The Payment Card Industry’s Data Security Standard (PCI DSS) requires merchants to regularly scan their networks for vulnerabilities. This requirement is mandatory for any business that stores, processes, or transmits cardholder data, regardless of their merchant level.
Under PCI DSS requirement 11.2, you must conduct a scan at least once per quarter, or every 90 days. In addition, you must also complete a scan any time you make a “significant” change to your environment. A minimum of four passing scans must be completed annually to maintain compliance.
Note that PCI requires both vulnerability scans and penetration testing; vulnerability scans should not be confused with penetration testing. Vulnerability scans are automated, high-level tests that inspect all components of an environment for potential vulnerabilities. Penetration testing goes one step further, simulating a real-world attack in which attempts are made to exploit these vulnerabilities to gain access to the network or systems. 11.3 of the DSS covers the requirements for penetration testing.
What is Considered a “Significant” Change?
Adam Jones, Curbstone’s Director of Infrastructure, notes that “a change is considered ‘significant’ if it could potentially allow access to cardholder data, or if it affects the security of the cardholder data environment in any way”.
The DSS provides four such examples:
- New system component installations
- Changes in network topology
- Firewall rule modifications
- Product upgrades
After a “significant” change, you must scan all system components that were affected by the change.
Note: a “significant change” scan is in addition to and does not replace the requirement for a quarterly scan. Even if you have not made any changes to your system, you’ll still need to complete your quarterly scans as scheduled.
What if it’s Your First PCI Compliance Assessment?
Ryan Nichols, Curbstone’s Solutions Engineer, shares his advice for first-timers:
“If you’re just getting started with PCI compliance, the DSS does not require four quarters of retroactive scans when all the following are true:
- Your most recent scan had a passing result
- You have documented policies for quarterly scans
- You have corrected any high-risk vulnerabilities that were found in your last scan
Please note that all subsequent assessments will require four quarters of passing scans. A PCI QSA (Qualified Security Assessor) can provide additional information about these compliance requirements.”
Who Performs PCI Vulnerability Scans?
You can have your own qualified employees conduct your internal scans, but must use an Approved Scanning Vendor (ASV) for your external scans. If you do not have the resources to conduct your internal scans in-house, you can use an ASV for these as well; however, ASVs do not automatically conduct internal scans as part of an external scan engagement.
The Payment Card Industry maintains a list of ASVs here.
Correcting Vulnerabilities After a PCI Scan
Your PCI scan report will list all the vulnerabilities that were found on your systems. These can be categorized as “low risk”, “medium risk”, or “high risk”.
According to Jones, “If your scans reveal any high-risk vulnerabilities, you’ll need to fix them and re-scan your system to ensure the vulnerabilities have been mitigated as soon as possible. For instance, you may need to install security updates or close ports on your firewall. Once accomplished, you will require another scan that confirms all necessary changes have been made before you can receive a passing result.”
What Happens if You Miss a Scan?
“If you don’t complete all the required scans, you can lose your status as a compliant merchant. Non-compliant merchants are considered ‘legally vulnerable’ if customer card data is accessed during a breach. There may also be consequences, such as costly non-compliance fees, enforced by your acquirer,” noted Nichols.
If You Complete the Required Scans, Are You Automatically Compliant?
“Unfortunately, scans alone are not enough to ensure compliance. You’ll also need to complete an annual PCI Self-Assessment Questionnaire (SAQ), or – if you’re a larger merchant – a third-party compliance audit, Nichols clarifies.
“These requirements help ensure that you’re adequately protecting your customers’ data, but they can be a considerable burden on your business. The more parts of your environment that touch cardholder data, the more questions you’ll have to answer – and the longer your audit will take.”
PCI offers various SAQs for all scenarios where payment cards could be accepted. For example, when you don’t process, store, or transmit cardholder data in your environment, you can remove parts of your environment from PCI scope. This allows you to qualify for a simpler SAQ.
With Curbstone, we make it simple to process credit card payments without touching cardholder data. Our technologies keep cardholder data off your systems and out of your environment, which lets you take most – if not all – of your existing infrastructure out of PCI scope.
You’ll still need to complete the required vulnerability scans and submit the required documentation to your acquirer, but you can considerably reduce the burden and effort required to achieve and maintain compliance.
To learn more, contact us today.
This article is provided for general informational purposes only and does not constitute legal advice. If you have questions about your specific compliance requirements, please consult with your PCI-certified Qualified Security Assessor (QSA).
