PCI Vulnerability Scan: A Complete Guide
Learn how to keep your company in compliance with PCI and able to accept credit card payments. The PCI scan is a quarterly requirement of PCI DSS compliance.
Consumers love the convenience of paying by card. An annual survey by the US Federal Reserve found that over 60% of consumer purchases are made with either a debit or credit card. It’s hard for businesses to survive without the ability to process card payments.
And yet, you could lose that capability if you fall out of compliance with the standard the card brands enforce. The Payment Card Industry Data Security Standard (PCI DSS) defines the practices and requirements businesses must follow to protect cardholder data and shield consumers from fraud.
Part of maintaining your compliance with PCI DSS, and with it your ability to process card payments, is completing regular PCI vulnerability scans. As the name suggests, these vulnerability assessments look for weaknesses that could let an attacker break into your systems and reach cardholder data and other sensitive information.
Companies that process credit or debit card payments need to complete regular PCI DSS scans. Here’s what to expect from the process and how to prepare your company.
What is a PCI Vulnerability Scan?
PCI vulnerability scans test merchants’ and service providers’ systems for security flaws. The scans are broad: they cover your networks, operating systems, applications, services, the third parties you connect to, and the devices your company owns.
Vulnerability scans are only one part of PCI DSS compliance. They address requirement 11, Test security of systems and networks regularly, which is one of the 12 PCI DSS requirements.
Types of PCI Scans
There are two types of PCI scans companies must regularly conduct to stay in compliance with PCI DSS: external and internal. Between them, the two scans cover the entirety of your systems.
External Vulnerability Scan
External vulnerability scans cover any part of your IT infrastructure that is public-facing or accessible from outside your network. The scanner targets public-facing IP addresses and firewalls to search for a way into your system.
It simulates an attack launched from outside your systems, the kind you would face from an attacker trying to break in. Attackers commonly target open ports, exposed third-party applications, and unpatched software or firmware to gain unauthorized access. They may also exploit insecure data transfers, such as unencrypted or weakly encrypted connections, to gain a foothold. Regularly testing every public connection between your systems and the internet helps you find these weaknesses before an attacker does.
This type of scan must be performed by an Approved Scanning Vendor (ASV) from the official PCI Security Standards Council list.
Internal Vulnerability Scan
Internal vulnerability scans look for any weaknesses in your private IT infrastructure. Though your internal systems aren’t open to the public, hackers can still find their way in through phishing attacks, email attachments that include malicious code, and account takeovers. Your systems should use principles such as zero-trust architecture to make sure anyone who gains access isn’t able to penetrate deeper.
It’s best to run two types of internal scans: credentialed (authenticated) and non-credentialed. In the former, the scanner is given valid credentials so it can log in to hosts and inspect patch levels and configuration that are invisible from the network; this approximates an attacker who has compromised an employee or admin account. The latter runs without credentials and sees only what an attacker who reached the internal network through an external weakness would see. An attacker’s entry point and permissions determine their path through your systems, so skipping either type of scan can leave vulnerabilities undiscovered. Note that PCI DSS v4.0 (requirement 11.3.1.2) makes authenticated internal scanning a requirement rather than a recommendation.
Your internal vulnerability scan can be done in-house or by an ASV.
Who Needs to Conduct PCI Scans?
PCI scans must be run by any company that processes, stores, or transmits cardholder data. Strictly speaking, the requirement comes from the card brands that founded the PCI Security Standards Council (American Express, Discover, JCB, Mastercard, and Visa) and is enforced through your acquiring bank and payment processor, but in practice any company that accepts card payments is bound by it.
The breadth of PCI’s cybersecurity requirements covers merchants and service providers, including payment gateways and payment processors. It may also cover companies like firewall providers and hosting services if credit card information passes through their systems at any time. The official Self-Assessment Questionnaire (PCI SAQ) will help you understand your obligations under PCI DSS.
PCI requires all implicated companies to conduct both internal and external scans at least once every three months. You must also rescan if you make major changes to your systems, like adding new servers or system components, relocating data, or modifying firewall rules.
Many large or high-risk companies scan more often to keep pace with newly disclosed vulnerabilities. Compliance can reduce your exposure to fines and liability after a breach, but a breach is still damaging to your brand: 28% of consumers say they’ve lost trust in companies’ ability to protect their data over the past two years, and 27% would stop doing business with a company after a data breach. Because running a scan is relatively cheap, it’s in your interest to err on the side of caution.
The PCI Compliance Scanning Process: What to Expect
Getting your systems in compliance with PCI DSS takes time, but scanning to prove their security is rather easy. Follow these eight steps to complete your scan and report the results.
Step 1: Prepare for the Scan
Running a scan before your company is ready has consequences: When you submit your PCI compliance documentation, you’ll be required to add all records of failed scans as well as the one that shows you passed. Therefore, take the time to get your systems in order before you start.
Make sure all of your software and apps are up-to-date, and apply security patches. Review the current PCI compliance standards to make sure your company follows all of them.
Step 2: Identify Your Scan Scope
Before starting your scan, it’s up to your team to scope what should be included. Map out all of your systems that store, process, or transmit cardholder data. This includes applications like payment gateways that directly touch data and those like firewalls that impact the security of your data environment. You should also make a list of people who work with credit card data.
IT is usually heavily involved in this process, as they have the most visibility into your data flows and understand how different parts of your systems are integrated.
Step 3: Choose an Approved Scanning Vendor (ASV)
Next, it’s time to find an ASV to run your external scan for you. This list from the PCI Security Standards Council (SSC) lays out your options.
You may also want to find a trusted partner to conduct your internal scan, if you’re not able to do it in-house. The PCI SSC does not test or recommend any entities or tools for internal scans.
Step 4: Run the Scan
Once you have your ASV ready to go, work with IT to allowlist the ASV’s scanning addresses so that firewalls, intrusion prevention systems, and rate limiting neither block nor distort the scan; a scanner that is blocked produces an inconclusive result, not a pass. The ASV will start with a discovery pass and compare the hosts and services it finds against the scope you laid out in step two. If it finds anything outside the declared scope, it will pause and ask you to confirm the scope before continuing. Otherwise, the scanner will spend the next few hours (how many depends on the size of your environment) methodically checking for vulnerabilities.
Step 5: Review the Results
Every vulnerability in the ASV report should be remediated, even those that didn’t cause a failure. CVSS base scores rate technical severity, not the risk a finding poses in your particular environment, so use them to order the work, not to decide whether it gets done. Less urgent fixes may take lower priority, but they should still be on your IT team’s radar.
Some findings fail the scan automatically regardless of score: default or blank credentials, software accessible with no authentication, SQL injection, cross-site scripting, directory traversal, and similar weaknesses. Beyond those, any vulnerability with a CVSS base score of 4.0 or higher fails the scan.
You can pass with open findings only if all of them score below 4.0 and none falls into an automatic-failure category.
Step 6: Remediate Vulnerabilities (If Applicable)
Failing your PCI scan means it’s time for more urgent measures. You’ll need to perform a rescan to show your company is staying on top of security issues, or you may fall out of compliance.
Some common reasons for PCI scan failure include:
Scanner blocked: If your ASV can’t reach parts of your environment because a firewall, intrusion prevention system, or rate limiter blocked its source addresses, it can’t assess them, and the result is inconclusive rather than a pass. Allowlist the ASV’s scanning addresses and confirm the configuration before the scan starts.
Insecure or outdated protocols: Every connection to and from your servers must use strong cryptography so that an attacker on the network path cannot read data or credentials. SSLv2, SSLv3, TLS 1.0, and TLS 1.1 are not compliant with current PCI standards; accept TLS 1.2 and 1.3 only, and disable weak cipher suites.
Certificate configuration errors: Every public-facing TLS service must present a certificate whose name matches the hostname clients use, that chains to a trusted certificate authority (CA), and that is neither expired nor revoked. Fixing this usually means renewing or reissuing the certificate, or correcting the installed chain so that clients can validate it.
Default credentials: If any component still has an account with its factory credentials, anyone who can look them up can log in. Change or disable every default account (such as “admin”/“admin” or “user”/“password”) before a system goes live, and make that check part of your build process.
Known vulnerabilities: If your tech stack includes tools with known and unpatched vulnerabilities, hackers can easily find their way into your system. Make sure all systems are up-to-date to fix this error; if your tech stack includes a tool that, for some reason, is not publishing patches for security issues, you need to replace it as soon as possible.
Third-party security issues: Most companies rely on third-party software and services, and you’re only as secure as your weakest link. You may be able to talk to your account manager or update vendor contracts to ensure third parties have strong security, or you may need to replace underperforming companies.
There are many other reasons a system might fail a PCI scan, and some of the remediations aren’t as quick and easy as those listed above. Making the changes required might be a labor of weeks or even months.
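The two protocol and certificate conditions above can be checked before the ASV does. The following Python script is an added example written for this article; it is not Drata’s tooling or any ASV’s scanner. It probes a host one TLS version at a time so the server can only accept or refuse that exact version, flags any accepted version that PCI DSS rejects, and applies the hostname and validity checks to a certificate in the shape `getpeercert()` returns. The hostname `pay.example.com`, the port, and the `SAMPLE_CERT` dictionary are constructed for illustration; `hardened_server_context` shows the corrected server-side setting.

```python
"""Check a TLS endpoint the way an ASV scan does: which protocol versions it
accepts, and whether its certificate matches the hostname and is unexpired.
Example code added to this article; not Drata's or any ASV's tooling."""
import socket
import ssl
import sys
import time

# Versions an ASV scan fails. SSLv2/SSLv3 cannot be negotiated by the ssl
# module at all, so only the TLS versions are probed.
NONCOMPLIANT_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PROBE_VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
                  "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def probe_tls_versions(host, port=443, timeout=5.0):
    """One handshake per version, pinning min and max so the server can only accept
    or refuse that exact version. Returns {version: "accepted"|"rejected"|"error: ..."}.
    Caveat: a modern OpenSSL may refuse to *offer* TLS 1.0/1.1 at its default security
    level; that shows up as an error (NO_PROTOCOLS_AVAILABLE), not as a server rejection."""
    results = {}
    for name, version in PROBE_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # version probe only; the cert is checked separately
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = "accepted"
        except ssl.SSLError as exc:
            reason = exc.reason or str(exc)
            # These two reasons mean the server itself refused the version.
            refused = reason in ("TLSV1_ALERT_PROTOCOL_VERSION", "UNSUPPORTED_PROTOCOL")
            results[name] = "rejected" if refused else f"error: {reason}"
        except (OSError, ValueError) as exc:  # unreachable host, or version unsupported locally
            results[name] = f"error: {exc}"
    return results


def noncompliant_versions(probe_results):
    """Versions the endpoint accepted that an ASV scan would fail it for."""
    return sorted(v for v, r in probe_results.items()
                  if r == "accepted" and v in NONCOMPLIANT_VERSIONS)


def cert_time(value):
    """Epoch seconds for a getpeercert() time such as 'Jun 15 12:00:00 2024 GMT'."""
    return ssl.cert_time_to_seconds(value)


def _hostname_matches(pattern, hostname):
    """Exact match, or one wildcard covering only the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and hostname.count(".") == pattern.count("."):
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def check_certificate(cert, hostname, now=None):
    """Name and validity-period checks on a dict shaped like getpeercert(). CA trust
    is enforced by the SSLContext during the handshake and revocation needs an OCSP/CRL
    lookup the ssl module does not do. Returns a list of problems; empty means it passes."""
    now = time.time() if now is None else now
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # the CN counts only when the certificate has no SAN at all
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_hostname_matches(n, hostname) for n in names):
        problems.append(f"hostname {hostname} not covered by {names}")
    if cert_time(cert["notAfter"]) < now:
        problems.append(f"expired on {cert['notAfter']}")
    if cert_time(cert["notBefore"]) > now:
        problems.append(f"not valid until {cert['notBefore']}")
    return problems


def hardened_server_context(certfile=None, keyfile=None):
    """Corrected server setting: TLS 1.2 floor, so no noncompliant version is negotiated."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


# Constructed sample in the shape getpeercert() returns, so the checks run offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "pay.example.com"),),),
    "subjectAltName": (("DNS", "pay.example.com"), ("DNS", "*.example.net")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":  # usage: python tls_check.py pay.example.com [443]
    host, port = sys.argv[1], (int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    results = probe_tls_versions(host, port)
    print(results, "noncompliant:", noncompliant_versions(results))
    with socket.create_connection((host, port), timeout=5) as sock:  # default ctx checks CA
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            print("certificate:", check_certificate(tls.getpeercert(), host) or "ok")
```

Run it against each public-facing hostname in scope before the ASV scan. A `rejected` for TLSv1 and TLSv1.1 alongside `accepted` for TLSv1.2 or TLSv1.3 is what a compliant endpoint looks like; an `error` for the legacy versions means the local OpenSSL would not offer them, so rerun the probe from a host whose OpenSSL security level allows them (or use the ASV's own pre-scan) before concluding the server refuses them.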
Step 7: Rescan (If Needed)
Once you’ve remediated the vulnerabilities that came up in your original scan, it’s time to rescan your systems.
Because cyber threats are constantly evolving, it’s possible for your company to have fixed all the vulnerabilities in the first report and still receive a failing score or a report with new vulnerabilities. In this case, it’s time to remediate and scan again.
Step 8: Submit Your Passing Report
Banks, payment processors, and other similar entities may require your PCI scan report. Your submission must include copies of any failed scans as well as the passed scan.
If remediation and rescanning drag on past the three-month window because new issues keep appearing, you can still demonstrate compliance. PCI DSS requires that you scan regularly and remediate what you find, so if the vulnerabilities that caused the original failure no longer exist in your systems, your sequence of scan reports shows that your company is finding and fixing weaknesses as the standard intends.
PCI Compliance is Easy With Drata
Drata’s PCI DSS compliance framework makes it easy to prepare for and pass your PCI scan. We pair a host of controls aligned with the PCI DSS SAQ with a playbook to help you make sense of what your company needs to achieve and how to achieve it.
Our PCI DSS dashboard helps you understand your PCI DSS compliance status at a glance and understand how it fits into your company’s security posture. With automated monitoring, asset tracking, and access control visibility all in one place, you’ll have the ultimate transparency into your systems. We also help you manage vendor SAQs so you can be confident your third-party services are all in compliance as well. Plus, every Drata customer gets access to our compliance experts, who can help you navigate this complex security standard.
Compliance doesn’t have to be complicated. Book a free demo with Drata to see how we can help you achieve PCI DSS compliance.
PCI Vulnerability Scan Frequently Asked Questions
Below we answer the most common questions about PCI vulnerability scans.
What is the Difference Between Internal and External PCI scans?
External PCI scans cover every public-facing part of your infrastructure, while internal scans cover company systems that can’t be accessed from outside.
Who Can Perform PCI Scans?
External PCI scans must be performed by an Approved Scanning Vendor (ASV). Internal PCI scans may be done by your company or a trusted third party.
How Often Do I Need to Run PCI Scans?
You need to run internal and external PCI scans at least once every quarter. Many companies run them monthly in recognition of how often new vulnerabilities are discovered.
What Happens If I Fail a Scan?
If you fail a scan, you need to remediate the issues and rescan your systems until the vulnerabilities have been fixed. If you think your scan failed due to technical errors on the part of your ASV, you are allowed to dispute the scan results.
Failing to address vulnerabilities could lose your company its PCI compliance, at which point your payment service providers would limit your ability to accept credit card transactions. You could also face fines and legal penalties if your company suffers a data breach while lacking PCI DSS compliance.
How Long Does It Take to Get a PCI Scan?
For most companies, a PCI scan takes a few hours to complete. Large companies with high transaction levels may need up to a few days.
How Much Does a PCI DSS Vulnerability Scan Cost?
Depending on the size of your company, you can expect to pay a few hundred to a few thousand dollars for the PCI scan. However, companies’ PCI costs also include the resources that go into preparing for the scan and remediating issues.