
Test the system for insecure communications.


CONTROL ID
00535
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Perform penetration tests, as necessary., CC ID: 00655

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Verify that processes are in place to ensure that web applications are not vulnerable to insecure communications. (§ 6.5.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the system configurations to verify that the proper encryption strength has been implemented for the encryption method that is being used. (Testing Procedures § 4.1.f, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview responsible personnel and examine the software development policies and procedures to verify that insecure communications are addressed by coding technologies that properly authenticate and encrypt sensitive communications. (Testing Procedures § 6.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify that processes are in place to ensure that web applications are not vulnerable to insecure communications. (§ 6.5.4 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The software development process must address common coding vulnerabilities, to include insecure communications. (PCI DSS Requirements § 6.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Do coding techniques address insecure communications? (PCI DSS Question 6.5.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do coding techniques address insecure communications? (PCI DSS Question 6.5.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Did the penetration test work plan include communications security? (IT - Pen Test Review Q 8c, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
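As a worked illustration of what a tester actually runs to satisfy this Control (and PCI DSS Testing Procedure 4.1.f above, which asks for the configured encryption strength to be examined), the following Python script is an example added here; it is not part of the original page, of PCI DSS, or of any named authority document. It has two parts: an offline audit of an nginx-style TLS configuration fragment (SAMPLE_CONFIG is constructed for the example and is an assumed format, not a file taken from any real system), flagging deprecated protocol versions and weak OpenSSL cipher-string tokens, and a live probe that attempts a handshake pinned to each deprecated TLS version against a host supplied on the command line. The names DEPRECATED_PROTOCOLS, WEAK_CIPHER_PARTS, audit_tls_config and probe_deprecated_tls are this example's own.

```python
"""Added example: offline TLS configuration audit plus an optional live legacy-protocol probe."""
import re
import socket
import ssl
import sys

# Protocol versions that no current standard (PCI DSS included) treats as strong encryption.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Components of an OpenSSL cipher string that enable weak, anonymous or unauthenticated suites.
WEAK_CIPHER_PARTS = {"NULL", "aNULL", "eNULL", "EXP", "EXPORT", "LOW", "DES",
                     "RC2", "RC4", "MD5", "ADH", "AECDH"}

# Constructed nginx-style fragment for this example (not taken from any real system).
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL;
}
"""


def _directive_values(config, name):
    """Return the whitespace-separated arguments of every `<name> ... ;` directive in config."""
    values = []
    pattern = r"^\s*%s\s+([^;]+);" % re.escape(name)
    for match in re.finditer(pattern, config, re.MULTILINE):
        values.extend(match.group(1).split())
    return values


def weak_cipher_tokens(cipher_string):
    """Return the tokens of an OpenSSL cipher string that enable a weak suite.

    Tokens prefixed with '!' or '-' remove suites and therefore cannot enable a weak one,
    so they are skipped; every other token is split on '-' and '+' and checked part by part.
    """
    weak = []
    for token in cipher_string.split(":"):
        if token.startswith(("!", "-")):
            continue
        parts = re.split(r"[-+]", token.lstrip("+"))
        if any(part in WEAK_CIPHER_PARTS for part in parts):
            weak.append(token)
    return weak


def audit_tls_config(config):
    """Return findings (strings) for deprecated protocols and weak ciphers in an nginx-style config."""
    findings = []
    for proto in _directive_values(config, "ssl_protocols"):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append("ssl_protocols enables deprecated %s" % proto)
    for cipher_string in _directive_values(config, "ssl_ciphers"):
        for token in weak_cipher_tokens(cipher_string):
            findings.append("ssl_ciphers enables weak suite %s" % token)
    return findings


def probe_deprecated_tls(host, port=443, timeout=5.0):
    """Attempt a handshake pinned to each deprecated TLS version; True means the server accepted it.

    Caveat: a client-side OpenSSL built or configured (security level) without TLS 1.0/1.1
    fails these handshakes too, so False is only conclusive when the local library can speak
    the version being tested. Certificate checks are disabled because protocol support, not
    certificate validity, is what this probe measures.
    """
    results = {}
    for name, version in (("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1)):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True  # handshake completed on a deprecated version
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False
    return results


if __name__ == "__main__":
    for finding in audit_tls_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    if len(sys.argv) > 1:  # optional live probe: python tls_audit.py example.test
        for name, accepted in probe_deprecated_tls(sys.argv[1]).items():
            print("%s: %s" % (name, "ACCEPTED (finding)" if accepted else "rejected"))
```

Run without arguments to see the five findings the constructed fragment produces (three deprecated protocols, two weak suites); pass a hostname to also probe it live. The offline audit covers the "examine the system configurations" half of the testing procedure; the live probe is the evidence that the configuration is what the listener actually enforces, which is the part a reviewer of a penetration test work plan (AIRES Q 8c above) will look for.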