WithPCI.com

11.4.4 Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

11.4.4 Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows:

  • In accordance with the entity's assessment of the risk posed by the security issue as defined in Requirement 6.3.1.
  • Penetration testing is repeated to verify the corrections.

Customized Approach Objective

Vulnerabilities and security weaknesses found while verifying system defenses are mitigated.

Defined Approach Testing Procedures

11.4.4 Examine penetration testing results to verify that noted exploitable vulnerabilities and security weaknesses were corrected in accordance with all elements specified in this requirement.

Purpose

The results of a penetration test are usually a prioritized list of vulnerabilities discovered by the exercise. Often a tester will have chained a number of vulnerabilities together to compromise a system component. Remediating the vulnerabilities found by a penetration test significantly reduces the probability that the same vulnerabilities will be exploited by a malicious attacker.

Using the entity's own vulnerability risk assessment process (see Requirement 6.3.1) ensures that the vulnerabilities that pose the highest risk to the entity will be remediated more quickly.
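The two elements of this requirement (correction prioritised by the entity's 6.3.1 risk rank, and a repeated penetration test that verifies each correction) translate naturally into a finding tracker. The following is an added example, not code from WithPCI.com or from the PCI SSC: it records each penetration test finding with its risk rank, derives a remediation due date from that rank, and only closes a finding when a retest that ran after the fix confirmed the issue is gone. The day counts in `REMEDIATION_DAYS`, the `Finding` fields and the sample findings are all constructed assumptions for the demonstration; PCI DSS leaves the ranking method and timeframes to the entity.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows per risk rank. PCI DSS 6.3.1 leaves the ranking method
# and the timeframes to the entity; these day counts are assumed for this example.
REMEDIATION_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Reference date used when the example runs stand-alone (constructed).
AS_OF = date(2025, 3, 1)


@dataclass
class Finding:
    finding_id: str
    title: str
    risk_rank: str                       # rank assigned under the entity's 6.3.1 process
    reported_on: date                    # date the pen test report delivered the finding
    fixed_on: Optional[date] = None      # date the correction was deployed
    retested_on: Optional[date] = None   # date the repeated pen test was run
    retest_passed: Optional[bool] = None # did the retest confirm the issue is gone?


def remediation_due(f: Finding) -> date:
    """Due date derived from the finding's risk rank, not one date for all findings."""
    if f.risk_rank not in REMEDIATION_DAYS:
        raise ValueError(f"{f.finding_id}: unknown risk rank {f.risk_rank!r}")
    return f.reported_on + timedelta(days=REMEDIATION_DAYS[f.risk_rank])


def finding_status(f: Finding, today: date) -> str:
    """Classify a finding. Only a passing retest run after the fix closes it."""
    if f.fixed_on is None:
        return "overdue" if today > remediation_due(f) else "open"
    if f.retested_on is None or f.retested_on < f.fixed_on:
        return "awaiting_retest"  # a retest that predates the fix verifies nothing
    return "closed" if f.retest_passed else "retest_failed"


def status_report(findings: List[Finding], today: date) -> Dict[str, str]:
    return {f.finding_id: finding_status(f, today) for f in findings}


def open_items(findings: List[Finding], today: date) -> List[str]:
    """Finding IDs an assessor would ask about: everything not verified closed."""
    return [f.finding_id for f in findings if finding_status(f, today) != "closed"]


# Constructed sample findings covering each outcome the tracker distinguishes.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("PT-001", "SQL injection in order search", "critical",
            date(2025, 1, 10), fixed_on=date(2025, 1, 14),
            retested_on=date(2025, 1, 20), retest_passed=True),
    Finding("PT-002", "Outdated TLS configuration", "high",
            date(2025, 1, 10), fixed_on=date(2025, 2, 5)),
    Finding("PT-003", "Default admin credentials on test host", "high",
            date(2025, 1, 10)),
    Finding("PT-004", "Verbose server banner", "low",
            date(2025, 2, 1)),
    Finding("PT-005", "Path traversal in report download", "medium",
            date(2025, 1, 10), fixed_on=date(2025, 2, 1),
            retested_on=date(2025, 2, 10), retest_passed=False),
    Finding("PT-006", "Missing rate limit on login", "medium",
            date(2025, 1, 10), fixed_on=date(2025, 2, 20),
            retested_on=date(2025, 2, 15), retest_passed=True),
]


if __name__ == "__main__":
    for fid, state in status_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{fid}: {state}")
    print("needs attention:", open_items(SAMPLE_FINDINGS, AS_OF))
```

Two details carry the compliance point: a fix deployed without a retest stays "awaiting_retest" rather than closed, and a retest dated before the fix is ignored, since it cannot have verified the correction. Evidence for testing procedure 11.4.4 is then the retest report itself, tied to each closed finding.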

Good Practice

As part of the entity's assessment of risk, entities should consider how likely the vulnerability is to be exploited and whether there are other controls present in the environment to reduce the risk.

Any weaknesses that point to PCI DSS requirements not being met should be addressed.

Purpose

Maintain and update IDS/IPS signatures and detection mechanisms.

Compliance Strategies

  • Automated signature updates
  • Periodic manual review

Typical Policies

  • IDS/IPS Update Policy

Common Pitfalls

  • Outdated signatures
  • Missed new threats

Type

Technical Control

Difficulty

Moderate

Key Risks

  • Failure to detect new attack vectors

Recommendations

  • Schedule regular updates and reviews

Eligible SAQ

  • SAQ-A-EP
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
