PCI Compliance Scanning
Keeping your customers’ credit card data and personal information safe requires constant vigilance, and a significant part of that diligence is PCI scanning.
- External PCI scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV); internal scans may be run by qualified staff
- Skipping quarterly PCI scans can put your business out of PCI compliance
- Noncompliance carries the risk of heavy penalties and worse
Why do I need PCI scans?
If you accept credit card payments, you operate systems that handle your customers’ most sensitive information. In most cases part of that environment is external facing, meaning it is reachable from the public Internet and therefore exposed to attack. (For example, if you take online payments, anyone on the Internet can send requests to the web application that feeds your payment system.)
The only things keeping that data (card numbers, expiration dates and the sensitive authentication data that passes through during a transaction) safe are the security controls in your systems. If any of those controls fails, your most valuable information is exposed to thieves, fraudsters and a variety of other abuses.
If that’s not enough to convince you of the value of PCI scanning, Requirement 11 of the PCI DSS states:
“Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.”
Requirement 11.2 of PCI DSS v3.x (the corresponding control is numbered 11.3 in v4.0) spells this out: any business that accepts card payments must
“Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications and product upgrades).”
What will happen if I don’t conduct PCI scans?
If you are not running regular scans, your business may be out of PCI compliance and you may be at greater risk of a data security breach. A breach means that someone has compromised your systems and obtained card or cardholder data. The consequences, especially if you are out of compliance, can be severe.
Penalties and fines for PCI noncompliance
The penalties for a breach while you are out of compliance can range from a warning to substantial fines. The card brands can fine acquiring banks and payment processors up to $500,000 for compliance violations, and those costs are typically passed on to you, the merchant. In addition, you are likely to see an increase in transaction fees.
The damage caused by noncompliance
Penalties can put a significant dent in the company coffers, but they are small compared to the damage a breach can do to your business. If your security is compromised while you are out of compliance, you risk losing your merchant account, which means you will be unable to accept credit cards at all.
That is damaging in itself, but merchants who lose their accounts are also placed in the Terminated Merchant File (TMF, now known as the MATCH list) shared by Visa and MasterCard, and remain ineligible for another merchant account for several years. For most businesses that loss of credibility and customer trust is very hard to recover from.
What is PCI scanning?
PCI scanning probes your network, hosts and applications for known vulnerabilities and misconfigurations, so that you can find and fix problems before an attacker does.
Application scanning for PCI compliance
Application scans look for flaws in your web applications that leave you open to a range of attacks. Some of these, such as cross-site scripting, rely on an unsuspecting user clicking a crafted link; others need no user interaction at all. Some of the most common are:
Cross-site scripting (XSS) – the application echoes attacker-supplied input into a page without encoding it, so attacker script runs in other users’ browsers, where it can steal session cookies or act on their behalf.
Remote file inclusion (RFI) – the application builds a file path or URL from user input, letting an attacker make it load and execute code from a server the attacker controls.
Structured query language (SQL) injection – user input is concatenated into database queries, letting an attacker rewrite the query to read, modify or delete data, including any stored cardholder data.
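The SQL injection flaw described above, shown as an added example that is not code from the Compliance 101 page: a login check that splices user input into the query text, beside the parameterized version an application scan would expect to find. The `users` table, the two accounts and the `' OR '1'='1` payload are constructed sample data for the demonstration.

```python
"""Added example (not from the original page): a SQL injection bug of the
kind an application scan flags, next to the parameterized fix.
Runs offline against an in-memory SQLite database with constructed rows."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: two hypothetical merchant-portal accounts.
    # Passwords are stored in plaintext here only to keep the injection
    # visible; a real system stores salted hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse battery staple"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is spliced straight into the SQL text.  A password of
    #   ' OR '1'='1
    # turns the WHERE clause into
    #   username = 'alice' AND password = '' OR '1'='1'
    # which is always true, so the caller is "logged in" without a password.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver sends the values separately from the
    # SQL text, so quote characters in the input are treated as data only.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


# Classic tautology payload a scanner (or attacker) would try in the password field.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run the payload against both implementations and return the outcomes."""
    conn = build_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "alice", PAYLOAD),
        "safe_bypassed": login_safe(conn, "alice", PAYLOAD),
        "safe_legit": login_safe(conn, "alice", "correct horse battery staple"),
        "safe_wrong_password": login_safe(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable function accepts the payload because the database sees the attacker's quote and `OR` as part of the query; the parameterized one rejects it because the same characters never reach the SQL parser. Scanners detect this class of bug by sending such payloads and watching for a changed response or a database error, so fixing the query construction, not filtering individual payloads, is what makes the finding go away.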
Authentication scanning for PCI compliance
Anyone who can reach your network is a potential path to your backend systems and databases and the data they hold. Authentication scanning looks for weaknesses in the mechanisms that control who can log in to those systems. Some of the measures tested include:
- default or weak usernames and passwords on exposed services
- how credentials are stored and transmitted
- the authentication methods each service offers
How can PCI scanning help my business?
When you conduct PCI scanning through the approved scanning vendors at Compliance 101, we provide you with an easy-to-understand report with detailed instructions on how to fix problems and improve security. We prioritize vulnerabilities from most severe to least and help you address each one. Keep in mind that a passing external ASV scan requires that no vulnerability rated CVSS 4.0 or higher remains, so remediation is followed by a rescan until the report comes back clean.