The Payment Card Industry Security Standards Council (PCI-SSC) has composed a set of 12 requirements among which the eleventh requirement and all its sub-sections talk about the PCI compliance scan.
This post will discuss the PCI standards placed around vulnerability scanning and penetration testing. This includes the specifications of the PCI-SSC recommended scans, the benefits of PCI compliance, and the repercussions of PCI non-compliance.
What is a PCI compliance scan?
PCI compliance or PCI-DSS compliance refers to a state where your company meets the minimum security requirements recommended by the PCI SSC. Quarterly internal and external vulnerability scans are a part of your organization’s minimum requirements to get PCI-DSS compliant.
PCI-DSS compliance requires a minimum of 4 internal scans and 4 external scans in a year along with one penetration test. A PCI compliance scan serves two purposes. One, as part of the basic PCI-DSS requirements it brings you closer to compliance. Two, it identifies vulnerabilities that can jeopardize your compliance or harm your organization as well as customers in other ways.
What is PCI-DSS?
PCI-DSS or Payment Card Industry Data Security Standards attempts to standardize the security policies, measures, and protocols placed by companies that collect, store, and transmit payment cardholder data.
It is the brainchild of the PCI-SSC, a private council of five payment card industry stalwarts – Visa, Mastercard, Discover Financial Services, American Express, and JCB International.
PCI-DSS provides businesses with comprehensive standards and structured guidelines to abide by. It includes specifications, frameworks, tools, and measures required to keep payment cardholder data safe at all times.
Types of PCI Scans
Here’s a list of the types of scans that can be done for PCI-DSS compliance checks.
External PCI Scanning
This checks the public-facing ends of your domain, such as the networks and IP addresses, which need to be scanned on a regular basis.
Internal PCI Scanning
Internal PCI vulnerability scanning is done within the internal environment of your assets to check for properly managed and functioning workflows and procedures.
Application PCI Scanning
Here the PCI vulnerability scanner scans the web-facing applications, such as websites or mobile applications, to detect any vulnerabilities.
12 PCI-DSS Compliance Requirements
Below are the 12 requirements put forth by the PCI SSC (Payment Card Industry Security Standards Council) to meet PCI-DSS compliance:
- Maintain firewall configuration to protect customer credit card data.
- Don’t use the passwords set and given by vendors as a default.
- Protect customers’ credit card information.
- Encrypt the credit card information of customers across public networks.
- Have antivirus software in place and ensure it’s constantly updated.
- Develop and maintain secure systems and applications.
- Limit access to credit card information to a need-to-know basis.
- Assign a unique ID to everyone with computer access.
- Restrict physical access to customer credit card data.
- Regularly test and monitor networks and access to credit card data.
- Regularly test your security systems and processes.
- Maintain policies addressing data security for all employees.
Now that we have an idea of the various requirements that need to be met by your organization for its successful compliance with PCI-DSS, let us check out the benefits of having regular PCI compliance vulnerability scans.
The Benefits Of Having Regular PCI Compliance Scans
The advantages of using a PCI compliance checker every quarter or every time there is a major change in the software are quite straightforward.
- You help your business obtain PCI DSS compliance while protecting your customers’ data by finding and fixing vulnerabilities
- Without security risks lurking around, you can run your operations in peace
- You save a bunch of money and save your business from downtime by being proactive about security
- You avoid the loss and humiliation of being penalized for not maintaining security standards.
- You get prepared for other compliance audits like SOC2, and HIPAA
The bottom line is that you cannot run a successful business where you collect and process payment card data, without a quarterly PCI compliance scan.
The PCI SSC makes it quite easy for businesses to get compliance-ready. They provide you with a lot of resources to maintain the standards, such as:
- Lists of Qualified Security Assessors (QSAs)
- Payment Application Qualified Security Assessors (PA-QSAs)
- Approved Scanning Vendors (ASVs)
- Internal Security Assessor (ISA) education program
On top of these, you also get self-assessment questionnaires that assist you in assessing your overall security posture.
Factors In Choosing The Right PCI Compliance Vulnerability Scan Partner
1. Scanning Capacity
The PCI compliance scan tool should be able to identify a wide range of vulnerabilities across different platforms and technologies, including web applications, network devices, and operating systems. From code injection to cross-site scripting (XSS), the right PCI compliance vulnerability scanner should have a large vulnerability database built from known CVEs, threat intel, bug bounty reports, and more.
2. Accuracy In Detection
The PCI scanner should have a high rate of accuracy in identifying vulnerabilities, without generating a large number of false positives. An ideal scanner would ensure zero false positives. This can be done by thoroughly vetting the vulnerability scan report obtained.
3. Compliance Standards
The PCI scanner should be able to check for compliance with various regulatory standards, like PCI DSS, HIPAA, and others. An added bonus would be having a dashboard dedicated to real-time updates on areas of non-compliance obtained along with the generation of a compliance-specific scan report.
Make sure the company you choose for PCI penetration testing has experience pentesting not only for PCI-DSS but also for GDPR, HIPAA, ISO 27001, and more.
Ensure that the pentesters have the required qualifications that make them eligible to carry out scalable PCI pentests. This includes:
- Offensive Security Certified Professional (OSCP)
- Certified Ethical Hacker (CEH)
- GIAC Certified Pentester (GPEN)
- IT Health Check Service (CHECK) Certification
Make sure the PCI penetration testing cost fits well within the budget decided by your organization and comes with the features you require to successfully uphold your compliance status with PCI-DSS. It should also provide your organization with a good ROI.
The PCI compliance scanning tool should be able to handle large-scale networks, web applications, and compliance scans, and should be able to integrate with other security tools. The PCI compliance vulnerability scan provider should be able to scale their services according to the needs and scope of the customer organization.
Make sure the PCI compliance vulnerability scan services shortlisted by you provide well-detailed reports that include the various types of tests done, the findings of non-compliance, and the remediation suggestions for them.
Ensure that the PCI compliance scanner enlisted by you also provides automated remediation services and does not leave you stranded once the penetration testing is completed.
4 Tools You Can Use For A PCI Compliance Vulnerability Scan
According to section 11 of the PCI DSS, your organization needs vulnerability scans every quarter or whenever there are significant changes to your software. These scans are to be done by PCI SSC authorized third-party vendors. You cannot conduct these scans internally.
The scanner or VAPT provider you employ for this task plays a huge role in the smooth operation of the audit. We will walk you through some of the best tools for PCI compliance scanning.
1. Astra Security
The pentest platform by Astra Security combines automated scanning and manual pentesting to create a comprehensive pentest platform that does more than just find security vulnerabilities in your systems.
Using Astra’s pentest dashboard, you can monitor the vulnerabilities as they are found, assign them to your developers, follow and update their status, and even engage with security experts to find better remediation.
How does Astra help with PCI compliance scans?
For starters, Astra’s vulnerability scanner runs 8000+ test cases to scan your systems for a very wide range of vulnerabilities covering OWASP top 10, SANS 25, and all other vulnerabilities that may hinder your qualification for PCI DSS compliance.
What makes Astra’s pentest platform really special for compliance scans is the Pentest Compliance feature built into the dashboard. Here’s how it works.
Let us say, you are looking at a PCI DSS compliance audit in the near future and you need to get a vulnerability scan as part of the preparation. All you need to do is put your site URL into Astra’s Pentest Platform, choose PCI-DSS from the list of compliance regulations, and run a scan.
The scanner will show you the specific vulnerabilities that are blocking your compliance with PCI DSS. This way you have more clarity in terms of resource allocation for remediation of the vulnerabilities.
Other cool features include:
- PCI Penetration Testing
Astra provides both manual and automated penetration testing options. More than 8000 tests are carried out to detect, identify and exploit vulnerabilities.
Once the penetration test is finished, a suitable, well-detailed report is generated with risk scores and easy steps for remediation and prioritization.
- Zero false positives
False positives are a great waste of time and resources. Astra ensures zero false positives with the help of vetted scans.
- CI/CD integration
Astra’s pentest platform integrates with your CI/CD pipeline to provide continuous automated scanning. It means you never push vulnerable code.
- Actionable reports
Astra’s pentest reports come with video PoCs for developers to easily reproduce vulnerabilities. This along with step-by-step remediation guidelines and thorough coverage of vulnerabilities and test cases used to find them, make the reports truly actionable.
- Scan behind logged-in pages
Astra is one of the very few VAPT products that offer authenticated scanning behind logged-in pages without requiring you to re-authenticate the scanner every time the session times out.
- Business Logic Testing
At Astra, pentesters not only test for the usual vulnerabilities but also for business logic errors.
This helps you identify and remediate any business logic errors that may be affecting your business revenue.
- Contextual Support
Astra’s intuitive dashboard comes with plenty of features including real-time updates, and a comment option for quick query clearance.
Collaboration between pen-testers and developers is also possible through the dashboard for easy remediation of vulnerabilities.
- Publicly Verifiable Pentest Certificates
Once the PCI compliance scan or pentest with Astra is completed, including successful remediation followed by a rescan, Astra provides its customers with a publicly verifiable pentest certificate.
This certificate is valid for 180 days from the date it is received.
2. Cobalt.io
Cobalt.io is a solid pentest tool with a varied assortment of offerings. It has a specific PCI compliance service offering which is quite akin to that of Astra, except you can’t access the scan results and compliance blockers directly from the vulnerability management dashboard.
Cobalt is a more expensive tool than Astra’s pentest platform but it isn’t necessarily better.
They’ve designed the pentests to suit the common compliance frameworks. You also get collaboration sessions with pentest experts to fix the issues found during the pentest.
3. Intruder
Intruder has an automatic vulnerability scanning engine along with manual pentest capabilities. You can use this tool for both external vulnerability scanning mandated by PCI-DSS and penetration testing.
Intruder has a simple interface and a scanner that works quite fast. However, it doesn’t have a compliance-specific scan offering. Hence, while it is a nice tool to get your external pentests done, it does nothing special for you in terms of compliance readiness.
4. Qualys
The biggest plus point for Qualys is how it makes compliance data available for auditors. It helps you inventory all IT assets on the cloud and view their security status.
Qualys vulnerability scanner helps you take care of 97% of all the PCI-DSS requirements. It also allows you to automate the PCI compliance scan process. It is a well-rounded tool for your compliance needs.
Steps In A PCI Compliance Vulnerability Scan
Penetration testing involves several steps that need to be followed in a specific order. Let’s understand what these steps are and how they are performed.
Step 1: Scoping
Scoping is the first step in penetration testing, in which the scope of the test is defined before testing starts. The scope determines the limitations and rules of engagement for the test.
Step 2: Reconnaissance & Discovery
It includes gathering information about the target network. The data collected during this step can be used to determine the attack vectors. This step also involves the identification of all the hosts in the target network and their respective services.
Step 3: Exploitation
In this step, the tester tries to exploit vulnerabilities in the available services to gain unauthorized access to the target system. Exploitation can take multiple forms, including DoS attacks, SQL injection, or a buffer overflow.
Step 4: Reporting
The final step of a penetration test involves reporting all the findings to the organization. The report should contain detailed information about the vulnerabilities found in the network, their possible impacts, and recommendations to fix them.
Step 5: Re-scanning
After the remediation of the vulnerabilities, the penetration test needs to be repeated to ensure that the vulnerabilities have indeed been fixed.
Penetration Testing Or Vulnerability Scan for PCI Compliance?
You might be wondering how to choose between penetration testing or a PCI compliance vulnerability scan. Let us help you out by breaking each option down for you.
PCI Penetration Testing is currently an essential mandate put forward by the PCI-DSS, which if not carried out periodically, can lead to non-compliance. The 11th requirement by PCI-DSS “regular testing of your security systems and processes” clearly states the need for penetration testing to maintain PCI compliance.
According to PCI, penetration tests of security systems and processes deployed must be carried out annually or after every major security update. This comes with a few drawbacks, however.
Conducting yearly penetration tests can only help in the detection of vulnerabilities present at that particular point in time. Year-round protection is therefore much more easily achieved through PCI compliance vulnerability scans.
PCI compliance scans can be automated and integrated within your security systems, allowing you to rest easy knowing that any vulnerabilities will be flagged far sooner than they would be with a pentest.
How Often Must PCI Compliance Vulnerability Scans Be Performed?
Since PCI vulnerability scans are much more cost-efficient, they can be carried out more regularly than a pentest, i.e. weekly, daily, or monthly. PCI-DSS mandates that at least 4 PCI compliance vulnerability scans, i.e. one vulnerability scan every 90 days, be carried out in a year.
Therefore the best option would be to opt for more regularized PCI compliance vulnerability scans while sticking to the mandatory PCI pentest yearly to ensure an easy road to PCI compliance.
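To turn the cadence above (one scan every 90 days, at least 4 per year, plus a scan after every significant change) into something an internal audit can check against scan records, here is an added example written for this post; it is not code from the original article or from any vendor named here. The scan and change dates are constructed sample data, and the 90-day, 365-day and 4-scan thresholds are taken from the text.

```python
from datetime import date, timedelta

MAX_GAP_DAYS = 90      # one scan every 90 days (page's quarterly cadence)
MIN_SCANS_PER_YEAR = 4  # at least 4 scans in a year
YEAR_DAYS = 365


def scan_cadence_findings(scan_dates, change_dates, window_end):
    """Return a list of human-readable findings for a scan history.

    scan_dates:   dates on which a compliance scan was completed
    change_dates: dates of significant changes to the environment
    window_end:   end of the assessment window (e.g. today)
    An empty list means the recorded history satisfies all three rules.
    """
    findings = []
    scans = sorted(scan_dates)
    if not scans:
        return ["no scans on record"]

    # Rule 1: no two consecutive scans more than 90 days apart,
    # and the most recent scan must not be stale at window_end.
    prev = scans[0]
    for current in scans[1:]:
        gap = (current - prev).days
        if gap > MAX_GAP_DAYS:
            findings.append(f"gap of {gap} days between {prev} and {current}")
        prev = current
    tail = (window_end - prev).days
    if tail > MAX_GAP_DAYS:
        findings.append(f"last scan {prev} is {tail} days before {window_end}")

    # Rule 2: at least 4 scans inside the trailing 365-day window.
    year_start = window_end - timedelta(days=YEAR_DAYS)
    in_year = [s for s in scans if year_start <= s <= window_end]
    if len(in_year) < MIN_SCANS_PER_YEAR:
        findings.append(f"only {len(in_year)} scans in the year ending {window_end}")

    # Rule 3: every significant change must be followed by a scan.
    for change in sorted(change_dates):
        if not any(s >= change for s in scans):
            findings.append(f"no scan after significant change on {change}")
    return findings


if __name__ == "__main__":
    # Constructed sample history: one quarter was missed, and the
    # November release has not been rescanned yet.
    scans = [date(2024, 1, 10), date(2024, 4, 5), date(2024, 8, 1), date(2024, 10, 15)]
    changes = [date(2024, 7, 1), date(2024, 11, 20)]
    for line in scan_cadence_findings(scans, changes, date(2024, 12, 31)):
        print("FINDING:", line)
```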
What Are The Different PCI Compliance Levels?
Compliance levels are categorized into 4:
- Level 1: This is for merchants that process over 6 million transactions per year. Such merchant organizations require PCI audits and pentests yearly from PCI-authorized auditors. Along with this, these organizations must also submit PCI compliance vulnerability scans periodically from an approved scanning vendor (ASV).
- Level 2: This is for merchants that process between 1 and 6 million transactions in a year. These businesses are committed to doing an assessment annually using a Self-Assessment Questionnaire (SAQ). Furthermore, a PCI scan may be required every three months.
- Level 3: This next-level PCI compliance is applied for organizations with total card transaction volumes between 20,000 and one million each year. They must complete a yearly assessment by submitting the relevant SAQ. A quarterly PCI scan can also be required.
- Level 4: Lastly, level 4 PCI compliance is reserved for businesses that carry out fewer than 20,000 debit or credit card transactions per year. These companies have to do a yearly assessment using the relevant SAQ and also a quarterly PCI scan.
The compliance requirements for PCI-DSS are incredibly detailed and stringent to an extent. Preparing for a PCI DSS audit is a stern task and it always helps if you have a reliable scan partner in your corner. Take note that PCI DSS has a penetration testing angle too. Depending on the type of your business you may be required to conduct a penetration test once or twice a year. It will save you a lot of pain if your external vulnerability scan provider has a pentest offering too.
Does a PCI compliance scan ensure PCI DSS compliance?
No. As per PCI DSS regulations, any business that collects and processes payment card information requires regular internal and external vulnerability scans as part of the compliance requirements. But compliance with PCI DSS depends on a number of other factors as well.
Is penetration testing needed for PCI compliance?
Yes, there is a PCI regulation that mandates penetration testing for applications that process and store payment card information.
What is the cost of a PCI compliance scan?
PCI compliance scans for an application start from $199 per month.