In this blog post, we will cover the vulnerability scan requirements of the Payment Card Industry Data Security Standard (PCI DSS). Adopting these requirements helps ensure that your environment is not only compliant with PCI regulations, but also follows security best practices. The resulting vulnerability data can also give you a deeper understanding of your environment and of where time and attention need to be spent.
The PCI vulnerability standards require that vulnerability scans be performed by an Approved Scanning Vendor, more commonly referred to as an ASV. An ASV is an organization that has gone through a rigorous qualification process with the Payment Card Industry and is therefore permitted to run the vulnerability scans that verify an organization's adherence to PCI requirements. Additionally, it is essential to note that the scope of the vulnerability scan includes all internet-facing IP addresses as well as all systems and network resources within the company's cardholder data environment (anything on the network that stores, processes or transmits credit card data).
The “Maintain a Vulnerability Management Program” section of the standard describes the scans and the required follow-up review of their results. Below, we detail the major points of the scan requirements as stated in the PCI Standard:
6.1 - Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
6.4.6 - Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
6.5 - Address common coding vulnerabilities in software-development processes as follows:
- Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
- Develop applications based on secure coding guidelines.
- For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
  - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  - Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
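As an added illustration of requirements 6.1 and 6.2 above (this is not code from the original post or from Cygilant), the following Python assigns the “high”/“medium”/“low” risk ranking to scan findings and flags high-ranked items whose vendor patch has been available for longer than the one-month window. The CVSS score boundaries, the mapping of “critical patch” to the “high” ranking, and the sample findings are assumptions constructed here.

```python
from dataclasses import dataclass
from datetime import date

# Assumed CVSS v3 base-score boundaries for the 6.1 rankings; the standard
# names the rankings but leaves the scoring method to the organization.
def risk_ranking(cvss_base_score: float) -> str:
    if cvss_base_score >= 7.0:
        return "high"
    if cvss_base_score >= 4.0:
        return "medium"
    return "low"

@dataclass
class Finding:
    host: str
    cve: str            # placeholder identifiers in the constructed sample below
    cvss: float
    patch_released: date
    patched: bool

PATCH_SLA_DAYS = 30  # requirement 6.2: critical patches within one month of release

def rank_findings(findings):
    """Count findings per risk ranking (the 6.1 view of a scan report)."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[risk_ranking(f.cvss)] += 1
    return counts

def overdue_patches(findings, today):
    """Return (host, cve, days_since_release) for unpatched findings that are
    ranked 'high' (assumed equivalent to 'critical') and past the 6.2 window."""
    overdue = []
    for f in findings:
        if f.patched or risk_ranking(f.cvss) != "high":
            continue
        age = (today - f.patch_released).days
        if age > PATCH_SLA_DAYS:
            overdue.append((f.host, f.cve, age))
    return overdue

# Constructed sample scan output; CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-XXXX-0001", 9.8, date(2020, 1, 10), False),  # high, 51 days old
    Finding("web-01", "CVE-XXXX-0002", 5.3, date(2020, 1, 10), False),  # medium, not in 6.2 window check
    Finding("db-01", "CVE-XXXX-0003", 8.1, date(2020, 2, 20), False),   # high, 10 days old
    Finding("db-01", "CVE-XXXX-0004", 7.5, date(2019, 12, 1), True),    # high but already patched
]

if __name__ == "__main__":
    print(rank_findings(SAMPLE_FINDINGS))
    print(overdue_patches(SAMPLE_FINDINGS, date(2020, 3, 1)))
```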
All this adds up to a monumental effort: implementing and maintaining a full-fledged Vulnerability Management Program. Some of the above items can (and should) be performed internally, but for others you must engage a third party. Cygilant’s Vulnerability Management and Unified Vulnerability and Patch Management service offerings can assist with these PCI tasks as well as many others. Leveraging an ASV, Cygilant can help implement a Vulnerability Management Program, reduce your organization’s attack surface by decreasing vulnerabilities by up to 60% in relatively short order, and improve your security posture. Please contact us to find out more!