The Payment Card Industry’s (PCI) Security Standards Council (SSC) requires companies that process card and electronic payments to maintain compliance with regulations that protect cardholder data. To demonstrate that they continually comply with the Data Security Standard (DSS) and any other applicable standards, companies must pass a quarterly PCI compliance scan conducted by an Approved Scanning Vendor (ASV). Continue reading for a walkthrough of the process and tips on how to prepare for and pass PCI compliance scan testing.
Passing Your PCI Compliance Scan
Simply put, passing your PCI compliance scan involves demonstrating adherence when tested on the 12 PCI DSS Requirements. These Requirements govern the storage and transmission of cardholder data. Conducted quarterly or following significant network infrastructure changes, a PCI compliance scan tests for external and internal vulnerabilities to ensure all cardholder data remains protected throughout payment processing.
To pass their four scans per year, companies must check for vulnerabilities outside their network in all public-facing payment functionality, as well as for weak points within their internal network that an attacker could exploit during a data breach.
A checklist you can use to prepare for passing your PCI compliance scan covers identifying any:
- Vulnerable data transmissions between web applications
- Non-compliant cardholder data disclosures that include sensitive information (e.g., name, address, and credit card numbers)
- Exploitable gaps in SQL Injection and Cross-site Scripting (XSS) protection
- Improper authentication processes or access authorizations
- Flawed web server or web access security
- Out-of-date or missing software upgrades
What are the PCI SSC and DSS?
The PCI SSC describes itself as “a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.” The PCI SSC created the DSS to standardize the processes and protections used to minimize merchant-based vulnerabilities.
If your company stores, processes, or transmits credit card data, the DSS Requirements and a quarterly PCI compliance scan apply to your organization.
The 12 Requirements Specified by PCI DSS v3.2.1
The PCI DSS’s six Goals and 12 Requirements outlined in the latest version (PCI DSS v3.2.1) for applicable companies state the following:
- Goal 1 – Build and maintain a secure network, which requires:
  - Requirement 1 – Install a firewall configuration and maintain it to protect cardholder data.
  - Requirement 2 – Change the vendor-supplied defaults for system passwords and other security parameter configurations.
- Goal 2 – Protect all sensitive cardholder data, which requires:
  - Requirement 3 – Protect any stored cardholder data.
  - Requirement 4 – Encrypt cardholder data for secure transmission across open, public networks.
- Goal 3 – Maintain a vulnerability management program, which requires:
  - Requirement 5 – Implement and update anti-virus software and similar security programs.
  - Requirement 6 – Maintain security for all developed systems and applications.
- Goal 4 – Implement robust access control measures, which requires:
  - Requirement 7 – Restrict business access to cardholder data on a “need-to-know” basis.
  - Requirement 8 – Assign a unique identifier to each individual with access to company computers.
  - Requirement 9 – Restrict physical access to cardholder data to necessary occurrences only.
- Goal 5 – Regularly monitor and test networks, which requires:
  - Requirement 10 – Monitor and log all access to network resources and cardholder data.
  - Requirement 11 – Test security systems and processes regularly.
- Goal 6 – Maintain an information security policy, which requires:
  - Requirement 12 – Maintain a policy that governs information security procedures and specifications for all employees and contractors.
PCI DSS v4.0
Although the most current version of the PCI DSS is v3.2.1, the SSC is actively working on the release of PCI DSS v4.0. The SSC will provide an 18-month extended transition period to allow companies to update their compliance efforts accordingly. The SSC intends to publish v4.0 in Q1 of 2022, and companies subject to the Requirements should begin familiarizing themselves with the expected updates and preparing for their implementation.
Preparing for PCI Compliance
Your preparatory efforts prior to a PCI compliance scan should focus on identifying any vulnerabilities in your network security and organizational processes as specified in the DSS’s 12 Requirements. While some self-evaluation tools exist, the scan itself must be carried out by a PCI SSC-approved third-party firm.
When scheduling your PCI compliance scan, ask the third-party firm for any tips they can provide. If the scan reveals security infrastructure that does not meet the Requirements, the results will outline the areas you need to address.
In addition to contacting an Approved Scanning Vendor (ASV), consider the following tips:
- Schedule your scanning and prepare to submit results well before submission deadlines approach, ideally 30 days or more.
- Skew your scan schedule away from typical calendar dates used for quarterly processes to avoid overburdened ASV queues.
- Prepare to answer any security and process questions ahead of time, as your ASV will likely require references to additional information before attesting to your PCI compliance.
Approved Scanning Vendors: What Do They Do?
ASVs carry out the PCI compliance scan using a scanning solution. The PCI SSC tests and approves every scanning solution before listing a third-party firm as an ASV. Approved Scanning Vendors—such as RSI Security—may be found on the PCI SSC’s curated list.
Scanning Procedures—External and Internal
PCI compliance scans evaluate both external and internal vulnerabilities, specifically as they relate to cardholder data and the tactics malicious actors use to access it. While both scans evaluate network and organizational process security, they focus on different areas where vulnerabilities may be present:
- External scanning – External scans probe for weaknesses in your network’s firewall and public-facing infrastructure, including:
  - Exploitable gaps
  - Unidentified IP addresses accessing your network
  - Time-sensitive security lapses
  - Out-of-date encryption protocols (e.g., legacy TLS or SSL)
  - Unsecured transfer protocols that leave data open to interception
- Internal scanning – Internal scans analyze your network infrastructure from the perspective that malicious insiders and improper identity and access management (IAM) processes count among a company’s most significant security risks, including:
  - Disgruntled current or former employees who use otherwise compliant access authorizations to conduct malicious activity.
  - Instances of “permission bloat,” which typically occur when user access to systems, applications, and data is not periodically re-evaluated and accumulates over time to non-compliant levels.
Successful intruders may also use any vulnerabilities caught by internal scanning to breach your network infrastructure further and access sensitive data. For example, if an intruder successfully disguises themselves as a company employee who retains unnecessary or non-compliant access authorizations, they may remain undetected for prolonged periods.
Once the scans are complete and an ASV has certified your PCI compliance, your company will likely need to self-report the results to the PCI SSC.
While most companies will report self-assessments and a quarterly PCI compliance scan conducted by an ASV, those that process more than six million transactions annually, regardless of channel, must submit to on-site PCI assessments. Companies that fall into this category are referred to as “Level 1.” The other three PCI levels are not required to undergo on-site assessment.
Pass Your Upcoming PCI Compliance Scan
The best tactic your company can take to pass a quarterly PCI compliance scan is to contact your ASV—such as RSI Security—early on in the process. You may then schedule testing, ask for any preparation advice, and allow yourself enough time to address any revealed weaknesses before your submission deadline.
In addition to offering assistance with PCI compliance, RSI Security also provides compliance advisory packages and tailored services, such as cloud security or penetration testing, for adhering to government and industry compliance regulations.
Contact us today to speak with RSI Security’s compliance and cybersecurity experts.