PCI DSS Vulnerability Scanning Requirements
The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants accepting credit cards conduct regular vulnerability scans of their environment in order to identify potential security flaws. Merchants often have questions about the scanning requirements and we provide the answers to some of the most commonly asked questions below.
What vulnerability scans does PCI DSS require?
PCI DSS requires that merchants perform both internal and external vulnerability scans on a regular basis to ensure that your cardholder data environment meets current security standards. The standard requires two different types of vulnerability scan:
External scans should be performed from outside your organization’s network and include all of your external IP addresses. These scans provide you with a view of the vulnerabilities that a hacker might exploit to gain an initial foothold on your network.
Internal scans should take place from a sufficient number of locations within your network to assess the security posture of all systems within the cardholder data environment. This provides an internal view of your security and points out flaws that an attacker could exploit after gaining initial access to your network.
How often are PCI DSS vulnerability scans required?
You must perform vulnerability scans on at least a quarterly basis and supplement those quarterly scans with additional scans whenever there are significant changes to your cardholder data environment.
On a more practical note, most organizations perform these scans on a much more regular basis (usually daily or weekly), preferring to have immediate notice when a new vulnerability arises. They simply document one of these scans every quarter as the “official” PCI DSS scan.
Can we perform the scans ourselves?
Yes and no. You may perform your own scans to meet the internal scanning requirements, but PCI DSS requires that you use an Approved Scanning Vendor (ASV) for your external scans. If you do perform your own internal scans, you must ensure that the scans are performed by qualified trained staff members who are organizationally independent from those responsible for the security of your systems.
What merchants are required to undergo vulnerability scans?
All merchants, regardless of merchant level, who have external IP addresses must undergo vulnerability scans according to the schedule outlined above. This is a source of much confusion in the security community and many people believe that level 4 merchants (those who process less than 20,000 e-commerce transactions and less than 1,000,000 total transactions annually) are not required to undergo scans. This is not correct, as outlined in Visa’s Cardholder Information Security Program requirements and MasterCard’s Site Data Protection program requirements.
What do these PCI DSS vulnerability scans include?
Scans performed by approved scanning vendors must meet the following general characteristics:
1) They must be non-disruptive and should not include denial of service (DoS) or buffer overflow attacks that might disrupt the merchant’s business.
2) The scan must include a host discovery element that searches the network for live systems.
3) The scan must include a service discovery element that includes both TCP and UDP port scans on all live systems.
4) OS and service fingerprinting must take place to identify the operating characteristics of live systems to the extent practical.
5) Scans must be able to account for load balancers and IDS/IPS systems and provide an accurate view of the customer’s security environment even when these devices are present.
For more information on the specific requirements for ASV scans, see the ASV Program Guide.
What will the auditors be looking for when they audit my PCI DSS vulnerability scans?
If you are audited, the auditors performing your PCI DSS assessment will look for the following evidence:
1) Evidence that both internal and external vulnerability scans took place for each of the previous four quarters
2) Evidence that the internal scanning process includes rescans until all “High” vulnerabilities are corrected and the scan provides passing results
3) Evidence that the external scanning process meets the ASV program requirements for passing, including no vulnerabilities with a CVSS score higher than 4.0
4) Evidence that the internal scans were performed by an approved scanning vendor, a firm specializing in vulnerability scanning or a qualified trained staff member not responsible for the security of your systems
5) Evidence that the external scans were performed by an approved scanning vendor
6) Evidence that scans were performed after any significant changes to the cardholder environment