The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded payment cards from the major card schemes such as Visa, Mastercard, American Express and others.
The PCI DSS sets out security requirements that must be followed by merchants and service providers that store, process or transmit cardholder data. To demonstrate compliance with the PCI DSS, merchants and service providers are required to have periodic external vulnerability scans (at least quarterly, and after any significant change to the environment) performed by an Approved Scanning Vendor (ASV). An ASV is an organization, approved by the PCI Security Standards Council, with the security services and tools to conduct external vulnerability scans that validate adherence to the external scanning requirement of PCI DSS Requirement 11.2.2.
Methodology of PCI DSS Scanning
The objective of the PCI DSS ASV Scan Service is to:
Help validate compliance with the security requirements of the PCI Data Security Standard (DSS). Scans identify vulnerabilities and misconfigurations in web sites, applications and IT infrastructure reachable from Internet-facing IP addresses. Scan results provide the information needed for effective patch management and other security measures that improve protection against Internet-based attacks.
Scope of Service
The PCI DSS ASV Scan Service must cover all Internet-facing IP addresses and/or domains of the merchant or service provider. In many cases a company owns a large number of IP addresses while only a few are used for card acceptance or processing. In these cases we help merchants and service providers define the appropriate scope of the scan required to comply with the PCI DSS requirements. Our ASV solution tests every in-scope asset and recommends practical mitigation steps to meet the PCI DSS requirements. Our ASV solution follows these principles:
- Non-disruptive: the scan runs only tests that do not damage or disrupt the customer's systems or data (no denial-of-service or destructive tests are performed).
- Platform independent: the scan does not depend on the operating system, web server or application stack of the target hosts.
Process of PCI DSS ASV Scan
All scans are performed by the Cloud4C team using a PCI SSC-approved ASV scanning solution.
Step 1: Scope Validation
Customers provide us with a list of all Internet-facing IP addresses and/or IP address ranges to be scanned. The Cloud4C team validates the scope of the target list and probes the network to determine which hosts and services are active. The Cloud4C team performs the following activities:
- Ping sweeps, port scans and route tracing
- Footprinting of networks and systems
- Searches of Internet domain name registration records (WHOIS)
- Domain name system (DNS) lookups
Step 2: Performing ASV Scan
- The ASV scanning solution is run against the validated target list: host discovery (ping sweeps, port scans and route tracing) followed by service and version detection on every open port, which provides the input for the vulnerability analysis in the next step.
Step 3: Vulnerabilities & Gap Analysis
- The Cloud4C team builds a picture of the environment and determines which vulnerabilities are present. Some vulnerabilities are apparent from the information gathered in the first two steps alone (for example a service version known to be affected). Many others can only be confirmed by probe-and-response testing: the Cloud4C team sends data to a service or application and looks for a specific response that indicates the presence of a vulnerability.
Step 4: Reporting
- After analysis of the vulnerabilities and identification of gaps, the Cloud4C team provides a detailed report of the security issues found in the network that lead to non-compliance with PCI DSS requirements, together with recommendations for bringing the environment into compliance.
Prerequisites
To ensure successful and smooth execution of the PCI DSS ASV Scan Service, the following information and preparation needs to be in place:
- Intrusion Detection System/Intrusion Prevention System (IDS/IPS): any IDS/IPS must be configured so that it does not block or throttle traffic from the Cloud4C scanner IP addresses during the scanning period. A scan that is blocked by active protection is inconclusive and cannot be used to demonstrate compliance.
- Firewalls and access-control lists: the normal Internet-facing rules must stay in place, because the scan has to see the hosts exactly as an attacker on the Internet would. Only automatic blocking or rate limiting triggered by the scan traffic itself should be relaxed for the scanner's source IP addresses.
Upon completion of the PCI DSS ASV Scan Service, a detailed report will be sent to client, including the following:
- Executive Summary: a summary of the overall compliance status (pass or fail) and, for each vulnerability found, whether it causes the scan to fail or not.
- Findings: A detailed, technical explanation of the findings of the scan along with recommendation will be given.
- Conclusion & Recommendations: This section provides all recommendations and summary of the issues found during the security assessment.
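The two decisions that carry the most weight in the process above are the scope validation in Step 1 (what is and is not an Internet-facing address) and the per-vulnerability pass/fail roll-up that appears in the executive summary. The following Python script is an added example, not Cloud4C's tooling, showing both as a practitioner would check them before and after a scan. The customer target list and the scan findings are constructed sample data, the helper names are my own, and the pass/fail rule is the ASV Program Guide's threshold (a CVSS base score of 4.0 or higher fails the host); everything else about the customer's environment is assumed.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges that can never be Internet-facing and therefore never in ASV scope.
# The RFC 5737 documentation ranges (203.0.113.0/24 etc.) stand in for a customer's
# public addresses in this example, so they are deliberately not listed here even
# though ipaddress.is_global would reject them.
OUT_OF_SCOPE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]
MAX_RANGE = 1024           # a single entry larger than this is most likely a typo (/16 for /24)
ASV_FAIL_THRESHOLD = 4.0   # ASV Program Guide: CVSS base score of 4.0 or higher fails the host

# Constructed sample input: the target list a customer might hand over in Step 1.
CUSTOMER_TARGETS = [
    "203.0.113.10",
    "203.0.113.8/29",     # 203.0.113.8 - 203.0.113.15, overlaps the entry above
    "198.51.100.7",
    "10.0.0.5",           # RFC 1918 address: not Internet-facing, out of ASV scope
    "127.0.0.1",          # loopback
    "203.0.113.10",       # duplicate
    "203.0.0.0/16",       # far too large, almost certainly a mistake in the list
    "not-an-address",     # typo
]


def validate_scope(entries):
    """Expand CIDR ranges, drop duplicates and reject anything that cannot be an
    Internet-facing address. Returns (in_scope, rejected): a sorted list of address
    strings and a dict of offending entry -> reason to confirm with the customer."""
    in_scope = set()
    rejected = {}
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected[entry] = "not a valid IP address or CIDR range"
            continue
        if net.num_addresses > MAX_RANGE:
            rejected[entry] = f"range of {net.num_addresses} addresses exceeds {MAX_RANGE}; confirm with customer"
            continue
        bad = next((n for n in OUT_OF_SCOPE if n.version == net.version and net.overlaps(n)), None)
        if bad is not None:
            rejected[entry] = f"overlaps non-routable range {bad}"
            continue
        in_scope.update(net)  # every address in the range is scanned, not just host addresses
    return [str(a) for a in sorted(in_scope, key=lambda a: (a.version, int(a)))], rejected


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float               # CVSS base score as reported by the scanner
    auto_fail: bool = False   # finding types the ASV Program Guide fails regardless of score


def finding_fails(f):
    """Per-vulnerability pass/fail as shown in the executive summary."""
    return f.auto_fail or f.cvss >= ASV_FAIL_THRESHOLD


def asv_summary(in_scope, findings):
    """Roll findings up to per-host and overall pass/fail. Findings on hosts outside the
    validated scope are returned separately: they mean the scope or the scan target list
    is wrong and must be resolved before the report can be issued."""
    hosts = {h: [] for h in in_scope}
    unexpected = []
    for f in findings:
        if f.host in hosts:
            hosts[f.host].append((f, finding_fails(f)))
        else:
            unexpected.append(f)
    failed_hosts = sorted((h for h, items in hosts.items() if any(fail for _, fail in items)),
                          key=ipaddress.ip_address)
    return {"overall": "FAIL" if failed_hosts else "PASS",
            "failed_hosts": failed_hosts, "hosts": hosts, "unexpected": unexpected}


# Constructed sample findings, as a scanner might report them after Step 3.
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", 443, "Weak TLS cipher suites offered", 4.3),
    Finding("203.0.113.10", 80, "Missing HTTP security headers", 2.6),
    Finding("198.51.100.7", 22, "SSH banner discloses software version", 2.6),
    Finding("203.0.113.9", 8080, "Management interface exposed to the Internet", 5.0),
    Finding("192.0.2.44", 443, "Expired TLS certificate", 4.0),  # host is not in the validated scope
]

if __name__ == "__main__":
    scope, rejected = validate_scope(CUSTOMER_TARGETS)
    print(f"{len(scope)} addresses in scope; rejected entries: {rejected}")
    summary = asv_summary(scope, SAMPLE_FINDINGS)
    print(f"overall: {summary['overall']}, failed hosts: {summary['failed_hosts']}")
    for f in summary["unexpected"]:
        print(f"finding on {f.host} is outside the validated scope: {f.title}")
```

The rejected entries are the ones to take back to the customer before scanning starts; the unexpected findings are the ones to resolve before the report is signed, since an ASV report only covers the scope that was agreed.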
Service delivery time
A PCI DSS ASV Scan of about 10 external IT assets can be completed in two business days.