The Payment Card Industry Data Security Standard (PCI DSS) requires merchants that handle credit card holder data to perform regular vulnerability scans so that security flaws are identified and addressed. Merchants often ask, “When do you need to run a PCI scan?” The answer to this question is quite simple.
What are the Requirements of the PCI DSS for Vulnerability Scans?
To know when a PCI scan is required, we first need to know the PCI DSS requirements. The PCI DSS requires merchants to run both internal and external vulnerability scans to keep the cardholder data environment up to current security standards.
External Scans: External scans are conducted from outside the organization and must include all external IP addresses. These scans reveal vulnerabilities in your externally facing systems that attackers could exploit to reach sensitive cardholder data.
Internal Scans: Internal scans must be performed from inside the organization’s network, from multiple locations, to assess security within the cardholder data environment.
These scans point out flaws in your internal security that an attacker could exploit once they have gained a foothold on the network.
When is a PCI Scan required?
A PCI scan must be performed at least quarterly. To make the system extra secure, the quarterly scans should be supplemented with scans in between quarters; in addition, a scan is necessary whenever any changes are made to the cardholder data system.
Can I Perform the Scans?
The answer to this question is both yes and no. You may be able to perform the internal scans yourself to meet the internal scan requirement, but the PCI DSS requires you to use an Approved Scanning Vendor (ASV) for external scans. If you do the internal scans on your own, make sure they are performed by qualified staff members who are independent from the staff responsible for your security systems.
Every merchant, regardless of merchant level, that has an external IP address must go through vulnerability scans as described above. This has caused some confusion in the security community, and many people believe that level 4 merchants (those processing fewer than 1,000,000 annual transactions) do not need such scans. This is not true, as set out in MasterCard’s Site Data Protection program requirements and Visa’s Cardholder Information Security Program requirements.
What do PCI DSS Vulnerability Scans Include?
Scans conducted by an Approved Scanning Vendor (ASV) must have the following characteristics:
They should be non-disruptive and must not include Denial of Service (DoS) or buffer overflow tests that might disrupt the merchant’s business.
A host discovery element must be included in the scan to identify live systems on the network.
A service discovery element must be present in the scan, including both TCP and UDP port scans on every live system.
Scans should account for IDS/IPS systems and load balancers and give an accurate view of the customer’s security environment even when these devices are present.