If you have a business that stores, processes, or transmits sensitive data such as credit card information online, you must comply with the Payment Card Industry Data Security Standards (PCI DSS), which consists of 12 essential requirements to protect customers data.
Regardless of their size or sales volume, all merchants must follow PCI compliance to prevent security breaches, consumer data theft, and identity theft. Ensuring PCI compliance is also critical to building consumer confidence.
PCI compliance is often problematic for businesses. PCI security standards are highly technical, and a company may have trouble understanding how its website and public web applications meet compliance standards.
If you have a website where you get credit card numbers directly from your visitors, you must comply with PCI DSS requirements, and one of those requirements is PCI compliance scans.
A certified PCI scanning vendor (ASV) runs a series of PCI scans on your website and externally accessible IPs in PCI compliance scans, providing you with a PCI ASV scan report with an actionable vulnerability list and potential solutions.
Passing a PCI compliance scan attempt usually requires changing some of the default settings on your server to be more secure. Some of the most common things to do would be to close ports on the firewall and make sure you are using up-to-date software.
What Are PCI Compliance Scans, and Do They Apply to Your Company?
PCI DSS is a security standard for credit and debit card transactions that protect consumers from unauthorized use of their personal and sensitive information. PCI DSS is a solid document outlining the steps needed to establish a secure payment card data security process.
PCI DSS applies to all entities that accept, transmit, or store cardholder data, regardless of the size or number of transactions.
Four PCI compliance levels are based on credit card transaction volume over 12 months. Level 1 applies to any organization that processes more than 6 million credit card transactions per year. Other PCI compliance levels apply to lower throughput ranges. Each PCI compliance level comes with PCI DSS requirements that become more stringent as you increase from Level 4 to Level 1.
It should be noted that using a third-party provider to process credit card transactions does not exempt your organization from PCI DSS compliance, and it is your responsibility to be PCI compliant. Also, simply using Secure Sockets Layer (SSL) will not make your business PCI compliant. Using SSL is just one step in the PCI compliance process, but it’s not enough.
Non-PCI compliance can result in fines ranging from $5,000 to $100,000 per month until compliance is achieved. High penalties are enough to drive small businesses out of business.
The PCI DSS standard defines cardholder data as a full Primary Account Number (PAN) with any of the following:
- Name of the cardholder, expiration date, or service code
- Other sensitive authentication data, such as magnetic stripe data and PIN, must also be safeguarded.
There are also specific PCI DSS requirements for software applications:
- You must develop software applications based on industry best practices and incorporate security throughout the software development lifecycle.
- You should review proprietary code and third-party libraries before release to production or customers to identify potential coding vulnerabilities.
- You must develop your web applications based on secure coding guidelines, such as the Open Web Application Security Project Guidelines (OWASP).
Make sure all your web applications are protected from known attacks by any of the following methods:
- An organization specializing in application security should review all application codes for common security vulnerabilities.
- Install an application layer firewall (WAF) in front of web-facing applications.
If you qualify for specific Self-Assessment Questionnaires (SAQs) or store cardholder data electronically after authorization, you must perform a quarterly PCI compliance scan. PCI compliance scanning must be performed by an Approved Scan Vendor (ASV).
PCI compliance, or vulnerability scanning, is an automated test to identify vulnerabilities in a company’s information technology infrastructure and computer systems that someone could exploit or threaten.
Your bank or payment institution may require regular PCI scans by an Approved Scan Vendor (ASV) to eliminate threats to website subdomains, add-ons, applications, and your payment processor.
An external (ASV) PCI scan involves scanning every public IP address or range on your network. During an internal scan, the focus is on internal hosts in a company’s cardholder data environment. Like external scans, you should run internal scans every 90 days and after the following network changes:
- New system component installations
- Network topology changes
- Changes made to the firewall rule
- Product upgrades
If your business has publicly available web applications, you should also perform application scans.
Before performing a PCI compliance vulnerability scan, you must agree with an ASV’s company to complete the scan. The PCI Security Standards Council certifies security solution providers as scan providers to operate PCI scan services and ensure compliance with PCI DSS requirement 11.
PCI compliance scans performed externally and performed quarterly by an approved PCI Scan Vendor (ASV) are mandatory to qualify for PCI DSS (Payment Card Industry Data Security Standards) requirements.
You should scan each website and external IPs that accept credit card information quarterly and submit the ASV-approved report to the purchasing bank. Failure to do so will likely result in you losing your license to accept and process credit card information, which can be disastrous for your business given the popularity of using debit and credit cards.
Why Your PCI Compliance Scan Failed and What to Do
PCI compliance is a term often feared by business owners. While maintaining PCI compliance is essential to protecting your business and your customers from fraud, the process of keeping you in good standing can be complex and grueling.
Worse, if you receive a failing grade on the PCI compliance scan, it can be challenging to pinpoint what went wrong. Below are common reasons why your PCI compliance scan fails and what you can do about them.
1. Access Errors
Some popular antivirus programs treat external PCI scanning as an attack and block scanning IPs from accessing your system. Even measures such as a firewall or a spam filter can thwart the scan’s attempts to do its job, as the scan is seen as abnormal behavior for your system.
To fix access issues, try whitelisting the scanning service’s IP addresses. Your credit card processing partner can handle this. Another option is to disable any security software preventing the scan from completing temporarily, but this is not advised because it exposes your computer to potential threats.
2. Use of Insecure Protocols
Because you are using FTP open or plain text authentication, you may fail a PCI compliance scan. By default, when you connect to the server via FTP, your credentials are sent to the server in clear or plain text.
This means that if someone is sniffing network traffic from your computer to the server, for example, because you are on an open WiFi network, they can compromise the security of your account. Therefore, using an encrypted connection instead of clear and plain text will help protect your account.
3. Outdated Security Protocols
The SSL and TLS security protocols are designed to encrypt and secure information transmitted over the Internet. When you navigate to a website whose URL starts with “HTTPS” instead of just “HTTP,” you will see these security measures applied.
SSL is an older protocol and has been updated several times as hackers have found many ways to breach it. The latest SSLv3 protocol has been decoded and is no longer reliable to secure data.
According to PCI DSS and security best practices, the use of all SSL versions (SSLv2 and SSLv3) and initial versions of TLS (TLS 1.0) should be disabled for all open connections to the CDE.
But unfortunately, many websites still use legacy SSL protocols. Your PCI compliance scan will fail if you are still using SSLv3; you must upgrade to the newer and more secure TLS protocol.
4. Chipper/Algorithm Vulnerabilities
Encryption algorithms are designed to encode the content of a string or binary object so that an attacker without the decryption key cannot decipher the content.
Insecure Cryptographic Storage is a common vulnerability when sensitive data is not stored securely. Insecure Encryption Storage is a set of vulnerabilities, not a single exposure.
A common mistake when using cryptography is using algorithms known to be weak or broken. Over the years, many algorithms have been declared broken due to vulnerability to brute-force attacks (like DES or MD5) or flaws in the protocol itself.
Therefore, if you want to pass PCI compliance scans, you should not use your applications’ weak or security vulnerabilities encryption and algorithms.
5. SSL Certificate Configuration Errors
SSL Certificate with Incorrect Hostname, SSL Self Signed Certificate, and SSL Certificate Expired are SSL Certificate related vulnerabilities.
The recommended solution for SSL Certificate configuration errors is, public ports must have a Valid SSL Certificate signed by a Certificate Authority (CA). This means that the common name must match the target, the issuer must be a CA, and the certificate will not be allowed to expire.
6. Vulnerable Authentication Information
A flaw in your system can cause the PCI compliance scan to fail, leaving hackers free to access your data.
Some payment systems may have a vulnerability where a hacker could log in and bypass security restrictions. Once in the system, the hacker’s actions will not raise red flags as they will be recognized as an authorized user and could cause further damage without being detected.
Fortunately, patches for the most common vulnerabilities are available, and you should keep your systems up to date with these patches.
7. Unsecured Open Ports
One of the most common PCI compliance issues for a failed PCI scan is using open ports on your servers that are considered unsafe. It’s also important to note that it may not be a real security risk if your website fails for an open port due to a PCI compliance scan. You should question most such findings as false positives.
It’s important to note that changing your firewall settings can lock you out of your server if done incorrectly, so be careful when making your firewall settings.
8. Failed SSL Certificate Validation
SSL certificates are useful little data packets that identify a particular person, company, or website. You can think of the SSL certificate as proof that the entity is whom they claim to be.
If your website requests any login information, your customers’ web browsers must have an SSL certificate so that they can trust it. Without a valid and reliable SSL certificate, the browser cannot determine whether the customer is shopping from your company or a hacker pretending to be your company. If your SSL certificate is missing or not installed properly, your PCI scan will fail.
9. Sloppy Third-Party Security
Many businesses integrate with a third-party service to provide additional features to their customers. Examples are an FTP remote management service that allows your customers to upload files directly to your website or a remote login feature that allows technical support to assist a customer with a problem.
Most of these services accept unencrypted passwords, which can be disastrous if a hacker steps in, and therefore your scan will fail. To fix this, make sure your third-party apps are safe. If your current ASV scan vendor cannot meet your needs, you may need to consider switching providers.
How to Properly Run PCI Compliance Scans
A PCI vulnerability scan identifies security threats and vulnerabilities in your application. Any issues detected in PCI compliance scans should be addressed immediately.
Here are some of the most common web application attacks that PCI scans protect you from:
- Cross-site scripting (XSS) – XSS is one of the most common vulnerabilities in web applications. It allows attackers to execute scripts on a visitor’s browser on behalf of a vulnerable website without the user knowing. They may be redirected to malicious sites or exposed to other malicious activities, such as stealing their cookies.
- SQL Injections (SQLi) – SQL injection attacks involve inserting a SQL query into the application so that an attacker can read sensitive data from the database, modify database data, or perform other malicious activities.
PCI compliance scans are covered by requirement 11 of the PCI DSS standard, which focuses on network and application security. PCI DSS requirement 11 specifies that scans must be run quarterly. In other words, you need to run your scans at least every 90 days, and your scans should be passing. You should also send a summary of your past scans to the relevant bank or payment institution.
If your scan is unsuccessful, you should rescan after fixing the issues and verify a successful result or that all high-level security vulnerabilities have been resolved. The PCI DSS standard defines five levels of vulnerability, ranging from low to urgent. A high-level vulnerability is any issue between three and five levels.
It’s also important to note that if you make significant changes to your app within 90 days between scans, you should run a new scan to ensure no new vulnerabilities are discovered.
The 90-day window applicable to PCI compliance scans is the minimum and running scans more often will also increase your security level. Failure to perform regular PCI scans can result in non-compliance fines and damage to your business.
If you lose your merchant status, you may lose your ability to accept credit cards. Worse still, if you get hacked, your company’s reputation may never recover.
Scans must be performed by a PCI Approved Scan Vendor (ASV), which provides the necessary services and tools to perform the external vulnerability scanning required under PCI DSS.
A Scan Vendor solution (PCI ASV) is tested and approved by the PCI Security Standards Council (SSC) before being added to the list of approved vendors. The current PCI Approved Scan Vendors (ASV) list is available on the PCI SSC site.
Tips and best practices for successful PCI compliance scans include:
Create a team of hardworking individuals.
Even if your team is small, more than one person should be in charge of ensuring that the PCI compliance scanning process is completed correctly and regularly. It can be risky to place this responsibility in the hands of a single person.
Your team should have a central database of all compliance documents, including Compliance Certifications, reports, and executive summaries. Team members must also gather data and develop processes that your company can monitor to identify and eliminate security vulnerabilities.
Just because the PCI compliance scan requirement is every 90 days doesn’t mean it’s the best approach for your business. There is no hard and fast rule, but scanning frequency should make sense for your application and organization.
Issues to consider include transaction volume and how often you make changes to the app. If you’re making more changes to your app, you’ll need to scan more often.
The more often you can, the faster you can spot problems and fix vulnerabilities before an attacker exploits them. Frequent scans also eliminate the possibility of not meeting the quarterly PCI requirement.
Perform both external and internal vulnerability scans
External vulnerability scanning simulates an attack from outside your application, identifying ways an external attacker can break into the system. Built-in vulnerability scanning checks for vulnerabilities in your internal network. Both scan types are required for PCI compliance.
However, your ASV provider is not responsible for managing your PCI internal vulnerability scanning. You are responsible for managing your PCI internal vulnerability scanning. Some tools can automate the internal scanning process for you by checking your application codebase against PCI DSS requirements and flagging violating lines of code.
This way, you are assured that your code is breach-free while improving application security and PCI DSS compliance, with the added benefit of having more time to focus on improving your application rather than worrying about compliance.
An organization may cease to maintain compliance after passing PCI compliance scans. However, in addition to relying on an external security service, your company should develop its own best practices to achieve optimum levels of payment security and ensure that security vulnerabilities are eliminated.
Act fast and take action on failed scans
If you fail the PCI compliance scan, you must act immediately and take appropriate action. You need to provide proof of a PCI compliance scan that passes every 90 days, so you should fix any security vulnerabilities, especially high-level issues, right away. Quickly fixing vulnerabilities also protect your customers’ sensitive data and reputation.
Providing the minimum required for PCI compliance scans may sound tempting and adequate at first, but it will not yield a successful result. Frequent extensive application security testing gives you the best chance of success.
PCI DSS compliance may seem daunting, but PCI DSS requirements are there to protect both your customers and your business. Adhering to these regulations with regular PCI compliance scans ensures your application is secure and your customers’ sensitive data is protected.
How to Handle a Failed PCI Compliance Scan
PCI compliance scanning aims to ensure compliance with PCI Security Standards Council requirements. To eliminate security vulnerabilities and protect business and consumer information, you need to ensure your company meets every requirement.
When it comes to PCI scan success, your company must meet several requirements. Most importantly, you need to compile a complete list of all web-based applications and public and internal components to define a scan scope. Even if you use an ASV to run the PCI scan, your company determines the scan scope.
After defining the scope, the PCI ASV company will complete a discovery process to verify your scan coverage. The PCI ASV company will only continue scanning if the discovery results match the scan sope your company provides.
If the PCI Compliance (ASV) scan fails, it should trigger a workflow in your organization to fix and rescan. You can’t afford to wait until the last minute because scans are required every 90 days at the very least, and scans can always have unexpected issues. If you have questions about the failure or believe this is a false positive, you should contact your ASV company.
If your company passes the PCI scan, you can send the passed scan to the corresponding payment brand. If you don’t know how or to whom to send the report, contact your bank or payment brand and ask them for the name and contact information of the report recipient.
A business can fail a PCI ASV scan. If you failed the scan, you might dispute the results for reasons such as false positives, an inconclusive ASV scan, or interference preventing the scan from completing.
Every ASV has a procedure for filing ASV screening disputes. If there is a scanning dispute between your business and ASV, you cannot submit the dispute to PCI SSC. The scanning vendor should provide you with a written procedure for filing the appeal and answer any questions about the scan results.
One or more vulnerabilities cause a PCI scan error in most cases. If there are vulnerabilities, you will need to fix the issues, and ASV will rescan until your business passes a passing scan.
One requirement of the PCI SSC is that all failed scans and disputes be included in the final scan report.
Your ASV company will have a process to assess false positives, request evidence, and then amend the report. Your PCI QSA cannot complete this step for you. QSA sees only one pass as successful and one as failed.
By signing the PCI Scan Compliance Attestation, you are confirming that it covers the entire scope of your payment card environment. If there is no confirmation, the scan is insufficient. Multiple scans can be combined to show all extensive external/public IPs tests.
If you add additional IPs to your organization’s scope for any reason, it’s a significant change that should be followed by a new scan as soon as possible.
PCI Compliance Scanning Best Practices
Many organizations have difficulties understanding the requirements of PCI scans and how to execute them in their applications properly.
Scanning your payment card environment for vulnerabilities is an ongoing requirement of the PCI compliance process. For most businesses, PCI scanning should be performed by an Approved Scan Vendor (ASV) at least quarterly and following any significant changes in your environment.
The PCI compliance scan schedule is at least every 90 days. In other words, you should have an internal process and controls in place to ensure that your ASV scans are performed at least once every 90 days and that your scan is successful.
Additionally, changes made to a scanned environment before these 90 days expire should be tested with a new scan to ensure no new vulnerabilities are discovered.
Your company’s responsibility is to maintain and maintain a record of your PCI Scan Compliance Certification documents. Likewise, it is your responsibility to submit your scan details for the ASV certification process.
Your ASV company’s job is to provide scanning capabilities, validation, support, and false-positive correction as needed. If your current vendor’s scanning isn’t working for you, you’ll need to find a new vendor.
The following are some of the best practices for a successful PCI Compliance (ASV) scan:
- Set aside at least two people to be involved in the process. A competent scanning team will make it easier to manage and gain control of the scanning process.
- Scan as often as possible. If you do a weekly or monthly scan, you will detect vulnerabilities on time and provide a safety net to meet the need.
- Make scans part of weekly or monthly meetings to review risk and improvement plans.
- Organize and archive all relevant security or compliance documents, such as scan details or executive summaries, in a central and secure location.
- Be sure to keep track of all false-positive corrections.
- Review and read the Consent before signing. Also, make sure your coverage is correct before signing the report.