WithPCI Logo
WithPCI.com

11.4.7 Additional requirement for multi-tenant service providers only

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

11.4.7 Additional requirement for multi-tenant service providers only: Multi-tenant service providers support their customers for external penetration testing per Requirement 11.4.3 and 11.4.4.

Defined Approach Testing Procedures

11.4.7 Additional testing procedure for multi-tenant service providers only: Examine evidence to verify that multi-tenant service providers support their customers for external penetration testing per Requirement 11.4.3 and 11.4.4.

Customized Approach Objective

Multi-tenant service providers support their customers' need for technical testing either by providing access or evidence that comparable technical testing has been undertaken.

Applicability Notes

This requirement applies only when the entity being assessed is a multi-tenant service provider.

To meet this requirement, a multi-tenant service provider may either:

  • Provide evidence to its customers to show that penetration testing has been performed according to Requirements 11.4.3 and 11.4.4 on the customers' subscribed infrastructure, or
  • Provide prompt access to each of its customers, so customers can perform their own penetration testing.

Evidence provided to customers can include redacted penetration testing results but needs to include sufficient information to prove that all elements of Requirements 11.4.3 and 11.4.4 have been met on the customer's behalf.

Refer also to Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers.

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Purpose

Entities need to conduct penetration tests in accordance with PCI DSS to simulate attacker behavior and discover vulnerabilities in their environment. In shared and cloud environments, the multi-tenant service provider may be concerned about the activities of a penetration tester affecting other customers' systems.

Multi-tenant service providers cannot forbid penetration testing because this would leave their customers' systems open to exploitation. Therefore, multi-tenant service providers must support customer requests to conduct penetration testing or for penetration testing results.

purpose

Review and respond to IDS/IPS failures.

compliance strategies

  • Monitoring IDS/IPS health
  • Incident response for failures

typical policies

  • IDS/IPS Failure Response Policy

common pitfalls

  • Unmonitored IDS/IPS outages
  • No response plan

type

Process Control

difficulty

Moderate

key risks

  • Gaps in network monitoring

recommendations

  • Automate health checks and alerting

Eligible SAQ

  • SAQ-D SERVICE PROVIDER

Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy