Monitoring and Testing [Req 10-11]
Rule: Log and monitor all access to system components and cardholder data. Test security of systems and networks regularly through vulnerability scans and penetration tests.
Requirement 10: Logging and Monitoring
10.2 — Audit Logs Implemented
Must log:
| Event | Requirement |
|---|---|
| User access | All individual access to cardholder data |
| Admin actions | All actions by anyone with admin privileges |
| Access to logs | All access to audit logs |
| Authentication | All invalid authentication attempts |
| Changes | Creation/deletion of system objects |
| Identification | All changes to user accounts |
| Initialization | Initialization, starting, stopping of audit logs |
Log Content
Each log entry must include:
- User identification
- Event type
- Date and time
- Success or failure
- Origination (source)
- Identity/name of affected data, component, or resource
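The following is an added example, not part of the PCI DSS text or any vendor tooling: a small reviewer that checks JSON-lines audit records against the six required content fields above, flags timestamps without a traceable timezone, and tallies invalid authentication attempts per user for the daily review. The field names (`user`, `event`, `time`, `result`, `source`, `target`) and the sample records are assumptions; map your own log schema onto them first.

```python
import json
from datetime import datetime

# Required content of every audit-log entry (10.2), keyed by the assumed JSON field name.
REQUIRED_FIELDS = {
    "user": "User identification",
    "event": "Event type",
    "time": "Date and time",
    "result": "Success or failure",
    "source": "Origination (source)",
    "target": "Identity/name of affected data, component, or resource",
}
VALID_RESULTS = {"success", "failure"}

def check_entry(entry: dict) -> list:
    """Return the problems found in one entry; an empty list means it is compliant."""
    problems = [f"missing {REQUIRED_FIELDS[k]}" for k in REQUIRED_FIELDS if not entry.get(k)]
    if entry.get("result") and entry["result"] not in VALID_RESULTS:
        problems.append("result must be success or failure")
    ts = entry.get("time")
    if ts:
        try:
            # A naive timestamp cannot be correlated across systems (see 10.6).
            if datetime.fromisoformat(ts).tzinfo is None:
                problems.append("timestamp lacks timezone")
        except ValueError:
            problems.append("timestamp not ISO 8601")
    return problems

def review_log(lines: list) -> dict:
    """Parse JSON-lines records; report non-compliant entries (by line number)
    and the number of failed authentication attempts per user."""
    noncompliant, failed_auth = {}, {}
    for n, line in enumerate(lines, 1):
        entry = json.loads(line)
        if problems := check_entry(entry):
            noncompliant[n] = problems
        if entry.get("event") == "auth" and entry.get("result") == "failure":
            user = entry.get("user") or "<unknown>"
            failed_auth[user] = failed_auth.get(user, 0) + 1
    return {"noncompliant": noncompliant, "failed_auth": failed_auth}

SAMPLE_LOG = [  # constructed sample records, not real log data
    '{"user":"alice","event":"auth","time":"2024-05-01T08:00:00+00:00","result":"failure","source":"10.0.0.5","target":"vpn-gw"}',
    '{"user":"alice","event":"auth","time":"2024-05-01T08:00:30+00:00","result":"failure","source":"10.0.0.5","target":"vpn-gw"}',
    '{"user":"bob","event":"admin","time":"2024-05-01T09:15:00","result":"success","source":"10.0.0.9"}',
    '{"user":"","event":"log-access","time":"not-a-date","result":"ok","source":"10.0.0.2","target":"/var/log/audit"}',
]
```

Running `review_log(SAMPLE_LOG)` flags records 3 and 4 (missing target and naive timestamp; missing user, bad result value and unparseable time) and reports two failed authentications for `alice`.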
10.3 — Protect Audit Logs
| Control | Requirement |
|---|---|
| Read access | Limited to those with job need |
| Tampering protection | Cannot be modified |
| Integrity monitoring | Detect unauthorized changes |
| Prompt backup | To central server or media |
10.4 — Log Review
| Control | Requirement |
|---|---|
| Daily review | Security events and logs of critical systems |
| Review all other logs | At least periodically (based on risk) |
| Anomaly response | Follow up on anomalies |
10.5 — Log Retention
| Period | Requirement |
|---|---|
| Online/available | At least 3 months |
| Total retention | At least 12 months |
| Retrievable | For analysis |
10.6 — Time Synchronization
| Control | Requirement |
|---|---|
| NTP or similar | Critical systems synchronized |
| Correct time | From industry-accepted source |
| Protected | Time data protected from unauthorized changes |
Requirement 11: Security Testing
11.2 — Wireless Monitoring
| Control | Requirement |
|---|---|
| Authorized inventory | Maintain list of authorized APs |
| Detection | Identify unauthorized wireless APs |
| Quarterly scans | At least quarterly |
| Automated monitoring | Or quarterly manual scans |
11.3 — Vulnerability Scans
| Scan Type | Frequency | Scope |
|---|---|---|
| Internal vulnerability scans | At least quarterly | All systems in CDE and connected |
| External vulnerability scans | At least quarterly | All externally-facing IPs |
| After significant changes | After each change | Affected systems |
ASV requirement: External scans must be performed by PCI SSC Approved Scanning Vendor (ASV).
Passing criteria:
- No vulnerabilities scored CVSS 4.0 or higher
- Address high/critical vulnerabilities
- Rescan until passing
11.4 — Penetration Testing
| Test Type | Frequency | Scope |
|---|---|---|
| External penetration test | At least annually | External-facing systems |
| Internal penetration test | At least annually | Internal CDE |
| Segmentation testing | At least annually (every 6 months for service providers) | Verify segmentation effectiveness |
| After significant changes | After changes | Affected systems |
Penetration test must:
- Follow industry-accepted methodology (PTES, OWASP, NIST)
- Include network and application layer testing
- Address discovered vulnerabilities
- Retest after remediation
11.5 — Intrusion Detection
| Control | Requirement |
|---|---|
| IDS/IPS | Detect and/or prevent intrusions |
| All traffic | Monitor traffic in CDE |
| Alerts | Personnel alerted to suspected compromises |
| Signatures | Kept current |
11.6 — Change Detection (Payment Pages)
| Control | Requirement |
|---|---|
| Mechanism | Detect unauthorized changes to payment pages |
| HTTP headers | Monitor scripts and content |
| Frequency | At least weekly |
| Alert | Personnel alerted to changes |
Testing Summary
| Test | Frequency | Performed By |
|---|---|---|
| Vulnerability scan (internal) | Quarterly + after changes | Internal or qualified external |
| Vulnerability scan (external) | Quarterly + after changes | ASV (Approved Scanning Vendor) |
| Penetration test | Annually + after changes | Qualified internal or external |
| Segmentation test | Annually (6 months for SP) | Penetration tester |
| Wireless scan | Quarterly | Internal or external |
Citation
PCI DSS v4.0.1 Requirements 10-11