PCI DSS Compliance requires that merchants have comprehensive application vulnerability scans at least every quarter.
I reached out to ControlScan and SecurityMetrics, two leading providers in the industry, and asked them to help explain why scans are required, what protection they provide, what they cost and how to evaluate different providers. From ControlScan I spoke with CEO Joan Herbig and from SecurityMetrics, VP of Business Development Wenlock Free.
1. Why are IP scans required for PCI Compliance?
ControlScan: "The Payment Card Industry Data Security Standard requires that you scan all outward facing IP addresses. These IP addresses are not protected by the firewall, allowing a hacker to easily access the server and sensitive information through an open port. The Payment Card Industry views threats from two perspectives: internal and external. The PCI Self-Assessment Questionnaire (SAQ) identifies and mitigates risk from the inside (behind the firewall) while the IP scans identify and mitigate risk from the outside."
SecurityMetrics: "At the 2007 MasterCard Intl. Security Symposium, MasterCard said, '9 of 10 compromises would have been prevented with regular vulnerability assessment.' The reason compromises occur is because of software bugs which are exposed through your Internet-facing entry points, also known as external IP addresses. The name of the game is finding those bugs before the hackers do, and fixing them before they exploit them."
2. Beyond PCI DSS Compliance, what protection do scans provide merchants?
ControlScan: "The rules and requirements set by the PCI Security Council are meant to protect merchants from becoming victims of credit card fraud and to protect them from becoming another headline. The scanning of outward facing IP addresses is necessary in order to find vulnerabilities, or holes, where a hacker could easily gain access to a merchant's servers. The remediation of these vulnerabilities ensures that merchants are providing customers with a secure environment for transactions. Many companies have gone out of business or lost their brand reputation due to one hacking incident and the costs associated with the breach. Minneapolis and Texas have also adopted PCI Compliance into law."
SecurityMetrics: "Continuing the exploit discussion from above, the attitude towards PCI Compliance ought to be one of total risk mitigation rather than just 'compliance'. With this mentality, a 'locked down' perimeter means much less of a chance that an organization will be hacked because the 'bugs' or vulnerabilities they would normally see are presumably not there. For example, a hacker will use tools available on the Internet to scan for vulnerabilities (bugs) on a web site or app service, email server, FTP server, VPN endpoint or other external device. The hacker will then research the vulnerability report items to find scripts and other helpful info regarding that vulnerability. Then the hacker will use the info to gain root access or inject database commands or any one of a myriad of hacking methods."
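Both answers above come down to the same defensive loop: the scan lists what is reachable on your external IP addresses, and the merchant has to turn that list into a pass/fail decision and a remediation list before the attacker turns it into an entry point. The script below is an added example, not code from the article or from ControlScan or SecurityMetrics. It triages a constructed external scan report against two things a merchant controls: an inventory of the services that are meant to be exposed (anything else is a firewall gap), and a failing-severity threshold. The host names, ports and findings are invented sample data, and the CVSS 4.0 threshold is an assumed value to be set from your ASV's current program guide.

```python
"""Triage of an external (ASV-style) vulnerability scan report.

Added example; not code from the article, ControlScan or SecurityMetrics.
All hosts, ports and findings below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    title: str
    cvss: float  # CVSS base score as reported by the scanner


# Constructed sample report covering three outward-facing hosts.
SAMPLE_REPORT = [
    Finding("web.example.test", 443, "https", "TLS 1.0 enabled", 5.3),
    Finding("web.example.test", 80, "http", "HTTP service (redirects to HTTPS)", 0.0),
    Finding("mail.example.test", 25, "smtp", "SMTP banner discloses version", 2.6),
    Finding("mail.example.test", 3306, "mysql", "Database port reachable from the Internet", 7.5),
    Finding("vpn.example.test", 1194, "openvpn", "Service detected", 0.0),
]

# Assumed failing threshold: findings at or above this CVSS base score fail
# the scan. Take the real value from your ASV's current program guide.
FAIL_THRESHOLD = 4.0

# Services the merchant intends to expose on each external host. Anything the
# scan finds outside this inventory is exposure the firewall should be blocking.
EXPECTED_EXPOSURE = {
    "web.example.test": {80, 443},
    "mail.example.test": {25},
    "vpn.example.test": {1194},
}


def failing_findings(report, threshold=FAIL_THRESHOLD):
    """Findings that fail the scan, highest severity first."""
    return sorted((f for f in report if f.cvss >= threshold),
                  key=lambda f: f.cvss, reverse=True)


def unexpected_exposure(report, expected):
    """(host, port, service) triples the scan saw but the inventory does not allow."""
    seen = {(f.host, f.port, f.service) for f in report}
    return sorted(t for t in seen if t[1] not in expected.get(t[0], set()))


def scan_passes(report, threshold=FAIL_THRESHOLD):
    """True when no finding reaches the failing threshold."""
    return not failing_findings(report, threshold)


def remediation_plan(report, expected, threshold=FAIL_THRESHOLD):
    """One action line per item, in the order a merchant should work them."""
    plan = []
    # Unexpected exposure first: closing the port usually removes the finding too.
    for host, port, service in unexpected_exposure(report, expected):
        plan.append(f"{host}:{port} ({service}) is not in the exposure inventory: "
                    f"block it at the firewall, or justify it and add it to the inventory")
    for f in failing_findings(report, threshold):
        plan.append(f"{f.host}:{f.port} {f.title} (CVSS {f.cvss}): "
                    f"remediate, then request a re-scan")
    return plan


if __name__ == "__main__":
    print("Scan result:", "PASS" if scan_passes(SAMPLE_REPORT) else "FAIL")
    for line in remediation_plan(SAMPLE_REPORT, EXPECTED_EXPOSURE):
        print("-", line)
```

Run against the sample report, the scan fails on two findings and the plan puts the stray database port first, since blocking it at the firewall removes both the unexpected exposure and the highest-severity finding in one change. Keeping the exposure inventory in a file the scan is checked against each quarter is what turns "we passed" into the risk-mitigation posture the SecurityMetrics answer describes.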
3. How much do scanning services cost?
ControlScan: "Scanning services can range from $15 to $40 a month. One thing to keep in mind is that becoming PCI Compliant is more than just a scan. The PCI DSS is a set of 12 requirements that focus on specific areas of security. When evaluating which scanning vendor to use, do not assume that because you purchase a less expensive PCI scan that you are compliant."
SecurityMetrics: "Most merchants will pay $139.99 per year for full service PCI quarterly scanning and remediation help on all issues related to compliance including security policies and questionnaire assistance. The price is reduced as the IP count increases."
4. What are the differences among scanning vendors and what should merchants look for when choosing a provider?
ControlScan: "First of all, there are different types of scanning vendors. For example, a QSA or Qualified Security Assessor is certified to provide on-site remediation to Level 1 merchants, those who process over 6 million Visa or MasterCard transactions per year. An Approved Scanning Vendor is certified to provide scanning services to merchants processing less than 6 million Visa or MasterCard transactions per year. Many of these vendors focus on larger Level 2 and 3 merchants. Some vendors focus on small to mid-sized businesses, or Level 4 merchants. These merchants process under 20,000 Visa/MC transactions per year and make up the vast majority of businesses. There are vendors who only provide a scanning service and those that provide scanning and the annual Self-Assessment Questionnaire required for compliance. When evaluating different scanning vendors, merchants should first look for an ASV that has experience dealing with their type of business. If the merchant is a small to mid-sized business, they should choose an ASV who is accustomed to serving Level 4 merchants. Merchants should also make sure that the service they are purchasing meets all PCI DSS requirements and that the tools they are provided with are easy to understand as well as implement."
SecurityMetrics: "Merchants should research whether the vendor only provides scans or is a full-service provider. In other words, do they provide Payment Application consulting and auditing, PCI auditing and consulting with qualified auditors, etc. Merchants should also find out whether the service allows for management of multiple IPs (if applicable) and offers unlimited re-testing and support calls for the same price. Finally, find out whether the provider has certified Level 1 auditors on staff who can address complicated questions about real-world PCI challenges."