All companies that take or otherwise involve payments via credit card expose themselves and their stakeholders to various threats of cybercrime. Cardholder information is some of the most sensitive and valuable data a hacker can get his or her hands on. It enables direct theft of the cardholder’s assets, as well as various other potential fraud or extortion schemes.
The worst part? These schemes can target your clientele and your company itself.
That’s why the Payment Card Industry (PCI) in charge of managing credit cards has established a Security Standards Council (SSC) that helps keep you and all cardholders safe. Conducting regular vulnerability scans, you can identity and eliminate cyberthreats of all kinds.
Let’s discuss.
What Does a PCI Vulnerability Scan Look For?
Any and all gaps in your cyberdefense that a savvy hacker could exploit.
A thorough vulnerability scan is one of the best ways to identify ports of entry into your systems. These may be related to poor planning or execution on behalf of your company, or they may be the result of matters outside your control. In either case, the only way to resolve them is to know what they are. A vulnerability test provides you with detailed documentation of what’s wrong.
But that’s not all. A thorough vulnerability test will also identify not just current weaknesses you need to worry about in the short term, but also potential issues that may manifest over time.
In short: a vulnerability test is an analysis of all the cybersecurity threats your company faces. In the following sections, we’ll go over what types of threats different kinds of vulnerability tests uncover, as well as how these relate to PCI’s guidelines for cybersafety.
But first, let’s settle the question you’re probably asking:
Assess your PCI compliance
Do You Need a PCI Network Vulnerability Scan?
Yes. If you want (need) to comply with PCI, the answer is yes.
A PCI vulnerability scan doesn’t just assess the risks your company is facing in a vacuum. It assesses them in the specific context of credit cards and the particular exploitations most common to companies that process them.
In fact there are specific levels of danger that your company faces depending on the volume of transactions it processes. The levels determine how necessary testing is, as well as who needs to verify the validity of the tests.
The four levels break down like this:
- Level 1 – Companies in the highest tier process over six million transactions annually, across all channels, including both physical locations and e-commerce sites.
- Level 2 – The second-highest level is for companies processing one million to 5,999,999 transactions annually across all channels.
- Level 3 – The second-lowest level includes all companies that process between 20,000 and one million transactions annually, across all channels.
- Level 4 – Companies that process fewer than 20,000 transactions annually, across all channels, fall into the lowest level.
Companies at the three lowest levels must self-assess vulnerabilities annually and undergo scans from an approved scanning vendor (ASV) 0 quarterly. However, companies at level one must submit to on-site assessments by PCI instead of self-assessments.
So, yes: you need to conduct vulnerability scans.
Let’s get into what exactly they entail.
Download Our PCI DSS Checklist
Types of Vulnerability Scans
PCI vulnerability testing is not a monolith. There are several distinguishing factors that differentiate various different kinds of tests you can conduct.
On the one hand, as noted just above, there are vulnerability scans you can perform yourself, as well as scans that can be conducted by an impartial third party. While there are major differences between these two, they have more to do with compliance requirements than with the actual test itself.
On the other hand when it comes to vulnerability testing there are two main varieties to consider: whether you are self-assessing or bringing in professional help:
- External vulnerability scan
- Internal vulnerability scan
Each of these types reveals unique threats from outside of or within your company, respectively.
Self-assessment isn’t different from having an ASV test you, in terms of what can be found. We’ll cover the major benefits and specifications of ASVs below. But first, let’s go over the different kinds of tests that can be performed, along with what they’re designed to find.
External Vulnerability Scan
As the name suggests, an external vulnerability scan measures threats from the outside.
Specifically, external vulnerability scans are designed to locate and identify any and all issues with your firewall and other external cybersecurity measures. This can include even the most (seemingly) minute or remote issues. The bigger the company, the more potential loopholes.
What kinds of threats might an external scan uncover? Some include:
- Exploitable holes in firewalls
- Unidentified or unmonitored IP access
- Patterns of time-sensitive lapses in security
- Deprecated cryptographic protocols (older TLS, SSL)
- Malicious data collection from unsecured transfer protocols
No matter how external or distant these threats may seem, they can all lead to serious complications. Any of these vulnerabilities could give a malicious actor access to your internal networks and systems.
Which brings us to…
Internal Vulnerability Scan
Internal vulnerability scanning takes an entirely different approach.
Rather than analyzing all the potential ways that a hacker can infiltrate your systems, internal scanning focuses on the threats already posed from within. In practice, internal vulnerability scanning does provide insights on what someone might do once inside.
But it’s also focused on preventing attacks that originate from within.
That means that internal vulnerability scans are an ideal way to safeguard against attacks from individuals like:
- Disgruntled current or former employees of your organization
- Clientele whose user accounts offer too much access
Internal scans are the key to identifying neglected software updates and other vulnerabilities that anyone with insider access would be privy to. Shoring up these defenses is the best way to insulate yourself from the most insidious threats.
Keeping up with patches and updates is also a key component of PCI compliance, which is another main element of why PCI vulnerability testing is so important.
PCI Vulnerability Scan Requirements
Ultimately, a PCI vulnerability scan is a test of your PCI compliance. What it’s looking for is whether or not you follow the requirements of the PCI.
Specifically, it’s a test of the extent to which your company complies with the PCI Digital Security Standards (PCI DSS). The PCI DSS, first published in 2004, is now in version 3.2.1, published in May of 2018. A new edition, version 4.0, is expected to be published later on in 2020.
What does the DSS cover? Nearly everything.
The DSS is a comprehensive guide that, if followed completely, will ensure the safety of cardholder’s data—and your company, by extension.
The Master List: PCI DSS Requirements
While the requirements of the PCI DSS have changed over time, their core focus and priorities have remained the same. Collectively, they offer a diverse range of protections for various facets of your business that involve cardholder information directly or indirectly.
The requirements, twelve in total, are distributed relatively evenly across six main categories:
- Build and maintain a secure network and systems – These foundational requirements set the stage for cybersecurity by insulating your systems from outside threats:
- Requirement 1: Install and actively maintain firewall protections in order to safeguard all cardholder data from external access
- Requirement 2: Immediately disable all vendor-supplied default passwords or other system defaults; disallow their use under any circumstances
- Protect cardholder data – These requirements involve the safeguarding of cardholder data both in internal storage and in transmission to and from external systems:
- Requirement 3: Protect all stored cardholder data through truncation, encryption, and various other methods
- Requirement 4: Also guarantee safety of all data transmitted across public networks with encryption, preventing interception
- Maintain a vulnerability management program – The most intimately tied to vulnerability scanning, these requirements entail leveraging third-party software to keep you safe while also keeping that software secure and up-to-date:
- Requirement 5: Safeguard all systems against malware, including regular updates to all antivirus software
- Requirement 6: Ensure safety of systems and applications through immediate integration of all security patches and updates
- Implement strong access control measures – Building on the first two requirements, this batch involves detailed specifications for authenticating and controlling access to your networks and systems:
- Requirement 7: Thoroughly restrict access to cardholder data, limiting access on the basis of business need to know
- Requirement 8: Implement rigorous identification and authentication practices for access to all systems and assets
- Requirement 9: Actively monitor and restrict all physical points of and paths to access of cardholder data
- Regularly monitor and test networks – Also directly related to the process of vulnerability testing, these requirements involve detailed data collection and analysis of all activity involving sensitive data:
- Requirement 10: Diligently monitor and track all access to network resources and cardholder data; maintain and secure all system logs
- Requirement 11: Regularly test all security processes and systems
- Maintain an information security policy – Finally, the last category acts as an umbrella, encompassing all other requirements and unifying them in an explicit policy:
- Requirement 12: Actively maintain information security policy, disseminating it to all personnel and stakeholders with regular training and support
When a vulnerability test is conducted, any and all vulnerabilities found will belie faults in your system relative to the requirements above. A thorough test will not only be able to identify a threat, but pin-point it to the specific requirement it relates to. Thus, you’ll immediately know what needs to be done to patch up the gap in your cyberdefense.
But for that to happen, you’ll need the help of an…
Approved Scanning Vendor: Your Guide to Compliance
Above, we noted that you can conduct vulnerability scans yourself, but you’re also required to have these tests conducted on your business by an ASV, an approved scanning vendor. What makes an ASV so special, and how are their tests different?
Simply put, an ASV has been accredited by the PCI SSC by proving that they will uphold a set of principles and best practices, including but not limited to:
- Determining propriety and which components should be included in the scan
- Scanning every appropriate IP address, domain, component, etc.
- Assessing and documenting PCI compliance, based on the requirements listed above
- Retaining all relevant scan data for three years, as required by the PCI SSC
- Not impacting the normal operation of the scan customer environment
This last point is one of the most important.
It’s also one of the biggest differences between vulnerability scanning and another, similar tool for analyzing your cyberdefense: penetration testing.
Vulnerability Scans Vs. Penetration Tests
A common misconception is that a vulnerability scan is the same thing as a pen test. And, while these two types of cybersecurity analysis are similar, they bear some important differences in terms of goals and methods.
Pen testing is a form of ethical hacking that actually opens your business up to simulated risks.
Like vulnerability scans, pen tests also incorporate both internal and external elements. And they ven map onto the differences between internal and external vulnerability scans:
- External pen testing attempts to break into your systems, exposing weak points
- Internal pen testing measures what a hacker can do once inside
The biggest difference? Theory vs. practice.
A vulnerability scan merely identifies the weak points in your system. Any paths, chains of events that might occur, are assumed. A pen test actually exploits these weaknesses, showing you how a hacker would attack you in real time.
RSI Security is a one-stop shop for PCI compliance, pen testing, and all cybersecurity.
Minimize Vulnerability, Maximize Cyberdefense
…with RSI Security!
Here at RSI Security, it’s our mission to help businesses like yours with all elements of cybersecurity. That includes vulnerability scanning and overall compliance, with PCI and all other regulatory codes you need to adhere to (HIPAA, NERC CIP, CMMC, etc.).
Our robust PCI advisory services are an all-in-one solution that helps you:
- Assess and attain compliance
- Identify and patch any and all vulnerabilities
- Establish a plan for compliance over the long-term
We’re a fully accredited ASV with over ten years of experience helping over 250 clients achieve PCI compliance. But that’s not all. We know compliance is just the beginning of cybersecurity. That’s why we also provide a bevy of other cybersecurity solutions for any and all issues your company may be facing. You can trust us to keep you safe.
Contact RSI Security today to optimize your cyberdefenses.
Schedule a free consultation