What is PCI?
The Payment Card Industry (PCI) Data Security Standard details security requirements for members, merchants, and service providers that store, process or transmit cardholder data. To demonstrate compliance with the PCI Data Security Standard, merchants and service providers may be required to validate and conduct a network security scan on a regular basis as defined by the PCI Security Standards Council.
Network Security Scans are an indispensable tool to be used in conjunction with a vulnerability management program. Scans help identify vulnerabilities and misconfigurations of websites and IT infrastructure containing externally facing IP addresses. Scan results provide valuable information that supports efficient patch management and other security measures that improve protection against Internet hacking.
The current regulation PCI DSS v3.2 was released in April 2016 and applies to most merchants, banks and service providers on October 31, 2016. Companies compliant with previous PCI DSS v3.1 have an extended deadline and must comply by October 31, 2016.
Who has to comply?
Network Security Scan requirements apply to all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information. However, even if an entity does not offer web-based transactions, there are other services that make systems Internet accessible. Basic functions such as email and employee Internet access will result in the Internet-accessibility of a company’s network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can potentially expose cardholder data if not properly controlled.
How often do I need to scan?
A network security scan must be completed every 90 days by an approved PCI scanning vendor. To achieve network status compliance using our PCI Compliance, all hosts must be scanned during the best practice scanning period and there can be no PCI vulnerabilities found from the scans during this period. GP PCI Compliance defines the best practice scanning period to be 30 days prior to the current day. Using Global Points PCI Compliance, you can scan your network in segments and remediate/re-scan for vulnerabilities on target IPs. Segmented scanning allows you to scan hosts that you have remediated without having to scan your entire network.
What IP addresses do I scan?
All external IP addresses must be scanned for PCI compliance.
The PCI DSS Security Scanning Procedures guide describes in detail the scope of PCI security scanning required for PCI compliance.
In this document, the section called “Scope of PCI Security Scanning” starting on page 1 states the following:
“The PCI requires all Internet-facing IP addresses to be scanned for vulnerabilities. If active IP addresses are found that were not originally provided by the customer, the ASV must consult with the customer to determine if these IP addresses should be in scope. In some instances, companies may have a large number of IP addresses available while only using a small number for card acceptance or processing. In these cases, scan vendors can help merchants and service providers define the appropriate scope of the scan required to comply with the PCI. In general, the following segmentation methods can be used to reduce the scope of the PCI Security Scan.
- Providing physical segmentation between the segment handling cardholder data and other segments
- Employing appropriate logical segmentation where traffic is prohibited between the segment or network handling cardholder data and other networks or segments
Merchants and service providers have the ultimate responsibility for defining the scope of their PCI Security Scan, though they may seek expertise from ASVs for help. If an account data compromise occurs via an IP address or component not included in the scan, the merchant or service provider is responsible.”
What PCI network reports are provided?
The service provides two PCI network reports — PCI Executive Report and PCI Technical Report. The PCI reports provide similar information suitable for different workflows. The PCI Executive Report is used to submit to the acquiring bank to document PCI compliance. This report provides summary level information only. The PCI Technical Report is used to identify vulnerabilities and prioritize remediation. For this reason, the PCI Technical Report includes technical details to assist with remediation.
Where do I find out more information about PCI?
More information about PCI can be found at the following sites: