Requirement 11.2 Follies standard
Why is Requirement 11.2 one of the most failed by merchants and service providers alike? Requirement 11.2 has shown up here a few times, but after looking back, I never really explored the issues in detail. Those who have been unfortunate enough to attend one of my sessions where this topic came up know where you can make a mistake. Requirement 11.2 mandates quarterly scans for all hosts in scope for PCI, both internal and external. Scope reduction techniques like segmentation can do wonders for limiting what needs to be scanned, but makes the biggest impact internally. In one of my case studies, I talk about a customer that reduced the number of in-scope systems to less than 1% of ...
Continue Reading