Do you own a business that stores, processes, or transmits sensitive data such as credit card information online? If so, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a set of 12 core requirements for protecting cardholder data.
The PCI Security Standards Council (PCI SSC) maintains the PCI DSS. The council was founded by the major card brands: American Express, Discover, JCB International, MasterCard, and Visa.
Regardless of size or transaction volume, every merchant that accepts payment cards must maintain PCI compliance to reduce the risk of security breaches, cardholder data theft, and identity fraud. PCI compliance is also critical to establishing consumer trust.
PCI compliance is often difficult for businesses. The standard is highly technical, and a company may struggle to judge how its website and public-facing web applications measure up to its requirements.
Below, we take an in-depth look at assessing your PCI compliance by using data security scanning, identifying vulnerabilities, and addressing failed scans.
What is a PCI Scan?
A PCI vulnerability scan is an automated test that identifies security weaknesses in a company's IT infrastructure and systems that an attacker could exploit. PCI DSS requires merchants to have their Internet-facing systems scanned at least quarterly by an Approved Scanning Vendor (ASV), and your acquiring bank may ask for evidence of those scans. The scan covers the in-scope hosts you expose to the Internet, including website subdomains, plugins, applications, and any payment components you host yourself (a third-party payment processor validates its own compliance). Note that a scan identifies threats; removing them is your remediation work.
Scanning vendors carry out three types of PCI scan: external vulnerability scans, internal vulnerability scans, and application scans.
An external PCI scan covers every public-facing IP address or range on your network. An internal scan focuses on hosts inside the company's cardholder data environment. Like external scans, internal scans must run at least quarterly (every 90 days) and after significant changes such as:
- New system component installations
- Network topology changes
- Changes to firewall rules
- Product upgrades
Application scans are necessary if your business has public-facing web applications.
How to Perform a Vulnerability Scan
Before performing an ASV scan, you must engage an ASV. The PCI SSC qualifies security vendors as ASVs to perform the external vulnerability scans called for by PCI DSS Requirement 11.2 (Requirement 11.3 in PCI DSS v4.0). Internal scans do not have to be run by an ASV; qualified internal staff or another third party may perform them, as long as the scanner is independent of the systems it scans.
Fortra VM, a proprietary cloud-based SaaS security platform, is designed to support PCI compliance. The platform includes:
- Web Application Scanning (WAS)
- Active Threat Sweep (ATS)
- Fortra Vulnerability Management (Fortra VM)
Fortra VM simplifies vulnerability management and incorporates current scan compliance technology. With the platform, you can also display a Payment Credential CVC site seal, showing visitors that your business is validated to accept online card payments.
To perform PCI scans with Fortra VM, complete the following steps:
- Open a Fortra VM account by contacting Client Support. If you want to scan external IP addresses, enter them when you configure your external scanner profile. Client Support will verify that you own those external IPs using a reverse DNS lookup.
- Install and activate your Reconnaissance Network Appliance (RNA). If you have any problems with this step, contact Client Support.
- Schedule a scan by selecting New > Scan on the Fortra VM site header.
- When the scan completes, select Scan, then Scan Activity to view the scan details.
- From the scan results page, you can generate PCI compliance reports. You can build various report templates from this page, including an asset inventory, executive summaries, and high-severity vulnerabilities. Each template displays unique information to offer insight into your PCI compliance.
Guide to PCI Scanning Success
The objective of PCI scanning is to demonstrate compliance with the PCI SSC requirements. Your company needs to meet each requirement to reduce exploitable vulnerabilities and protect both the business and its customers' information.
PCI DSS requires the following 12 things of your organization:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components, so that every person with access to cardholder data has a unique ID
- Restrict physical access to cardholder data, including names and account details
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes, including vulnerability scans at least every 90 days and an annual penetration test
- Maintain a policy that addresses information security for all personnel and service providers
To get a passing scan, your company must meet several prerequisites. Most significantly, you have to compile a complete inventory of all web applications and public- and internal-facing components that store, process, or transmit cardholder data (or are connected to systems that do) in order to define the scan scope. Your company is responsible for scoping, even when an ASV conducts the scan.
After you define the scope, the ASV runs a discovery process to verify it. If discovery turns up hosts or domains that are not in the scope you provided, the ASV must resolve the discrepancy with you, either by expanding the scope or by recording your justification for the exclusion, before the scan can be reported as complete.
Addressing a Failed Scan
If your company passes its PCI scan, you submit the passing scan report to your acquirer or the relevant payment brand, as they direct. If you don't know how or to whom to submit the report, contact your acquirer or the participating payment brand and ask for the report recipient's name and contact details.
A business can also fail the ASV scan. If you fail, you can dispute the results on grounds such as false positives, an inconclusive scan, or interference that prevented the scan from completing (for example, an intrusion prevention system blocking the scanner's traffic; the ASV Program Guide requires you to configure such systems so they do not interfere with the scan).
Each ASV has a procedure for submitting scan disputes. A dispute is between your business and the ASV; the PCI SSC does not adjudicate disputes. The scanning vendor should provide you with a written dispute procedure and answer any questions you have about the scan results.
In most cases, a scan fails because of one or more vulnerabilities: under the ASV Program Guide, any finding with a CVSS base score of 4.0 or higher fails the scan, and certain categories fail regardless of score. You must remediate those issues, and the ASV will rescan until your business gets a passing scan. The final scan report must document the disputed findings and any exceptions (such as evidenced false positives) the ASV accepted.
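To make the pass/fail rule concrete, here is an added example (not code from Digital Defense, Fortra, or the PCI SSC) that scores a set of findings the way an ASV report does and builds the remediation list. The findings and the accepted-dispute set are constructed. The CVSS 4.0 threshold is the ASV Program Guide's rule; the automatic-failure categories in the code are a deliberately partial list for illustration, so check the current guide for the full set.

```python
"""Evaluate ASV scan findings against the pass/fail rule and list what to fix.

Added example. Findings and accepted false positives are constructed.
"""
from dataclasses import dataclass

FAIL_THRESHOLD = 4.0  # ASV Program Guide: CVSS base score >= 4.0 is a failing finding

# Categories that fail at any score. Partial list (assumption: confirm against the guide).
AUTOMATIC_FAIL = {"sql_injection", "cross_site_scripting"}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    title: str
    cvss: float
    category: str = "generic"


# Constructed findings from a hypothetical external scan of three in-scope hosts.
FINDINGS = [
    Finding("203.0.113.5", "10001", "TLS 1.0 enabled on HTTPS service", 5.3),
    Finding("203.0.113.5", "10002", "Reflected XSS in search parameter", 6.1, "cross_site_scripting"),
    Finding("203.0.113.6", "10003", "Server banner discloses version", 2.6),
    # Scored below 4.0 on purpose to show the automatic-failure rule overriding CVSS.
    Finding("203.0.113.6", "10004", "Blind SQL injection in /checkout", 3.9, "sql_injection"),
    Finding("198.51.100.20", "10005", "SSH weak MAC algorithms", 4.3),
]

# Disputes the ASV reviewed and accepted as false positives, keyed by (host, plugin_id).
# Constructed: in practice the ASV records the evidence in the report.
ACCEPTED_FALSE_POSITIVES = {("198.51.100.20", "10005")}


def is_failing(finding: Finding) -> bool:
    """Automatic-failure categories fail at any score; everything else at CVSS >= 4.0."""
    return finding.category in AUTOMATIC_FAIL or finding.cvss >= FAIL_THRESHOLD


def evaluate(findings, accepted_fp):
    """Return (overall status, per-host status, ordered remediation list)."""
    per_host = {}
    remediate = []
    for f in findings:
        per_host.setdefault(f.host, "pass")
        if (f.host, f.plugin_id) in accepted_fp:
            continue  # accepted false positive: noted in the report, not scored
        if is_failing(f):
            per_host[f.host] = "fail"
            remediate.append(f)
    # Automatic failures first, then highest CVSS first.
    remediate.sort(key=lambda f: (f.category not in AUTOMATIC_FAIL, -f.cvss))
    overall = "pass" if all(s == "pass" for s in per_host.values()) else "fail"
    return overall, per_host, remediate


if __name__ == "__main__":
    overall, per_host, remediate = evaluate(FINDINGS, ACCEPTED_FALSE_POSITIVES)
    print(f"overall: {overall}")
    for host, status in per_host.items():
        print(f"  {host}: {status}")
    for f in remediate:
        print(f"  fix {f.host} {f.plugin_id} (CVSS {f.cvss}): {f.title}")
```

Note that a single failing component fails the whole scan, and that the accepted false positive on 198.51.100.20 is what lets that host pass: the dispute has to be raised with the ASV and accepted before the rescan, not just argued after the fact.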
Attesting to Scans
Two attestations matter here. Each ASV scan report opens with an Attestation of Scan Compliance, which states whether the components in scope met the scanning requirements and passed the scan. Separately, the Attestation of Compliance (AOC) is the document in which your business declares its overall PCI DSS compliance status; it accompanies your annual Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).
The scan attestation includes a general-information section with your business name, contact name and details, physical address, and website address, together with the name and contact details of the ASV that performed the scan.
Once a year, you send your AOC (with the SAQ or ROC) to your acquirer to validate compliance; the quarterly ASV scan reports are submitted as your acquirer directs.
Establish Your Own Best Practices
After passing PCI scans, an organization may stop maintaining its compliance. Instead of relying solely on an external security service, your company should develop its own practices for managing payment security and remediating vulnerabilities, and assign a team that works continuously to maintain PCI compliance.
Your team must maintain a central database containing all compliance documentation, including Attestations of Compliance, reports, and executive summaries. Team members should also gather data and develop processes your company can follow to identify and eliminate security vulnerabilities.
People Also Ask:
How Long Does a PCI Scan Take?
Generally speaking, one scan takes between one and four hours, depending on how responsive your servers are and how many hosts are in scope. If a scan runs longer than a workday, we recommend contacting our client support service.
What Happens if I am Not PCI Compliant?
If your organization is not PCI compliant, it can result in several negative consequences. Most significantly, not complying with PCI standards leaves your business susceptible to data breaches, penalties, and termination of the agreement between your company and its bank.
Exposure of sensitive data can also lead to legal action, and you may have to compensate customers who suffered losses or became victims of identity theft. Regulators such as the Federal Trade Commission have also brought enforcement actions over inadequate payment-card data security, and the resulting settlements can require years of mandated independent security assessments.
Ultimately, a loss of trust in your payment security can damage your brand reputation. Companies have closed their doors after breaches in the past, even after taking steps to comply with PCI standards.
About Digital Defense
Our SaaS platform supports Fortra Vulnerability Management, Web Application Scanning, and Active Threat Sweep that together provide:
- Asset discovery and tracking
- OS and web application risk assessment
- Targeted malware threat assessment
- Machine learning features that leverage threat intelligence
- Agentless & agent-based scanning
- Penetration testing for networks, mobile applications, and web applications
- Compliance management (Digital Defense is one of the world's longest-tenured PCI Approved Scanning Vendors)
Our SaaS platform virtually eliminates the false positives associated with legacy vulnerability management solutions, while also automating the tracking of dynamic and transient assets and prioritizing results based on business criticality.
About the Author
Mieng Lim, Vice President, Product Management, has served as a security expert for Digital Defense, Inc. since 2001. Mieng takes a consultative approach to security, having held prior roles in Operations, Quality Assurance, and Sales Engineering. Mieng blends technical expertise with real-world scenarios to provide an entertaining and educational cyber security perspective. Mieng serves as a mentor and STEM advocate encouraging young women to pursue careers in security and technology, and volunteers with BSides San Antonio as a staff member. Mieng holds a Bachelor's Degree in Computer Science with a Minor in Sociology from Trinity University.
Featured Resources
Avoid Unwanted Compliance Surprises
Penalties under financial technology compliance regimes such as PCI DSS, Gramm-Leach-Bliley, and PSD2 can be costly. Download the "Avoiding Compliance Surprises - Financial Technology" guide for proactive steps to secure sensitive data and avoid costly compliance surprises.