PCI DSS Scanning
Requirement 11.2 of the Payment Card Industry Data Security Standard (PCI DSS) describes the need to run internal and external network vulnerability scans at least quarterly and after any significant change in the network.
Vulnerability scanning for PCI DSS v3.2 compliance
Conducting vulnerability scans helps identify vulnerabilities and misconfigurations of websites, applications, and IT infrastructures with Internet-facing IP addresses.
Scan results provide valuable information that supports efficient patch management and other security measures that improve protection of the cardholder data environment (CDE) against attacks.
The difference between internal and external scanning requirements
Requirement 11.2 of the PCI DSS covers scanning. It states that you need to “Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.” Scans need to be run by qualified internal or external parties.
Penetration test scoping guidance
The testing procedures must verify that four quarterly internal scans took place in the past 12 months and that rescans occurred until all “high-risk” vulnerabilities as defined by Requirement 6.1 were resolved.
External scans must be performed at least quarterly. The external scan must be conducted by an approved scanning vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).
How can scanning help secure my defences?
Firewalls have to leave certain ports open for the operation of web, mail, FTP and other Internet-based services – leaving you vulnerable to exploitation. Vulnerability scans – when correctly configured – can help identify these weaknesses and recommend how to fix them.
At a high level, scanning tools run a series of if-then scenarios that are designed to identify system settings or actions that could lead to vulnerabilities. A completed scan will provide a logged summary of alerts for you to act on. Unlike penetration testing, a vulnerability scan does not exploit vulnerabilities in your network.
To pass a PCI DSS ASV attestation, all items listed as critical, high or medium (or with a CVSS score of 4.0 or higher) and certain findings that are considered “automatic failure” must either be remediated or disputed by the customer.
External scans must be performed by an ASV
Powered by Comodo, our HackerGuardian scanning service performs highly accurate scanning of your externally facing systems as required by the PCI DSS. It runs more than 60,000 tests on your organisation’s servers and network and provides clear advice on how to fix any security vulnerabilities. After every scan you’ll receive a detailed audit report summarising any identified security holes. Alongside each discovered threat you’ll find remediation advice cross-referenced to help make sure you can fix the problem. After a successful scan, users can download an official PCI DSS compliance report that can be submitted to their acquirer.
Our ASV scanning solution
What can you expect from our PCI DSS penetration test?
Our HackerGuardian scanning service is a vulnerability assessment scanning solution designed to identify website vulnerabilities and, where relevant, to achieve and maintain PCI DSS compliance. Website and network administrators have complete control over their scanning service and use a secure online console to schedule and run up to ten scans per quarter over a maximum of five externally facing IP addresses. These could be IP addresses that connect to the credit card acceptance, transmission and storage process (additional IP packs are also available) or are on key websites.
PCI DSS scanning enables merchants to validate PCI DSS compliance quarterly on up to five servers using the full complement of HackerGuardian plugins (more than 30,000 individual vulnerability tests with more added daily). The HackerGuardian Additional IP Addresses pack allows HackerGuardian to grow with your external and internal PCI DSS scanning needs.
What will my service cover?
- The PCI DSS Scan Control Centre is an on-demand vulnerability assessment scanning solution to enable merchants and service providers to achieve PCI DSS scan compliance.
- After each scan, users receive a comprehensive vulnerability report detailing any security issues with remediation advice and advisories to help fix them.
- Following a successful scan (no vulnerabilities rated higher than a CVSS base score of 4.0), merchants receive an official PCI DSS compliance report that can be sent to an acquiring bank.
- The Standard version enables merchants to run ten PCI DSS scans per quarter on up to five IP addresses using the full complement of more than 30,000 individual vulnerability tests. The Enterprise version is a more powerful and flexible service that provides for up to 100 scans per quarter on 20 IP addresses.
Get in contact
We have a team of account managers and security consultants to discuss your PCI DSS challenges. For more information, please contact us.
Speak to an expert
Please contact us for further information or to speak to an expert.