PCI DSS: Security Scanning Procedures

Merchant and Service Provider Scanning Requirements

PCI Security Scans provide merchants and service providers with invaluable information about their Internet-facing systems, and they complement, rather than replace, a comprehensive vulnerability management program.

PCI approved scans help a merchant or service provider find misconfigurations and known vulnerabilities in Web sites, applications and IT infrastructure with Internet-facing IP addresses.

The results of a PCI approved scan feed patch management and other security measures that rectify the problems found and improve protection against future Internet attacks.

The following is an overview of the basic scanning requirements for merchants, service providers and ASVs:
  • Internet-facing IP Addresses--Merchants and service providers must scan their Web sites and IT infrastructure that have externally facing IP addresses. If the ASV discovers active IP addresses that the customer did not originally provide, the ASV must consult with the customer to determine whether those addresses are in scope. If an account data compromise occurs via an IP address or component that was left out of the scan, the merchant or service provider bears the responsibility.

  • Domain-based virtual hosting--If domain-based virtual hosting is used, provide the ASV with a list of all domains that should be scanned; several domains may share one IP address, and each must be tested by name.

  • Defining the scope of the scan--If an organization has a large number of IP addresses but uses only a few of them for card acceptance or processing, the ASV can help the merchant or service provider define the scope of the network scan.

  • Applying segmentation--To reduce the scope of the network scan, an ASV can help the merchant or service provider separate the cardholder data environment from the rest of the network in one of two ways: (1) physical segmentation between the segment handling cardholder data and other segments, or (2) appropriate logical segmentation that prohibits traffic between those segments.

  • Filtering devices--The ASV must scan all filtering devices, such as firewalls and external routers used to filter traffic. Firewalls and routers used to establish a demilitarized zone (DMZ) must also be scanned for vulnerabilities.

  • Web Servers--Internet users view Web pages and buy merchandise from Web merchants through a Web server. Because these servers are fully reachable from the public Internet, scanning them for vulnerabilities is essential.

  • Application Servers--When a cardholder sends an account number in a transaction with a merchant or service provider, the application server is the component that takes that data from the Web front end and moves it in and out of the network, typically to and from backend databases. The ASV must scan application servers, and must scan the Web server itself when it is configured to act as an application server.

  • Domain Name Servers (DNS)--A DNS server translates domain names into IP addresses. A merchant or service provider either uses DNS provided by an Internet Service Provider (ISP) or runs its own. Either way, the ASV must scan all DNS servers, because a hacker who can tamper with name resolution can redirect customers to a fake merchant or service provider Web site and collect credit card data fraudulently on the organization's behalf.

  • Mail Servers--ASVs must scan mail servers, which are Internet-facing and a routine target of hacker attacks; an open mail relay, for example, is among the Level 3 findings listed under Vulnerability Levels below.

  • Load Balancers--If a merchant or service provider uses a load balancer to spread traffic across more than one server, every individual server behind the load balancer must be scanned. A scan addressed only to the balancer's shared address reaches whichever server happens to answer and can miss vulnerabilities on the others.

  • Virtual Hosts--If a merchant or service provider shares a server at a Web hosting company, it shares that server with the hosting company's other customers. The merchant or service provider is responsible for asking the hosting company to have its entire Internet-facing IP range scanned and to demonstrate compliance, and must in addition have its own domains scanned by an ASV.

  • Wireless Access Points--Wireless LANs (WLANs) introduce data security risks, such as misconfigurations, that need to be identified and resolved. The ASV must scan wireless access points and any other wireless components that are connected to the Internet.

  • Intrusion detection and prevention--Merchants and service providers must configure their intrusion detection system/intrusion prevention system (IDS/IPS) to allow traffic from the ASV's originating IP addresses, so that the scan reports the real state of the hosts rather than the IDS/IPS response to it. If this is not feasible, the scan should originate from a location where the IDS/IPS cannot interfere.
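The scoping items above (undeclared live IP addresses, domain-based virtual hosting, and defining scope) come down to reconciling what the customer declared with what the ASV actually observes. The script below is an added example, not code from the original page or from the PCI Security Standards Council; all addresses are hypothetical (RFC 5737 documentation ranges), the DNS answers and discovered hosts are constructed so it runs offline, and a real tool would resolve names and sweep addresses at scan time.

```python
import ipaddress
from collections import defaultdict

# Constructed inputs (not from the original page): what a merchant hands an ASV
# when defining scan scope. All addresses are hypothetical RFC 5737 documentation
# addresses.
DECLARED_SCOPE = ["203.0.113.5", "203.0.113.6", "198.51.100.8/29"]
DECLARED_DOMAINS = ["shop.example.com", "pay.example.com",
                    "www.example.com", "mail.example.com"]

# Constructed stand-in for DNS so the example runs offline; a real tool would
# resolve each name (A/AAAA records) at scan time.
FAKE_DNS = {
    "shop.example.com": ["203.0.113.5"],
    "pay.example.com": ["203.0.113.5"],   # same IP as shop: domain-based virtual hosting
    "www.example.com": ["203.0.113.6"],
    "mail.example.com": ["192.0.2.25"],   # resolves outside the declared scope
}

# Constructed result of the ASV's live-host discovery over the declared
# addresses and the surrounding address space.
DISCOVERED_LIVE_HOSTS = ["203.0.113.5", "203.0.113.6", "203.0.113.14", "198.51.100.10"]


def fake_resolve(name):
    """Offline replacement for DNS resolution (constructed answers above)."""
    return FAKE_DNS.get(name, [])


def parse_scope(entries):
    """Declared IPs/CIDRs as network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def in_scope(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def reconcile_scope(declared, domains, resolve, live_hosts):
    """Compare the customer's declared scope with what the ASV actually observes.

    Returns a dict with:
      undeclared_live_hosts  live IPs found that the customer did not declare; the ASV
                             must consult the customer before including or excluding them
      domains_outside_scope  declared domains resolving to IPs outside the declared ranges
      vhosts_by_ip           every declared domain grouped by the IP it resolves to
      shared_vhost_ips       only the IPs serving more than one domain; each domain on
                             such a host must be tested by name, not just by address
    """
    nets = parse_scope(declared)
    vhosts = defaultdict(list)
    outside = {}
    for name in domains:
        for ip in resolve(name):
            vhosts[ip].append(name)
            if not in_scope(ip, nets):
                outside.setdefault(name, []).append(ip)
    undeclared = sorted((ip for ip in live_hosts if not in_scope(ip, nets)),
                        key=ipaddress.ip_address)
    return {
        "undeclared_live_hosts": undeclared,
        "domains_outside_scope": outside,
        "vhosts_by_ip": dict(vhosts),
        "shared_vhost_ips": {ip: names for ip, names in vhosts.items() if len(names) > 1},
    }


if __name__ == "__main__":
    result = reconcile_scope(DECLARED_SCOPE, DECLARED_DOMAINS, fake_resolve,
                             DISCOVERED_LIVE_HOSTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed data, 203.0.113.14 is live but undeclared (the ASV must raise it with the customer), mail.example.com resolves outside the declared ranges (either the scope list or the DNS record is wrong), and 203.0.113.5 serves two domains, so both names must be scanned against that one host.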

Vulnerability Levels

Based on the results of the network scan, the ASV produces a detailed report that includes:
  • The vulnerability type or risk
  • A diagnosis of the issues linked to that vulnerability type
  • Recommendations on how to fix or patch each vulnerability found
  • A severity rating for each vulnerability
Each ASV may have its own reporting format, but all high-level risks are reported consistently to ensure a fair and uniform compliance rating.

To be PCI DSS compliant, or compliant with any card brand program, a scan report must contain no vulnerability, feature or configuration that constitutes a PCI DSS violation.

If the ASV finds such items, it meets with the merchant or service provider to determine whether they are really PCI DSS violations rather than, for example, false positives. If they are, the ASV issues a noncompliant scan report.

High-level vulnerabilities are designated as level 3, 4, or 5.

Level 5 Vulnerabilities

Level 5-Urgent-At this level hackers can compromise the entire host: full file-system read and write access, remote execution of commands as the root or administrator user, or the presence of backdoors and Trojans.

Level 4 Vulnerabilities

Level 4-Critical-Gives hackers partial access to the file system and remote user-level capabilities. These vulnerabilities expose highly sensitive information.

Level 3 Vulnerabilities

Level 3-High-Gives hackers access to information stored on the host, including security settings, and sets the host up for misuse by intruders. Examples include access to specific files, denial of service attacks, directory browsing and mail relaying.

Level 2 Vulnerabilities

Level 2-Medium-Gives hackers the means to research attacks against the host and access to some sensitive information from it, such as the exact versions of running services.

Level 1 Vulnerabilities

Level 1-Low-Exposes information such as open ports, from which hackers can learn about the host's configuration.
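The pass/fail rule above (no unresolved Level 3, 4 or 5 finding) and the dispute step (the ASV verifies with the merchant whether a finding is really a violation before issuing a noncompliant report) are easy to get wrong when results arrive per host and per finding. The triage script below is an added example, not code from the original page or from any ASV; the CSV export format, hosts and finding titles are constructed (the titles mirror the level descriptions on this page), and `disputed` is a hypothetical name for the set of findings the ASV has verified as not real violations.

```python
import csv
import io
from collections import defaultdict

# Severity scheme from the page's "Vulnerability Levels" section.
LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High", 4: "Critical", 5: "Urgent"}
FAILING_LEVELS = {3, 4, 5}   # any unresolved level 3-5 finding makes the scan noncompliant

# Constructed sample export (not from any real scanner): host, level, finding.
# The finding titles mirror the page's own examples for each level.
SAMPLE_EXPORT = """\
host,level,finding
203.0.113.5,5,Remote command execution as administrator
203.0.113.5,2,Exact service version disclosed in banner
203.0.113.6,3,Directory browsing enabled
203.0.113.6,3,Mail relaying permitted
198.51.100.10,1,Open port observed
"""


def parse_findings(text):
    """Parse the constructed CSV export into (host, level, finding) tuples,
    rejecting levels outside the 1-5 scheme so a malformed export cannot
    silently pass as compliant."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        level = int(row["level"])
        if level not in LEVEL_NAMES:
            raise ValueError(f"level out of range 1-5: {row!r}")
        rows.append((row["host"], level, row["finding"].strip()))
    return rows


def assess(findings, disputed=()):
    """Apply the compliance rule to a list of findings.

    `disputed` (hypothetical name) holds (host, finding) pairs that the ASV, after
    consulting the merchant, verified as not real PCI DSS violations. They are kept
    in the output for the record but do not count against compliance.
    """
    disputed = set(disputed)
    highest = defaultdict(int)
    failing = []
    excluded = []
    for host, level, finding in findings:
        if (host, finding) in disputed:
            excluded.append((host, level, finding))
            continue
        highest[host] = max(highest[host], level)
        if level in FAILING_LEVELS:
            failing.append((host, level, finding))
    return {
        "compliant": not failing,
        "highest_level_per_host": dict(highest),
        "failing": sorted(failing, key=lambda f: (-f[1], f[0])),
        "excluded_as_disputed": excluded,
    }


def describe(result):
    """Human-readable summary in the page's level vocabulary."""
    lines = ["COMPLIANT" if result["compliant"] else "NONCOMPLIANT"]
    for host, level, finding in result["failing"]:
        lines.append(f"  {host}: Level {level} ({LEVEL_NAMES[level]}) - {finding}")
    for host, level, finding in result["excluded_as_disputed"]:
        lines.append(f"  {host}: Level {level} verified not a violation - {finding}")
    return "\n".join(lines)


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_EXPORT)
    print(describe(assess(findings)))
    print(describe(assess(findings, disputed={("203.0.113.6", "Directory browsing enabled")})))
```

Note that disputing one Level 3 finding does not rescue a scan that still carries a Level 5 on another host; the report only turns compliant once every Level 3 to 5 finding is either fixed and rescanned or verified as not a violation.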

Suggested Links:
https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf

© 2008 PCI Compliance Guide.org