Here at Curbstone Corporation we get a lot of questions around PCI compliance and the ongoing requirement for merchants to scan their networks to ensure their compliance is being maintained.
The Payment Card Industry Data Security Standards (PCI DSS) were designed to ensure card transactions are kept secure and that card fraud is kept to an absolute minimum. Compliance is mandatory for ALL merchants in the US if they "PROCESS, STORE, and/or TRANSMIT" sensitive card data. Non-compliant merchants may or may not be aware that they will be legally vulnerable in the event customer card data is accessed during a breach of their IT security.
To become compliant, merchants have to complete Self-Assessment Questionnaires (SAQs, which are audit guides) to determine how secure their card handling processes are, and then, to remedy areas where they fall short. The scope of PCI compliance varies in line with the merchant’s card-handling environment from being relatively quick and simple to long and arduous.
The name of the game is for merchants to remove as much of their own IT infrastructure and process from the scope of PCI. This reduces the compliance burden and the scope of audit reporting.
Our customers run their businesses on the IBM server platform IBM Power Systems on IBM i (previosuly AS/400 or iSeries), and we assist them with technology to help achieve and maintain compliance. One question often asked is how often they have to have their IT systems scanned and assessed to ensure they are still compliant.
Regrettably, most merchants (companies who accept card payments) confuse the PCI "scan" requirements with actual compliance. While the scans are dictated to be run at least quarterly, they are the smallest component of compliance.
So, how often?
Tons of misinformation exist with answers ranging from ‘you have to do it whenever your IT environment changes with the addition of new hardware or software’ and ‘it varies according to what level merchant you are’ to ‘a couple of times a year’.
Our Chief Technical Officer Ira Chandler has come across them all in his time and says there is only one correct answer which is that the process has to be undergone every 90 days no matter what level merchant you are. The <link>Visa Merchant Level</link> table says as much and that the scan has to be conducted by an Authorised scanning vendor (ASV). https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
This requirement applies not just to our clients but to all merchants and Mr Chandler says merchants can get the contact details of approved scanning vendors in their region from the <link>PCI Security Standards Council website</link>. https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
In a final note of caution, he says merchants have to bear in mind that a scan, in itself, does not equal compliance. Compliance means remedying shortfalls detected by the scan and it’s also worth remembering that such scans only ensure the server is secure from the outside but not whether it’s also secure from intrusion within the local network.
Curbstone Corporation’s secure technology processes about $2.4 Billion per year for merchants on the IBM i (AS/400, iSeries) platform, for phone orders, e-commerce, and retail.