GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

The United States of microfinance

Patti Murphy
The Takoma Group


Industry Update

FDIC to seek public input on financial reform rules

Are thermal paper receipts toxic?

PCI SSC summarizes changes to upcoming standards


Research Rundown

Breaches across America
Installment three

Selling Prepaid

Prepaid in brief

Getting started in prepaid

Barry J. Kessler

King of the 'plastic' jungle


The Dodd-Frank Act: What it might mean for issuers and acquirers

Mark Brady and Ross Federgreen
CSRSI, The Payment Advisors

Respect yourself, elevate our profession: Quit selling on price

Jeffrey Shavitz
Charge Card Systems Inc.

Patent, patent, who's got a patent?

Brandes Elitch
CrossCheck Inc.


Street SmartsSM:
Riding the merchant chargeback learning curve

Ken Musante
Eureka Payments LLC

Use three basic desires to your marketing advantage

Daniel Wadleigh
Marketing Consultant

Assignment provisions in ISO and agent agreements

Adam Atlas
Attorney at Law

Social media and the MWAA

Peggy Bekavac Olson
Strategic Marketing

A primer on PCI scans

Tim Cranny
Panoptic Security Inc.

Considering consequences improves results

Jeff Fortney
Clearent LLC

Company Profile

SignatureLink Inc.

New Products

Data management for ISOs, merchants

Nucleus Platform


Organize your life for peace of mind


2010 Calendar of events



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

September 13, 2010  •  Issue 10:09:01

previous next

A primer on PCI scans

By Tim Cranny

Many merchants, ISOs, merchant level salespeople (MLSs) and even acquirers are unsure about the role vulnerability scans play in the Payment Card Industry (PCI) Data Security Standard (DSS).

This isn't surprising, given that many people in the industry are still uncomfortable with PCI, and the issue of scans in particular has been confused and distorted by vendors, security advisors, pundits and the creators of the standard.

This article will explore how to think about scans, describe what they are (and what they aren't), what to look for in a scan vendor, and where the most common pain points are.

Why are scans necessary?

The simplest answer is that the payment brands demand scans of their merchants, thus creating the necessity to have the scans done. But there are also valid, impartial reasons why scans are a good idea and a necessary part of keeping sensitive data safe from intruders.

A huge (and growing) number of merchants use the Internet or web to work with their processors or business partners, or to give their customers easy access to products, services or information.

For them, providing customers access to these computer systems is as essential as a brick-and-mortar business letting customers come in the front door. And, just like doors need locks to prevent access by thieves, computer systems need to be locked down so identity thieves, hackers and vandals don't get in.

External vulnerability scans do not actively perform security functions by attacking attackers; they are not like a drug that actively fights disease. They are more like a medical test to see if you are vulnerable to a particular disease.

Another analogy people use is that scans are like the security guard who comes around the building each night, rattling the doorknobs to make sure the locks are being used and working properly.

With cyber criminals, protecting against attack means both active security measures and regular scans/tests of their effectiveness.

What exactly are scans?

External vulnerability scans consist of a series of fairly simple tests performed by a computer outside of your company and applied to computers you have that can be reached by that outside computer.

These tests basically check to see if your computers look likely to resist and ignore attacks or if they can be fooled into responding when they shouldn't. These tests can be done remotely and via automation, meaning they can be performed quickly, simply and cheaply.

Much more detailed types of tests (called penetration tests rather than vulnerability scans) can be performed, but they take more time, effort and expertise, and they are correspondingly more expensive.

It might help to compare the quick and simple vulnerability scan to the blood-pressure test you get from a nurse: it's useful and important, but don't confuse it with the more expensive and time-consuming tests you'd get from a pathologist.

Who needs scans?

The PCI DSS basically says that if a merchant's systems can be scanned, they must be scanned. The only merchants who escape the requirement are those who can't be scanned because they don't have computers or those whose computers aren't normally connected to the Internet (they either have no connectivity to public networks or have intermittent connectivity via dial-up rather than constant connectivity via broadband).

Who can perform scans?

Merchants can only get scans from a company that has been certified by the PCI Security Standards Council as an Approved Scanning Vendor (ASV). ASVs are listed on the council's website at

The reason for requiring vendors to obtain approval before conducting scans is to make sure minimal standards are kept. Without this, both the price and quality of scans would quickly fall to zero in a vendor race-to-the-bottom.

How often should scans be done?

Scans must be performed at least once a quarter. They need to be done regularly for the same reason that security patrols of buildings or medical checks need to be done regularly: being safe today does not mean you'll be safe tomorrow. Too many things can change inside your world or externally, including the emergence of new types of threats designed to get past your defenses.

Do scans satisfy PCI requirements?

The role of scanning in satisfying PCI requirements is an area that confuses a great number of people in three primary ways:

  1. Scans are not PCI: They are just a piece of PCI, and all merchants need to deal with a much broader range of issues as part of completing their annual Self-Assessment Questionnaire (SAQ). Likening the PCI process to a medical checkup, a scan would be like a blood pressure test: a quick, simple, standard part of the broader checkup - but obviously just one part.

  2. Passing a scan does not mean you are done with PCI: Passing a PCI scan does not mean you have passed PCI or that you've finished with the paperwork. Merchants, even small ones, are also required to complete an annual SAQ, which covers a range of issues that scans don't even begin to consider.

  3. Passing a scan does not mean you are safe: A passing scan means you've avoided some obvious dangers, but it doesn't mean you are safe from attackers (a good result on your blood pressure test does not mean you're immune to diabetes, the flu, alligators or drunk drivers).

    Get the test, and fix any problems it identifies, but also protect your business from other threats. The SAQ is not perfect, but it gives merchants and their ISOs and banks a good place to start in identifying and dealing with potential threats.

What are the real-world pains?

I regularly see a few repeated problems that ISOs and merchants have with the scanning process. The top issues include:

What should I do about it?

Because of the way PCI has set up the scan requirements, ISOs must work with an ASV rather than do the scans in-house. In choosing an ASV, ISOs need to remember that scans are all about two things: technical details (like the pileup of geek terms above), as well as support and communication.

ISOs and MLSs need to make sure that they or their partners are prepared and able to handle both of these issues.

Doing so will make the difference between expensive failure and confusion on the one hand and more content and lower-maintenance merchant customers on the other.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. ( He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at or 801-599 3454.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | USAePay | Impact Paysystems | Board Studios