PCI Requirement 11.2.1

The Payment Card Industry Data Security Standard (PCI DSS) Audit reports provide available documentation and compliance artifacts that help you demonstrate compliance with requirements of the PCI DSS.

The PCI Requirement 11.2.1 report helps you demonstrate that quarterly internal vulnerability scans are performed, that "high-risk" vulnerabilities are rescanned, and that scans are performed by qualified personnel, in compliance with Requirement 11.2.1.

To access the PCI Requirement 11.2.1 report:

  1. In the Alert Logic console, click the menu icon, and then click Validate.
  2. Click Reports, and then click Compliance.
  3. Under PCI DSS Audit, click VIEW.
  4. Click PCI Requirement 11.2.1.

The report summary page displays two columns. Testing Procedures lists each procedure that is required for testing the selected PCI requirement. Available Documentation and Artifacts describes, and contains links to, compliance artifacts that you can use to demonstrate compliance with each testing procedure.

Schedule the report

After you finish setting up the report, you can use CREATE REPORT to run it periodically and subscribe users or an integration (such as a webhook) to receive a notification when the report is generated. To learn how to schedule the report and subscribe notification recipients, see Scheduled Reports and Notifications.

Available Documentation and Artifacts

This report provides you with documentation and artifacts to help you demonstrate that quarterly internal vulnerability scans are performed, vulnerabilities are addressed, "high-risk" vulnerabilities are rescanned until resolved, and scans are performed by qualified personnel.

Testing procedure for PCI 11.2.1.a

This testing procedure requires a review of the scan reports to verify that the four most recent quarters of internal scans occurred in the most recent 12-month period.

This section provides you with a link for quick access to the PCI scanning page in the Alert Logic console to review the latest 25 internal vulnerability scan reports for the most recent 12-month period.

Testing procedure for PCI 11.2.1.b

This testing procedure requires a review of the scan reports to verify that all "high-risk" vulnerabilities are addressed, and have been rescanned to resolution.

This section provides you with a link for quick access to the vulnerability reports in the Reports page in the Alert Logic console to review the summary, distribution, and trends of vulnerabilities discovered and addressed across your environment.

Testing procedure for PCI 11.2.1.c

This testing procedure requires you to verify that the scan was performed by a qualified internal resource or qualified external third party.

This section provides you with a link for quick access to the Deployments page in the Alert Logic console, where you can configure the schedules on which Alert Logic performs scans.