The Payment Card Industry Security Standards Council (PCI-SSC) has composed a set of 12 requirements called the PCI-DSS or Payment Card Industry Data Security Standards. Among these 12, the eleventh requirement and all its sub-sections talk about the PCI compliance scan.
In this post, we will discuss the PCI standards placed around vulnerability scanning and penetration testing. We will look at the specifications of the PCI-SSC recommended scans, and we will try to understand the benefits of PCI compliance and the repercussions of PCI non-compliance.
What is PCI-DSS?
PCI-DSS stands for Payment Card Industry Data Security Standards. As the name suggests, the PCI-DSS attempts to standardize the security policies, measures, and protocols placed by companies that collect, store, and transmit payment cardholder data.
PCI-DSS is the brainchild of the PCI-SSC, a private council of five payment card industry stalwarts – Visa, Mastercard, Discover Financial Services, American Express, and JCB International. The goal of this council is to manage the “ongoing evolution” of the payment card industry data security standards (PCI-DSS).
PCI-DSS provides businesses with comprehensive standards and structured guidelines to follow. It includes the specifications, frameworks, tools, and measures required to keep payment cardholder data safe at all times.
What is a PCI compliance scan?
PCI compliance or PCI-DSS compliance refers to a state where your company meets the minimum security requirements recommended by the PCI SSC. Quarterly internal and external vulnerability scans are part of your organization’s minimum requirements to become PCI-DSS compliant.
PCI-DSS compliance requires a minimum of 4 internal scans and 4 external scans in a year, along with one penetration test. A PCI compliance scan serves two purposes. One, as part of the basic PCI-DSS requirements, it brings you closer to compliance. Two, it identifies vulnerabilities that can jeopardize your compliance or harm your organization and your customers in other ways.
4 tools you can use for a PCI Compliance Scan
According to Requirement 11 of the PCI DSS, your organization needs vulnerability scans every quarter or whenever there are significant changes to your software. These scans are to be done by PCI SSC authorized third-party vendors. You cannot conduct these scans internally.
The scanner or VAPT provider you employ for this task plays a huge role in how smoothly the audit goes. We will walk you through some of the best tools for PCI compliance scanning.
Astra Pentest Platform
The pentest platform by Astra Security combines automated scanning and manual pentesting into a comprehensive platform that does more than just find security vulnerabilities in your systems.
Using Astra’s pentest dashboard, you can monitor the vulnerabilities as they are found, assign them to your developers, follow and update their status, and even engage with security experts to find better remediation.
How does Astra help with PCI compliance scans?
For starters, Astra’s vulnerability scanner runs 3000+ test cases to scan your systems for a very wide range of vulnerabilities covering OWASP top 10, SANS 25, and all other vulnerabilities that may hinder your qualification for PCI DSS compliance.
What makes Astra’s pentest platform really special for compliance scans is the Pentest Compliance feature built into the dashboard. Here’s how it works.
Say you have a PCI DSS compliance audit coming up in the near future and need a vulnerability scan as part of the preparation. All you need to do is enter your site URL into Astra’s Pentest Platform, choose PCI-DSS from the list of compliance regulations, and run a scan.
The scanner will show you the specific vulnerabilities that are blocking your compliance with PCI DSS. This gives you more clarity when allocating resources for remediation of the vulnerabilities.
Other cool features
Zero false positives:
False positives are a great waste of time and resources. Astra ensures zero false positives with the help of vetted scans.
CI/CD integration:
Astra’s pentest platform integrates with your CI/CD pipeline to provide continuous automated scanning. It means you never push vulnerable code.
Actionable reports:
Astra’s pentest reports come with video PoCs so developers can easily reproduce vulnerabilities. This, along with step-by-step remediation guidelines and thorough coverage of the vulnerabilities and the test cases used to find them, makes the reports truly actionable.
Scan behind logged-in pages:
Astra is one of the very few VAPT products that offer authenticated scanning behind logged-in pages without requiring you to re-authenticate the scanner every time the session times out.
Cobalt.io
Cobalt.io is a solid pentest tool with a varied assortment of offerings. It has a specific PCI compliance service offering that is quite akin to Astra’s, except that you can’t access the scan results and compliance blockers directly from the vulnerability management dashboard.
Cobalt is a more expensive tool than Astra’s pentest platform, but it isn’t necessarily better.
They’ve designed their pentests to suit the common compliance frameworks. You also get collaboration sessions with pentest experts to fix the issues found during the pentest.
Intruder
Intruder has an automatic vulnerability scanning engine along with manual pentest capabilities. You can use this tool both for the external vulnerability scanning mandated by PCI-DSS and for penetration testing.
Intruder has a simple interface and a scanner that works quite fast. However, it doesn’t have a compliance-specific scan offering. Hence, while it is a nice tool for getting your external pentests done, it does nothing special for you in terms of compliance readiness.
Qualys
The biggest plus point for Qualys is the way in which it makes compliance data available to auditors. It helps you inventory all IT assets in the cloud and view their security status.
The Qualys vulnerability scanner helps you take care of 97% of all the PCI-DSS requirements. It also allows you to automate the PCI compliance scan process. It is a well-rounded tool for your compliance needs.
The benefits of having regular PCI compliance scans
The advantages of having a PCI compliance scan every quarter, or every time there is a major change in the software, are quite straightforward.
- You help your business obtain PCI DSS compliance while protecting your customers’ data by finding and fixing vulnerabilities.
- Without security risks lurking around, you can run your operations in peace.
- You save a bunch of money and save your business from downtime by being proactive about security.
- You avoid the loss and humiliation of being penalized for not maintaining security standards.
- You get prepared for other compliance audits like SOC 2 and HIPAA.
The bottom line is that you cannot run a successful business where you collect and process payment card data, without a quarterly PCI compliance scan.
The PCI SSC actually makes it quite easy for businesses to get compliance ready. They provide you with a lot of resources to help maintain the standards, such as:
- Lists of Qualified Security Assessors (QSAs)
- Payment Application Qualified Security Assessors (PA-QSAs)
- Approved Scanning Vendors (ASVs)
- Internal Security Assessor (ISA) education program
On top of these, you also get self-assessment questionnaires that help you assess your overall security posture.
The compliance requirements for PCI-DSS are incredibly detailed and, to an extent, stringent. Preparing for a PCI DSS audit is a demanding task, and it always helps to have a reliable scan partner in your corner. Take note that PCI DSS has a penetration testing angle too. Depending on the type of your business, you may be required to conduct a penetration test once or twice a year. It will save you a lot of pain if your external vulnerability scan provider has a pentest offering too.
Does a PCI compliance scan ensure PCI DSS compliance?
No. As per PCI DSS regulations, any business that collects and processes payment card information requires regular internal and external vulnerability scans as part of the compliance requirements. But compliance with PCI DSS depends on a number of other factors as well.
Is penetration testing needed for PCI compliance?
Yes, there is a PCI regulation that mandates penetration testing for applications that process and store payment card information.
What is the cost of a PCI compliance scan?
PCI compliance scans for an application start from $199 per month.