PCI DSS Position on Patching May Be Unjustified

Card Industry (PCI) Data Security Standard (DSS). The DSS addresses the issue of remediating security vulnerabilities. The first relevant DSS requirement is 6.1, which focuses on security patches.

6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.

The second relevant DSS requirement is 11.2, which is focused on vulnerability scans.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Turning to the audit procedures for 11.2, we find the following statement.

Verify that the scan process includes rescans until “clean” results are obtained.

Next, requirement 11.3 discusses penetration testing.

11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:

11.3.1 Network-layer penetration tests,
11.3.2 Application-layer penetration tests.

Finally, the audit procedures for 11.3 do not explicitly state a timeline for correcting vulnerabilities discovered during a penetration test, but instead merely require that the auditor “Verify that any noted


  1. Jens Laundrup Jun 30, 2008 at 10:32 am

    Well said Jeff.
    I would be willing to bet that they (The Payment Card Industry) do not follow their own patching mandate. It reflects the overall problem with PCI DSS, that it is too prescriptive but fails to meet the intended objective. We can draw a similar parallel to the Department of Defense where they often have a checklist that they have to go through to show compliance with a security directive. The problem with them is you can show compliance with the checklist or with PCI and be inadequately secured, thus meeting the letter of law but failing at the intent. It is time for the PCI to start thinking about adopting a different tactic.
    In my opinion, certification to ISO/IEC 27001 would do much more to meet the intent of PCI DSS than PCI DSS does today.

  2. Adam Shostack Jun 30, 2008 at 10:33 am

    Thanks for the mention, Jeff! I’m glad we inspired you to do this, and I’ve posted some thoughts in response at http://www.emergentchaos.com/archives/2008/06/in_the_land_of_the_blind.html
