WithPCI Logo
WithPCI.com

11.5.1 Intrusion-detection and/or intrusion-prevention techniques

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows:

  • All traffic is monitored at the perimeter of the CDE.
  • All traffic is monitored at critical points in the CDE.
  • Personnel are alerted to suspected compromises.
  • All intrusion-detection and prevention engines, baselines, and signatures are kept up to date.

Defined Approach Testing Procedures

11.5.1.a Examine system configurations and network diagrams to verify that intrusion-detection and/or intrusion-prevention techniques are in place to monitor all traffic:

  • At the perimeter of the CDE.
  • At critical points in the CDE.

11.5.1.b Examine system configurations and interview responsible personnel to verify intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises.

11.5.1.c Examine system configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured to keep all engines, baselines, and signatures up to date.

Customized Approach Objective

Mechanisms to detect real-time suspicious or anomalous network traffic that may be indicative of threat actor activity are implemented. Alerts generated by these mechanisms are responded to by personnel, or by automated means that ensure that system components cannot be compromised as a result of the detected activity.

Purpose

Intrusion-detection and/or intrusion-prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known "signatures" and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and then send alerts and/or stop the attempt as it happens. Without a proactive approach to detect unauthorized activity, attacks on (or misuse of) computer resources could go unnoticed for long periods of time. The impact of an intrusion into the CDE is, in many ways, a factor of the time that an attacker has in the environment before being detected.

Good Practice

Security alerts generated by these techniques should be continually monitored, so that the attempted or actual intrusions can be stopped, and potential damage limited.

Definitions

Critical locations could include, but are not limited to, network security controls between network segments (for example, between a DMZ and an internal network or between an in-scope and out-of-scope network) and points protecting connections between a less trusted and a more trusted system component.

Sub-Requirements

purpose

Perform penetration testing at least annually and after significant changes.

compliance strategies

  • Annual penetration tests
  • Change-triggered tests

typical policies

  • Penetration Testing Policy

common pitfalls

  • Missed annual tests
  • No testing after changes

type

Technical/Process Control

difficulty

High

key risks

  • Unidentified vulnerabilities

recommendations

  • Use CREST or OSCP-certified testers

Eligible SAQ

  • SAQ-A-EP
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER

Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy