PCI Scanning


Payment Card Industry (PCI) compliance is made up of two parts. The first part is a scan of the merchant's computer and network systems. The second part is self assessment questionnaire covering twelve items. This post discusses the scanning of the merchant's computer and network. The detailed reference for the scanning operation and report is on PCI's web site at https://www.pcisecuritystandards.org/pdfs/asv_program_guide_v1.0.pdf.

The scan must be done by an organization on the Approved Scanning Vendor (ASV) list. The current list is at https://www.pcisecuritystandards.org/pdfs/asv_report.html. At the time of this post there are 156 ASVs. The automated scanning operation is to be non-disruptive (does not crash or cause a denial-of-service) and non-intrusive (does not require installed software or other direct access to the server). The scan must perform the following checks

  1. Host Discovery (identify related servers - e.g., mail, www)
  2. Service Discovery (determine services provided by the server, including FTP, database, and file sharing)
  3. Operating System and service identification


Once the above steps are performed, service scanning begins on every unique host identified in step (1). The service scanning identifies those services that may have potential security vulnerabilities. The scan operation identifies software that is not up to the proper revision (e.g. FTP server software), services that should not be available to the Internet (e.g., database), insufficient use of encryption (e.g., http), wireless access points, malware, and other potential problems.

Not everything identified in the scan is a problem. The PCI Scan process allows you (the merchant) to The automated scan may generate false positives. These can be disputed with evidence that the identified service meets the required security level. The ASV must investigate and report back on any disputed items that cause a failure condition in the scanning report.

Prior to any scan being run on your system, you will get a notice from your merchant bank that you need to be PCI Compliant. The bank may or may not offer the services of an ASV. If it is offered, it is a good idea to seriously consider the bank's offer - it will likely be cheaper than any service you can locate. Schedule the initial scan as soon as possible so there is sufficient time to fix any problems.

Once the scan is run go over it with your web master/designer and/or the web site hosting company. If you are not getting sufficient help from them, it is time to consider changing. You can only be PCI compliant when the web site designer and hosting company are working with you. You will need their assistance getting all identified vulnerabilities resolved.

In addition to passing the PCI scan, it is necessary to answer the appropriate self assessment questionnaire (SAQ). Your merchant bank can help you determine which SAQ to fill out. The details of the SAQ will be covered in a future blog post.