
June 22, 2011

How to check whether the server is running suEXEC

Filed under: Server Security — admin @ 1:26 am

Log in to your server as root and run the following command:
[root@server]# /usr/local/cpanel/bin/rebuild_phpconf --current

If suEXEC is enabled, the output looks like this:
==============
DEFAULT PHP: 5
PHP4 SAPI: suphp
PHP5 SAPI: suphp
SUEXEC: enabled
==============
If you are not comfortable with the shell, you can also check from WHM. Log in to WHM and find "Configure PHP and suEXEC" in the menu.

Look at the "PHP 4/5 Handler" drop-down: if it shows "suPHP", the server is suEXEC enabled. The same page carries a separate "Apache suEXEC" on/off setting, which is the definitive answer.

If you have neither root nor WHM access, create a PHP file under your account from cPanel >> File Manager, change its permissions to 777 and open it in a browser. suPHP refuses to execute world-writable scripts, so a 500 Internal Server Error on that file means the server is most probably running suPHP; under mod_php the file would simply run.

You can also create a phpinfo page under your account from cPanel >> File Manager, for example phpinfo.php, containing a single call to phpinfo().

Then browse to http://yourdomainname.com/phpinfo.php and read the "Server API" line. A value beginning with "Apache" (for example "Apache 2.0 Handler") means PHP runs inside Apache as a module, so the server is not in suEXEC mode and scripts execute as the web server user. "CGI/FastCGI" means PHP runs as a CGI and the server is in suEXEC/suPHP mode, with scripts executing as the account user. Delete both test files when you are done: a world-writable script and a phpinfo page are exactly what an attacker hopes to find.
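The checks above, scripted, as an added example that is not part of the original post. The rebuild_phpconf path and the output format are the ones the post quotes; the function names, the constructed sample inputs and the /home/example account path are this example's own assumptions.

```shell
#!/bin/sh
# Added example: suEXEC/suPHP checks for a cPanel server. The rebuild_phpconf
# path and its output format are the ones quoted in the post; everything else
# (function names, the account path, the probe URL) is this example's own.

# suexec_state: read `rebuild_phpconf --current` output on stdin and print
# enabled, disabled or unknown (when no SUEXEC line is present).
suexec_state() {
    awk -F': *' '/^SUEXEC:/ { print tolower($2); f = 1 }
                 END { if (!f) print "unknown" }'
}

# sapi_mode: read phpinfo() output on stdin (the saved HTML page or plain
# text) and classify the "Server API" line: cgi = CGI/FastCGI (suPHP, script
# runs as the account user), apache = mod_php (script runs as the web server
# user), otherwise unknown.
sapi_mode() {
    awk '{ gsub(/<[^>]*>/, " ") }
         /Server API/ { if ($0 ~ /CGI/) print "cgi";
                        else if ($0 ~ /Apache/) print "apache";
                        else print "unknown"; f = 1; exit }
         END { if (!f) print "unknown" }'
}

# world_writable_php DIR: list PHP files that are world-writable. suPHP refuses
# to run these (HTTP 500), and they are a tampering risk under any handler.
world_writable_php() {
    find "$1" -type f -name '*.php' -perm -o+w
}

# probe_777 URL: the browser test from the post done with curl; prints the HTTP
# status code. 500 for a world-writable script means suPHP refused it. Needs
# network access, so it is not part of the offline checks.
probe_777() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

main() {
    if [ -x /usr/local/cpanel/bin/rebuild_phpconf ]; then
        echo "suEXEC: $(/usr/local/cpanel/bin/rebuild_phpconf --current | suexec_state)"
    else
        echo "rebuild_phpconf not found; not a cPanel server?" >&2
    fi
    # Hypothetical account path; adjust to the account you are checking.
    if [ -d /home/example/public_html ]; then
        world_writable_php /home/example/public_html
    fi
}

case "${1-}" in --run) main ;; esac
```

Run it as root with --run on the server itself; the two parser functions also work on output pasted from elsewhere, and world_writable_php is worth running over every account's public_html, not only when diagnosing a 500.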


April 27, 2011

How to disable redirection to SSL while accessing WHM, cPanel, Webmail

Filed under: Server Security — admin @ 11:49 pm

If you want to disable the redirect to an SSL connection when accessing WHM, cPanel or Webmail, follow these steps. Be aware of what this costs: with the redirect and the requirement both off, logins to cPanel (port 2082), WHM (2086) and Webmail (2095) can travel over plain HTTP, and a WHM password sniffed on the wire is a full server compromise. Only do this if something else, such as a proxy in front of the server, terminates TLS.
Log in to WHM >> Tweak Settings and uncheck the following option under Redirection:
Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.
Also uncheck the following option under Security in Tweak Settings:
Require SSL for all remote logins to cPanel, WHM and Webmail. This setting is recommended.
You can also disable both options from the shell.
SSH to the server as root.
Open /var/cpanel/cpanel.config and set the following two options to 0 (zero):
alwaysredirecttossl=0
requiressl=0
Save the file and exit.
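The same edit from the shell, as an added example that is not part of the original post: idempotent get/set helpers for the key=value lines in /var/cpanel/cpanel.config, plus an audit that flags the two options when they are off. The function names are this example's own; the file path and option names are the ones the post gives.

```shell
#!/bin/sh
# Added example, not from the original post: read and set key=value entries
# in /var/cpanel/cpanel.config from the shell, and audit the two SSL options
# so that a box where they were switched off is easy to spot. The FILE
# argument exists so the functions can be exercised on a copy or a test file.

# cpanel_get FILE KEY: print the value of KEY, empty if the key is absent.
cpanel_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# cpanel_set FILE KEY VALUE: replace the KEY= line or append one. Writes
# through a temp file and back with cat so the file's owner/mode survive.
cpanel_set() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
    fi
    cat "$tmp" > "$file"; rm -f "$tmp"
}

# audit_ssl FILE: print "ok" when both options are 1; otherwise print the
# options that are off (or unset) and return 1. With either at 0, cPanel/WHM/
# Webmail passwords can travel over plain HTTP on ports 2082/2086/2095.
audit_ssl() {
    bad=""
    for k in alwaysredirecttossl requiressl; do
        v=$(cpanel_get "$1" "$k")
        [ "$v" = 1 ] || bad="$bad $k=${v:-unset}"
    done
    if [ -n "$bad" ]; then
        echo "insecure:$bad"
        return 1
    fi
    echo ok
}

# The post's procedure, as two commands (run as root):
#   cpanel_set /var/cpanel/cpanel.config alwaysredirecttossl 0
#   cpanel_set /var/cpanel/cpanel.config requiressl 0
# and the reverse, restoring the secure defaults:
#   cpanel_set /var/cpanel/cpanel.config alwaysredirecttossl 1
#   cpanel_set /var/cpanel/cpanel.config requiressl 1
case "${1-}" in --audit) audit_ssl /var/cpanel/cpanel.config ;; esac
```

Running the script with --audit on a server is a cheap check to add to a hardening review; a non-zero exit means someone has switched the SSL protection off.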


April 5, 2011

Server Level PCI Compliance & Procedures

Filed under: Server Security — admin @ 6:00 am

PCI DSS (Payment Card Industry Data Security Standard) is the security standard created by the PCI Security Standards Council to reduce payment card fraud. It lays down detailed requirements for protecting payment card data; the core purpose is an environment in which cardholder data can be processed as securely as possible. To comply, service providers and merchants who sell over the web are required to have periodic PCI security scans, usually mandated by the card brands. PCI security scans are run over the Internet by an Approved Scanning Vendor (ASV) and pinpoint vulnerabilities and misconfigurations in websites, servers, applications and the surrounding IT infrastructure.

In most cases the ASV consults with the customer to determine which active IP addresses are within scope. Two segmentation methods can be used to reduce the scope of the PCI security scan:

• physical segmentation between the segment handling cardholder data and all other segments;

• logical segmentation in which traffic is prohibited between the segment or network handling cardholder data and other networks or segments.

The final responsibility for defining the scope of the scan rests with the merchant or service provider, though they may draw on the ASV's expertise.

PCI Scanning Procedures

PCI DSS itself defines 12 requirements that merchants must meet to be compliant; external vulnerability scanning is one of them (Requirement 11.2). The scanning procedure is as follows:

1. All scans must be executed by an ASV selected from the list of approved scanning vendors published by the PCI Security Standards Council. ASVs are required to follow the "Technical and Operational Requirements for Approved Scanning Vendors (ASVs)".

2. Scans are to be performed in accordance with PCI DSS Requirement 11.2, on a quarterly basis and after any significant change to the network.

3. Merchants and service providers are required to:

• provide the ASV with a list of all Internet-facing IP addresses and/or IP address ranges;

• provide the ASV with a list of all domains that should be scanned if domain-based virtual hosting is used.

4. The ASV scans the supplied ranges to determine which IP addresses and services are active.

5. Merchants and service providers should contract the ASV to perform periodic scans of all active IP addresses and devices.

6. The scan must cover all filtering devices, including firewalls and external routers. If a firewall or router is used to establish a demilitarized zone (DMZ), those devices must be scanned too.

7. The ASV must scan all web servers, since they are reachable from the public Internet and are the most exposed component.

8. The ASV must scan application servers, which sit between the web server and the back-end databases and legacy systems. Attackers commonly exploit a web-facing flaw to reach the internal databases that hold card data.

9. DNS servers must be scanned: an attacker who compromises or poisons DNS can redirect customers to a spoofed copy of the provider's site and harvest card details.

10. Mail servers must be scanned, as they are frequently targeted.

11. The ASV must scan virtual hosts. If a website is hosted in a shared or virtual environment, the merchant should require the hosting provider to scan its entire IP range and demonstrate compliance, while the merchant has its own domains scanned.

12. Wireless LANs introduce data security risks and must be scanned.

13. Any intrusion detection/prevention system (IDS/IPS) must be configured to let the ASV's originating IP addresses through, so that it neither blocks nor skews the scan.

Compliance Reporting

Most payment card companies have their own compliance reporting requirements for merchants and service providers. While scan reports follow a common format, the results must be submitted according to each card company's requirements.


March 29, 2011

How to disable root logins on a cPanel server

Filed under: Server Security — admin @ 10:28 pm

If you are using a cPanel server, make sure you add your admin user to the 'wheel' group so that you will be able to 'su -' to root; otherwise you will lock yourself out of root.

1. SSH into your server as 'admin' and gain root access with su -

2. Open the SSH daemon configuration in an editor: vi /etc/ssh/sshd_config

3. Find the line Protocol 2,1

4. Uncomment it and change it to Protocol 2

5. Next, find the line PermitRootLogin yes

6. Uncomment it and change it to PermitRootLogin no

7. Save the file

8. Check the configuration for mistakes with sshd -t, and only if that prints nothing restart SSH: /etc/rc.d/init.d/sshd restart. Keep your current session open and confirm that a fresh login as 'admin' followed by 'su -' works before you close it.

Now no one will be able to log in as root without first logging in as admin and using 'su -' to root, and you will be forcing the use of the more secure SSH protocol 2. (On current OpenSSH releases protocol 1 has been removed entirely, so the Protocol line may be absent; that is fine.)
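The procedure above as a script, added here as an example that is not part of the original post. It makes the two sshd_config edits idempotently, but refuses to turn root login off unless the admin user really is in the wheel group, which is the lock-out the post warns about. Function names, the optional group-file argument (there only so the membership check can be exercised against a constructed /etc/group) and the --apply entry point are this example's own; the file paths, directives and restart command are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: make the two sshd_config changes
# idempotently, but refuse to turn root login off unless the named admin user
# really is in the wheel group (otherwise you lock yourself out of root).
# The group-file argument exists only so the check can be exercised offline.

# sshd_get FILE KEY: effective value of KEY (first uncommented occurrence).
sshd_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# set_sshd_option FILE KEY VALUE: rewrite any commented or active KEY line to
# "KEY VALUE"; append the line if the file has none. Preserves file mode.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s/^[#[:space:]]*$key[[:space:]].*/$key $value/" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s %s\n' "$key" "$value"; } > "$tmp"
    fi
    cat "$tmp" > "$file"; rm -f "$tmp"
}

# user_in_group USER GROUP [GROUPFILE]: true if USER is listed as a member of
# GROUP in GROUPFILE (default /etc/group).
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "${3:-/etc/group}"
}

# harden_sshd FILE ADMIN [GROUPFILE]: the post's two edits, guarded.
harden_sshd() {
    if ! user_in_group "$2" wheel "$3"; then
        echo "refusing: $2 is not in wheel, you would lose root access" >&2
        return 1
    fi
    set_sshd_option "$1" Protocol 2 &&
    set_sshd_option "$1" PermitRootLogin no
}

# apply: run on the real file, check syntax with sshd -t, then restart. Keep
# your current session open and test a fresh 'admin' login before closing it.
apply() {
    harden_sshd /etc/ssh/sshd_config admin || exit 1
    sshd -t || { echo "sshd_config failed validation, not restarting" >&2; exit 1; }
    /etc/rc.d/init.d/sshd restart
}

case "${1-}" in --apply) apply ;; esac
```

The membership check reads the group file rather than trusting that you remembered step zero; sshd -t before the restart is the cheapest insurance against a typo that would leave sshd down on a remote box.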


March 11, 2011

How to restrict the number of simultaneous connections per vhost/directory and limit the bandwidth for files on a vhost/directory

Filed under: Server Security — admin @ 5:25 am

By enabling the 'mod_bw' module in Apache we can control the bandwidth a domain consumes. When a domain is using bandwidth through the Apache service and needs to be held within a certain limit, per directory or per file type, mod_bw is the tool for it.

(more…)
