An ongoing requirement of the PCI compliance process involves having your payment card environment scanned for security vulnerabilities. For most businesses, PCI scanning must be conducted by an Approved Scanning Vendor (ASV) at least quarterly, as well as following any major change to your environment.
Many of the clients my QSA team works with admit to having limited knowledge of PCI scanning requirements. A primary issue is the timing of the scans themselves: “quarterly” doesn’t mean “once a quarter,” it means at least every 90 days. In other words, you need an internal process to ensure your ASV scans are occurring, and passing, at least every 90 days. In addition, any change made within a scanned environment before those 90 days are up should be tested with a new scan to ensure that no new security vulnerabilities were introduced.
PCI Scanning Basics
Now that I’ve clarified the timing issue, let’s take a look at the basic steps for navigating your PCI scanning responsibility.
- Division of Responsibility
It is your company’s responsibility to store and maintain a record of your Attestation of Scan Compliance documents, as well as to complete the attestation process. Submitting your scan details for the ASV certification process is also your responsibility (this comes up most often with vendors that offer both PCI and non-PCI scanning).
It’s your ASV company’s job to provide the scanning capabilities, attestation, support and—when necessary—false positive remediation. If your current vendor’s scan process isn’t working for you, shop around and find one that does.
- Addressing a Failed Scan
If an ASV scan fails, it should trigger a workflow at your organization to remediate and rescan. Because a passing scan is required at least every 90 days, you really can’t afford to wait until the last minute. If you have questions about the failure, or you believe it’s a false positive, call your ASV company.
Your ASV company will have a process in place to assess false positives, ask for evidence, and then amend the report. Unfortunately, your QSA can’t complete this step for you. The QSA simply views a pass as a pass and a fail as a fail.
- Attesting to Scans
When you sign off on the Attestation of Scan Compliance, you are attesting that it covers the entire scope of your payment card environment. If it doesn’t, the scan is insufficient. Multiple scans can be combined to show that testing covered the entire population of in-scope external/public IPs, but don’t make this any more complicated than it needs to be (unless you have to; there are sometimes good reasons). If you add IPs to your scope for whatever reason, that is a major change, and a new scan should be run ASAP.
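The two checks described above, the 90-day cadence from the timing discussion and the requirement that the attested scans cover every in-scope external IP, are easy to get wrong when they live in someone’s head. Below is an added example checker (not code from the original post, and not any ASV’s tooling) that applies both rules, plus the “rescan after a scope change” rule, to a scan history. It assumes you record each ASV scan’s date, pass/fail verdict and the external IPs it covered; the scans, scope changes and addresses (TEST-NET-3 range) are constructed sample data for a hypothetical organization.

```python
"""Added example (not from the original post): a checker for the ASV scan
timing, rescan-after-change and scope-coverage rules. All scan records,
scope changes and IP addresses below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_GAP = timedelta(days=90)  # "quarterly" in ASV terms: at least every 90 days


@dataclass(frozen=True)
class Scan:
    run_on: date
    passed: bool        # the ASV's pass/fail verdict for this scan
    ips: frozenset      # external IPs the ASV report says it covered


@dataclass(frozen=True)
class ScopeChange:
    made_on: date
    ips_added: frozenset  # new in-scope external IPs introduced by the change


def passing_scan_gaps(scans, as_of):
    """Periods longer than 90 days with no passing scan, including the period
    from the most recent passing scan up to `as_of`. Returns (start, end)
    pairs; start is None when there has never been a passing scan."""
    passes = sorted(s.run_on for s in scans if s.passed)
    gaps = []
    prev = None
    for d in passes:
        if prev is not None and d - prev > MAX_GAP:
            gaps.append((prev, d))
        prev = d
    if prev is None or as_of - prev > MAX_GAP:
        gaps.append((prev, as_of))
    return gaps


def untested_changes(scans, changes):
    """Scope changes not followed by a passing scan covering every IP they added."""
    return [
        c for c in changes
        if not any(s.passed and s.run_on >= c.made_on and c.ips_added <= s.ips
                   for s in scans)
    ]


def uncovered_scope(scans, in_scope, as_of):
    """In-scope IPs with no passing scan inside the current 90-day window.
    Several scans may be combined to cover the whole population, as the post
    allows, so coverage is the union of the passing scans in the window."""
    window_start = as_of - MAX_GAP
    covered = set()
    for s in scans:
        if s.passed and window_start <= s.run_on <= as_of:
            covered |= s.ips
    return frozenset(in_scope) - covered


def compliance_report(scans, changes, in_scope, as_of):
    gaps = passing_scan_gaps(scans, as_of)
    untested = untested_changes(scans, changes)
    uncovered = uncovered_scope(scans, in_scope, as_of)
    return {
        "gaps": gaps,
        "untested_changes": [c.made_on for c in untested],
        "uncovered_ips": sorted(uncovered),
        "compliant": not (gaps or untested or uncovered),
    }


# Constructed sample history for a hypothetical organization.
SAMPLE_SCANS = [
    Scan(date(2024, 1, 10), True,  frozenset({"203.0.113.10", "203.0.113.11"})),
    Scan(date(2024, 4, 5),  True,  frozenset({"203.0.113.10", "203.0.113.11", "203.0.113.12"})),
    Scan(date(2024, 6, 20), False, frozenset({"203.0.113.10", "203.0.113.11", "203.0.113.12"})),
    Scan(date(2024, 7, 15), True,  frozenset({"203.0.113.10", "203.0.113.11", "203.0.113.12"})),
]
SAMPLE_CHANGES = [
    ScopeChange(date(2024, 3, 1),  frozenset({"203.0.113.12"})),  # rescanned on 5 Apr
    ScopeChange(date(2024, 7, 20), frozenset({"203.0.113.13"})),  # never rescanned
]
SAMPLE_SCOPE = frozenset({"203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"})
AS_OF = date(2024, 8, 1)

if __name__ == "__main__":
    for key, value in compliance_report(SAMPLE_SCANS, SAMPLE_CHANGES, SAMPLE_SCOPE, AS_OF).items():
        print(f"{key}: {value}")
```

Run against the sample data, the report flags three problems a QSA would also flag: 101 days passed between the passing scans of 5 April and 15 July (the failed scan on 20 June does not count), the IP added on 20 July was never rescanned, and that same IP has no passing coverage in the current 90-day window. Feeding your real scan records into something like this, and reviewing the output in the weekly or monthly meeting, is a cheap way to avoid the “broken process” conversation later.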
Applying Compensating Controls
Now, for the part that everyone with scanning issues wants to talk about: The infamous Compensating Control Worksheet (CCW). All CCWs require that the intent of the control is met or exceeded, and not by using other applicable PCI controls as written. The key to using other PCI controls is exceeding the requirement.
In many instances, the quarterly ASV scan is one of the harder controls to compensate for. The intent of the PCI scanning requirement is to identify vulnerabilities in a timely manner. How exactly are you doing this without demonstrating scanning? Is it possible? Sure. Is it difficult? Very. This is the absolute last resort.
The one CCW I hear about all the time is the “broken process” CCW. If this isn’t your first-year assessment, you are expected to have a scanning process in place. Sometimes that process breaks, and then the question is: are you still compliant? In the vast majority of cases the answer is a resounding NO.
The QSA’s job isn’t to perform a risk-based assessment and produce a compliant report; it’s to report on what they see. If you have an ongoing scanning issue, you should be discussing your non-compliance with Requirement 11.2 with your acquiring bank and/or payment processor. They can decide that the risk has been mitigated and accept your non-compliant status, with or without penalty.
PCI Scanning Best Practices
Based on the above, and my observations of organizations that do this right, here are some best practices for a successful ASV scanning program:
- Dedicate at least two people to be involved in the process. That way the ball is much less likely to get dropped.
- Scan as frequently as you can and as makes sense for your organization. If you scan weekly or monthly, you are identifying vulnerabilities in a more timely manner, as well as providing a safety net in terms of meeting the requirement.
- Make review of the scans part of weekly and/or monthly meetings to review for risk and remediation plans.
- Archive/store all relevant security or compliance documentation, such as scan details, executive summaries, ASOCs, etc., in an organized fashion somewhere centralized and secure. Be sure to also keep a record of all false positive remediation.
- Read and review the Attestation before signing it, and confirm that the scope it describes is accurate before you sign off that it is.
Finally, don’t cut corners! Making sure your Internet-connected systems are secured is obviously important, and ASV scanning is not your enemy. In fact, it’s one of the less expensive PCI controls, and it will help you harden your public-facing exterior, which is obviously a high-risk area.