PCI DSS Scanning
Requirement 11.2 of the Payment Card Industry Data Security Standard (PCI DSS) describes the need to run internal and external network vulnerability scans at least quarterly and after any significant change in the network.
Vulnerability scanning for PCI DSS v3.2 compliance
Conducting vulnerability scans helps identify vulnerabilities and misconfigurations of websites, applications, and IT infrastructures with Internet-facing IP addresses.
Scan results provide valuable information that supports efficient patch management and other security measures that improve protection of the cardholder data environment (CDE) against attacks.
The importance of scanning for PCI
Firewalls have to leave certain ports open for the operation of web, mail, FTP and other Internet-based services – and any weakness in the services exposed through those ports leaves you open to exploitation. Vulnerability scans – when correctly configured – can help identify these weaknesses and recommend how to fix them.
At a high level, scanning tools run a series of checks (if-then tests against observed service versions, configuration settings and responses) designed to identify settings or behaviour that could lead to vulnerabilities. A completed scan provides a logged summary of alerts for you to act on. Unlike penetration testing, a vulnerability scan does not exploit vulnerabilities in your network; it reports what it detects.
To pass a PCI DSS ASV attestation, all items listed as critical, high or medium (or with a CVSS score of 4.0 or higher) and certain findings that are considered “automatic failure” must either be remediated or disputed by the customer.
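The pass/fail rule above applied to a scan report, as an added illustration (not part of this page or the HackerGuardian product): a finding blocks attestation if it is rated critical, high or medium, scores CVSS 4.0 or higher, or is an automatic-failure item, unless the customer has disputed it. The CSV layout, column names and host/finding records are constructed for this example; real ASV reports use the vendor's own format.

```python
import csv
import io

# Severity labels and CVSS threshold from the ASV pass/fail rule described above.
BLOCKING_SEVERITIES = {"critical", "high", "medium"}
CVSS_FAIL_THRESHOLD = 4.0

# Constructed sample report (documentation IP range, invented finding names).
SAMPLE_REPORT = """\
host,finding,severity,cvss,auto_fail,disputed
203.0.113.10,Outdated TLS configuration,medium,5.3,no,no
203.0.113.10,Self-signed certificate,low,2.6,no,no
203.0.113.11,Default account credentials,high,9.8,yes,no
203.0.113.12,Information disclosure banner,low,3.9,no,no
203.0.113.12,Missing HTTP security header,medium,4.3,no,yes
"""


def blocks_attestation(finding):
    """Return True if this finding must be remediated before the scan can pass."""
    if finding["disputed"].strip().lower() == "yes":
        return False  # disputed items are reviewed by the ASV, not counted here
    if finding["auto_fail"].strip().lower() == "yes":
        return True  # "automatic failure" items fail regardless of score
    if finding["severity"].strip().lower() in BLOCKING_SEVERITIES:
        return True
    try:
        return float(finding["cvss"]) >= CVSS_FAIL_THRESHOLD
    except ValueError:
        return True  # unparsable score: treat conservatively as blocking


def triage(report_csv):
    """Parse a CSV report; return (passes, list of findings that block a pass)."""
    findings = list(csv.DictReader(io.StringIO(report_csv)))
    blocking = [f for f in findings if blocks_attestation(f)]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    passed, blocking = triage(SAMPLE_REPORT)
    print("PASS" if passed else "FAIL")
    for f in blocking:
        print(f"  {f['host']}: {f['finding']} (severity={f['severity']}, cvss={f['cvss']})")
```

Here the scan fails on two findings: the medium-rated TLS item and the default-credential item; the low-rated items and the disputed header finding do not count.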
How does scanning fit into my PCI project?
Requirement 11.2 of the PCI DSS covers scanning. It states that you need to “Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.” Scans need to be run by qualified internal or external parties.
Our ASV scanning solution
Powered by Comodo, our HackerGuardian scanning service performs highly accurate scanning of your externally facing systems as required by the PCI DSS. It runs more than 60,000 tests on your organisation’s servers and network and provides clear advice on how to fix any security vulnerabilities.
Speak to an expert
Please contact us for advice and guidance on our products and services.