How Often Do I Need A Vulnerability Scan to Meet PCI Compliance Standards?
Are you a business or payment gateway processor that accepts, stores, transmits or processes credit cards? Then you are bound by PCI DSS (the Payment Card Industry Data Security Standard). This set of requirements helps organizations prevent payment data breaches, payment card fraud, identity theft and customer data theft. One of the important requirements of PCI compliance is vulnerability scanning.
What should the frequency of application vulnerability scans be? Is PCI compliance enough for proactive security? Read on to find out.
Introduction to PCI DSS
PCI DSS is a set of security standards maintained by the Payment Card Industry Security Standards Council (PCI SSC). It applies to ALL organizations that accept, process, store or transmit cardholder data. Regardless of size or of the number or nature of transactions, organizations are required to maintain a secure environment for card transactions as per PCI DSS. So it applies to payment gateways, third-party processors, merchants and service providers. The standard also covers debit cards and prepaid cards carrying the logo of one of the five founding payment brands.
The standard has 12 major requirements. Under Requirement 11 (regularly test security systems and processes), organizations must perform vulnerability scanning and penetration testing.
Is PCI Compliance Important?
53% of breaches involving customer payment information infiltrated the environment without being detected. 91% of these breaches did not even generate an alert; only 9% of attacks did. Most security teams lack much-needed visibility into these serious threats. Note that although the PCI SSC administers and manages the standard, it does not enforce compliance; enforcement is the responsibility of the payment brands and acquirers. This is probably why only 27.9% of organizations were fully PCI compliant as of 2020. The figure has declined steadily since 2016, when the share of fully compliant organizations was 27.5 percentage points higher.
Non-compliance comes at a massive cost. Fines levied by the card brands on acquiring banks, and passed on to the non-compliant merchant or payment processor, can range from $5,000 to $100,000. Beyond the fines, the PCI DSS requirements are security best practices that keep the organization protected from cyberattacks, so non-compliance leaves your business susceptible to a range of sophisticated data breaches and attacks. If you suffer such an attack, you face both the financial drain of the breach and hefty non-compliance penalties. Weak PCI security also causes significant brand damage and casts a shadow on business continuity itself.
Vulnerability Scanning Requirement for PCI Compliance Standards
PCI scans are run with an automated vulnerability scanner to check the merchant's, service provider's, payment gateway's or third-party payment processor's systems and IT infrastructure for vulnerabilities. The scanner tests networks, web applications, operating systems, services, devices and so on to identify gaps and loopholes an attacker could leverage to infiltrate the systems and gain access to cardholder data.
PCI compliance mandates two independent kinds of vulnerability scanning: internal and external. Both generate an extensive report of the vulnerabilities found, with references for further research and recommendations for remediation. External scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV); internal scans may be run by qualified internal staff or outsourced to a third party.
External scanning is performed by the ASV from outside your network to determine whether your perimeter is safe and secure for customers. Every public-facing IP address or range, including the network firewalls, is in scope for the external scan. A seasoned ASV like Indusface employs a zero-intrusion, intelligent vulnerability scanner to remotely review the network for security weaknesses.
Passing-scan documentation must be submitted to your acquirer. A single finding can fail the external scan: under the PCI SSC ASV Program Guide, any vulnerability with a CVSS base score of 4.0 or higher results in a non-compliant scan, and certain issues fail the scan regardless of score. You then have to fix the issue, and the ASV rescans until you obtain a passing scan. If you believe a finding is wrong, you can dispute it with the ASV on certain grounds, for example a false positive or a documented compensating control.
Internal scanning may be self-performed or outsourced. It seeks to detect vulnerabilities in the internal hosts of the cardholder data environment and is performed from inside the network, behind the business firewalls and other perimeter security devices. Organizations may use an intelligent vulnerability scanner that covers both the network and web application layers for internal scanning.
How often to conduct Vulnerability Scanning for PCI Compliance?
PCI DSS requires organizations to run internal and external scans at least quarterly, that is, at least every 90 days, and for external scans the acquirer expects four consecutive passing quarterly scans over the last 12 months. In addition to the quarterly scans, you must scan after any significant change in the business or IT environment (for example, a new system component, a change in network topology, a firewall rule change or a product upgrade). The scan reports form part of the compliance documentation that is submitted to the acquirer on the timetable it gives the organization.
If you have multiple business locations under the same tax ID, you must submit the ASV's quarterly scan reports for each location.
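The pass/fail rule, the rescan-until-pass loop with disputed findings, and the 90-day cadence with post-change scans described above are easy to get wrong when tracked by hand, so here is a small checker as an added example. This is not Indusface's code or any scanner's output format. Assumptions, labelled in the comments as well: the "CVSS base score of 4.0 or higher fails" threshold comes from the PCI SSC ASV Program Guide; the 90-day window follows this article's reading of "quarterly"; the `disputed` flag models a finding the ASV has accepted as a false positive or as covered by a compensating control; all scan records, hosts, dates and finding titles are constructed sample data.

```python
"""PCI scan pass/fail and cadence checker (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date

FAIL_CVSS = 4.0      # assumption from the ASV Program Guide: CVSS >= 4.0 fails the scan
MAX_GAP_DAYS = 90    # the article's cadence: a passing scan at least every 90 days


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    disputed: bool = False   # assumption: the ASV accepted a dispute (false positive etc.)


@dataclass
class Scan:
    scan_date: date
    kind: str                # "external" (run by the ASV) or "internal"
    findings: list[Finding] = field(default_factory=list)


def failing_findings(scan: Scan) -> list[Finding]:
    """Findings that make the scan non-compliant: undisputed and CVSS >= 4.0."""
    return [f for f in scan.findings if not f.disputed and f.cvss >= FAIL_CVSS]


def scan_passes(scan: Scan) -> bool:
    return not failing_findings(scan)


def passing_dates(scans, kind):
    return sorted(s.scan_date for s in scans if s.kind == kind and scan_passes(s))


def cadence_gaps(scans, kind, as_of):
    """Intervals longer than MAX_GAP_DAYS between consecutive passing scans of
    `kind`, plus the open interval from the last passing scan to `as_of`.
    Each gap is (previous_pass, next_pass_or_as_of, days). Note that a failed
    scan does not count: only the later passing rescan closes the interval."""
    passed = passing_dates(scans, kind)
    if not passed:
        return [(None, as_of, None)]          # never had a passing scan of this kind
    gaps, prev = [], passed[0]
    for d in passed[1:] + [as_of]:
        days = (d - prev).days
        if days > MAX_GAP_DAYS:
            gaps.append((prev, d, days))
        prev = d
    return gaps


def changes_without_rescan(change_dates, scans, kind):
    """Significant changes (new component, topology change, firewall rule change,
    upgrade) that were not followed by a passing scan of `kind`."""
    passed = passing_dates(scans, kind)
    return [c for c in change_dates if not any(p >= c for p in passed)]


# Constructed sample data (not real scan output). Hosts use documentation ranges.
SCANS = [
    Scan(date(2023, 1, 10), "external", [Finding("203.0.113.10", "Server banner disclosure", 2.6)]),
    Scan(date(2023, 2, 1), "internal", [Finding("10.0.5.21", "SMBv1 enabled", 8.1)]),
    Scan(date(2023, 4, 5), "external", [
        Finding("203.0.113.10", "Outdated OpenSSH", 7.5),
        Finding("203.0.113.12", "Apache version flagged vulnerable", 5.0),
    ]),
    # Rescan after remediation: OpenSSH patched; the Apache finding was disputed as
    # a false positive (distribution backport) and accepted by the ASV.
    Scan(date(2023, 4, 20), "external", [
        Finding("203.0.113.12", "Apache version flagged vulnerable", 5.0, disputed=True),
    ]),
    Scan(date(2023, 7, 15), "external", []),
]
CHANGES = [date(2023, 3, 1), date(2023, 11, 1)]   # e.g. new edge firewall, new payment host


def compliance_report(scans=SCANS, changes=CHANGES, as_of=date(2023, 12, 1)):
    return {
        "external_gaps": cadence_gaps(scans, "external", as_of),
        "internal_gaps": cadence_gaps(scans, "internal", as_of),
        "changes_without_rescan": changes_without_rescan(changes, scans, "external"),
        "failed_scans": [s.scan_date for s in scans if not scan_passes(s)],
    }


if __name__ == "__main__":
    for key, value in compliance_report().items():
        print(f"{key}: {value}")
```

Two things the sample data is built to show: the failed 5 April external scan means the passing interval runs from 10 January to the 20 April rescan, 100 days, so a two-week remediation turnaround is enough to break a 90-day cadence; and the internal scan that found SMBv1 never passed, so the report shows no passing internal scan at all rather than a gap. Both are the cases an acquirer will ask about.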
Conclusion: Security Beyond Compliance
PCI scanning requirements are the bare minimum an organization must do to protect cardholder data. With the threat landscape changing as fast as it is, continuous (ideally daily) vulnerability scanning and scanning after every significant change are critical for all organizations to stay ahead of attackers. Beyond detection, organizations must manage the identified vulnerabilities through to remediation and proactively fortify security beyond the confines of PCI DSS or other compliance standards.