCI DSS which is the most straight forward to follow and show proof of compliance on, has been the most difficult for businesses to comply with. These two areas being Penetration Testing and Vulnerability Scanning.

Penetration testing

This is a mandatory test and companies fail in the area of showing proof through documentation. The auditors need to see evidence. Secondly, the test should show that there were no exploitable vulnerabilities. If the first pen test showed something that needed fixing, then the gap has to be addressed and the pen test repeated until a clean report is obtained.

Vulnerability Scanning

Internal and external vulnerability scanning are again mandatory. Proof that auditors need to see are clean scans every quarter. Similar to the pen test, any high vulnerability needs to be fixed and scan re-run until there is a clean scan for every quarter. So, four clean scans are required for evidence.

Omega ATC helps customers in these two areas and thus far has not received any complaints from auditors as to the process, evidence or documentation to meet requirement 11.  If you need assistance with your Report on Compliance process, get in touch with us.