.svg)
As businesses increasingly rely on digital platforms for transactions, the importance of securing payment information increases. Payment Card Industry (PCI) compliance scans are needed to safeguard sensitive financial data, and understanding PCI compliance scanning is crucial for businesses.
PCI compliance scanning is the testing of systems/networks for security vulnerabilities to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS requirements ensure that companies that accept, process, store, or transmit credit card data maintain a secure environment.
In this blog, we'll delve into the intricacies of PCI DSS scanning requirements, explore their significance, who is involved, the process, and why vulnerability management is indispensable for maintaining a secure online payment environment.
PCI DSS Requirements
PCI compliance scans are required for organizations that handle credit card transactions. PCI Compliance scans help organizations meet the requirements of the PCI DSS and enhance the overall security of payment card transactions. Non-compliance can result in reputational damage, legal consequences, and fines.
Entities subject to PCI Compliance Scanning include:
1. Merchants: Any organization that accepts, processes, stores, or transmits credit card information is subject to PCI DSS requirements. This includes retailers, online merchants, and other businesses that handle credit card transactions.
2. Service Providers: Companies that provide services that handle payment card data on behalf of other businesses are also subject to PCI DSS requirements. This includes payment gateways, hosting providers, and other service providers with access to payment cardholder data.
PCI Scanning Process
PCI Compliance Scans are conducted by an Approved Scanning Vendor (ASV) on behalf of a client. Organizations must use an ASV, which is a third-party service provider qualified by the PCI Security Standards Council (SSC), to conduct external vulnerability scans.
Reporting
After a vulnerability scan, the ASV will provide a detailed report outlining the findings. This report will include information about identified vulnerabilities, their severity levels, and recommendations for remediation.
Remediation
Organizations must promptly address vulnerabilities and issues identified in scan results, and on an ongoing basis, to uphold the appropriate level of security and maintain the environment in compliance with PCI DSS.
Re-Scanning
In some cases, especially if significant changes are made to the environment, a re-scan may be required to ensure the identified vulnerabilities have been properly addressed.
Documentation
Organizations must maintain documentation demonstrating compliance with PCI DSS requirements, including evidence of remediation actions taken.
Achieving and maintaining PCI compliance is an ongoing process. Regularly scheduled PCI Compliance scans and a repeatable scanning process will help organizations identify and address security vulnerabilities to ensure the protection of cardholder data.
Merchant and Service Provider Levels
The payment card brands define merchant and service provider levels and corresponding compliance obligations based on annual transaction volume and the nature of cardholder data environments.
Merchants and service providers fall into one of these classifications, which dictates the specific compliance requirements an organization must fulfill to maintain PCI DSS compliance and ensure the security of cardholder data.
Organizations must report on their PCI DSS compliance to relevant parties such as acquiring banks, payment processors, or other entities involved in the payment card ecosystem.
Please see the two tables below:
| Merchant Level | Description | Requirements |
|---|---|---|
| Level 1 | Merchants processing over 6 million transactions per year or merchants deemed as Level 1 by any card brand. | - Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) - Quarterly network vulnerability scans by an Approved Scanning Vendor (ASV) - Annual Penetration Test |
| Level 2 | Merchants processing 1 to 6 million payment card transactions per year. | - Annual Self-Assessment Questionnaire (SAQ) - Quarterly network vulnerability scans by an ASV - Annual Penetration Test |
| Level 3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions per year or less than 1 million transactions on the Discover network regardless of acceptance channel. | - Annual SAQ - Quarterly network vulnerability scans by an ASV |
| Level 4 | Merchants processing fewer than 20,000 Visa e-commerce transactions per year or all other merchants processing up to 1 million Visa transactions per year. | - Annual SAQ - Quarterly network vulnerability scans by an ASV |
| Service Provider Level | Description | Requirements |
| Level 1 | Service providers processing more than 300,000 transactions annually or service providers deemed as Level 1 by any card brand. | - Annual ROC by a QSA - Quarterly network scans by an ASV - Twice-a-year Penetration Test |
| Level 2 | Service providers processing less than 300,000 transactions annually. | - Annual SAQ - Quarterly vulnerability scan by an ASV - Twice-a-year Penetration Test |
The compliance requirements and self-assessment questionnaire (SAQ) type for each level vary depending on the nature of the organization's cardholder data environment and the specific payment channels used.
PCI DSS Requirement 11
PCI DSS Requirement 11 specifically addresses vulnerability scanning. Key points to understanding the vulnerability scanning obligations under PCI DSS requirement 11 include:
1. Regular (and at Least Quarterly) Scanning
2. Internal and External Scans
3. Approved Scanning Vendor (ASV)
4. Immediate Remediation
5. Documentation
Regular Scanning
Organizations must perform regular internal and external network vulnerability scans. The frequency of these scans depends on the organization's risk assessment but should be conducted at least quarterly or after any significant changes to the network. [11.1, 11.2, and 11.3]
Internal and External Scans
Both internal and external network scans are required. External scans focus on identifying vulnerabilities that could be exploited from outside the network, while internal scans look for vulnerabilities from within the internal network. [11.3]
Approved Scanning Vendor (ASV)
Organizations must use an ASV, which is a third-party service provider qualified by the PCI SSC to conduct external vulnerability scans. [11.3]
Immediate Remediation
Any vulnerabilities identified must be addressed and resolved. The organization must have processes in place to address and remediate vulnerabilities in a timely manner. [11.5 and 11.6]
Documentation
Organizations must maintain documentation that demonstrates compliance with the scanning requirements. This includes scan reports, remediation reports, and evidence of corrective actions taken. [11.1, 11.2, 11.3, 11.5, and 11.6]
PCI DSS requirements may be updated over time, and organizations should refer to the latest version of the PCI DSS standard for the most accurate and current information. Additionally, compliance requirements and interpretations may vary, so it's recommended for organizations to consult with a PCI Qualified Security Assessor (QSA) or the PCI SSC for guidance specific to their circumstances.
VikingCloud PCI Compliance Services
VikingCloud is trusted by many of the most respected companies to help them maintain compliance and ensure the highest security to avoid disruptions to their business. The VikingCloud team is available to discuss our PCI compliance solutions and PCI compliance for small businesses. Contact the team for more information.
.png)