The Green Sheet Online Edition
September 13, 2010 • Issue 10:09:01
A primer on PCI scans
Many merchants, ISOs, merchant level salespeople (MLSs) and even acquirers are unsure about the role vulnerability scans play in the Payment Card Industry (PCI) Data Security Standard (DSS).
This isn't surprising, given that many people in the industry are still uncomfortable with PCI, and the issue of scans in particular has been confused and distorted by vendors, security advisors, pundits and the creators of the standard.
This article will explore how to think about scans, describe what they are (and what they aren't), what to look for in a scan vendor, and where the most common pain points are.
Why are scans necessary?
The simplest answer is that the payment brands demand scans of their merchants, thus creating the necessity to have the scans done. But there are also valid, impartial reasons why scans are a good idea and a necessary part of keeping sensitive data safe from intruders.
A huge (and growing) number of merchants use the Internet or web to work with their processors or business partners, or to give their customers easy access to products, services or information.
For them, providing customers access to these computer systems is as essential as a brick-and-mortar business letting customers come in the front door. And, just like doors need locks to prevent access by thieves, computer systems need to be locked down so identity thieves, hackers and vandals don't get in.
External vulnerability scans do not actively perform security functions by attacking attackers; they are not like a drug that actively fights disease. They are more like a medical test to see if you are vulnerable to a particular disease.
Another analogy people use is that scans are like the security guard who comes around the building each night, rattling the doorknobs to make sure the locks are being used and working properly.
With cyber criminals, protecting against attack means both active security measures and regular scans/tests of their effectiveness.
What exactly are scans?
External vulnerability scans consist of a series of fairly simple tests performed by a computer outside of your company and applied to computers you have that can be reached by that outside computer.
These tests basically check to see if your computers look likely to resist and ignore attacks or if they can be fooled into responding when they shouldn't. These tests can be done remotely and via automation, meaning they can be performed quickly, simply and cheaply.
Much more detailed types of tests (called penetration tests rather than vulnerability scans) can be performed, but they take more time, effort and expertise, and they are correspondingly more expensive.
It might help to compare the quick and simple vulnerability scan to the blood-pressure test you get from a nurse: it's useful and important, but don't confuse it with the more expensive and time-consuming tests you'd get from a pathologist.
Who needs scans?
The PCI DSS basically says that if a merchant's systems can be scanned, they must be scanned. The only merchants who escape the requirement are those who can't be scanned because they don't have computers or those whose computers aren't normally connected to the Internet (they either have no connectivity to public networks or have intermittent connectivity via dial-up rather than constant connectivity via broadband).
Who can perform scans?
Merchants can only get scans from a company that has been certified by the PCI Security Standards Council as an Approved Scanning Vendor (ASV). ASVs are listed on the council's website at www.pcisecuritystandards.org/pdfs/asv_report.html.
The reason for requiring vendors to obtain approval before conducting scans is to make sure minimal standards are kept. Without this, both the price and quality of scans would quickly fall to zero in a vendor race-to-the-bottom.
How often should scans be done?
Scans must be performed at least once a quarter. They need to be done regularly for the same reason that security patrols of buildings or medical checks need to be done regularly: being safe today does not mean you'll be safe tomorrow. Too many things can change inside your world or externally, including the emergence of new types of threats designed to get past your defenses.
Do scans satisfy PCI requirements?
The role of scanning in satisfying PCI requirements is an area that confuses a great number of people in three primary ways:
- Scans are not PCI: They are just a piece of PCI, and all merchants need to deal with a much broader range of issues as part of completing their annual Self-Assessment Questionnaire (SAQ). Likening the PCI process to a medical checkup, a scan would be like a blood pressure test: a quick, simple, standard part of the broader checkup - but obviously just one part.
- Passing a scan does not mean you are done with PCI: Passing a PCI scan does not mean you have passed PCI or that you've finished with the paperwork. Merchants, even small ones, are also required to complete an annual SAQ, which covers a range of issues that scans don't even begin to consider.
- Passing a scan does not mean you are safe: A passing scan means you've avoided some obvious dangers, but it doesn't mean you are safe from attackers (a good result on your blood pressure test does not mean you're immune to diabetes, the flu, alligators or drunk drivers).
Get the test, and fix any problems it identifies, but also protect your business from other threats. The SAQ is not perfect, but it gives merchants and their ISOs and banks a good place to start in identifying and dealing with potential threats.
What are the real-world pains?
I regularly see a few repeated problems that ISOs and merchants have with the scanning process. The top issues include:
- Identifying which systems need to be scanned: This is tied in to the PCI question of scope, or identifying what systems need to be worried about and which don't. There are dozens of details to consider, but the general rule should be: when in doubt, include systems in the scan. The cost is low, and it is better to overdo security than to underdo it.
This problem is going to become more complex with time. For example, the old distinctions between dial-up and broadband services are blurring in a world with growing use of Voice over IP (basically dial-up via broadband).
And the issue of merchants' needing scans when using virtual terminals is confusing and frustrating for almost everyone involved.
One strong sign of this confusion that I often see is ISOs who regularly and dramatically underestimate the number of the merchants in their portfolios who need scans.
- Dealing with technology issues: Most of the time people can ignore almost all the technical machinery that makes the web and Internet work, but with scans that ability goes away.
A significant number of merchants have trouble when confronted with the world of modern networking - Internet protocol (IP) addresses, public versus private, loopback addresses, ports, and acronyms like NAT, TCP, DNS and so on.
The problem is going to get worse in some respects: in the next 12 months more people be will forced to use IP version 6, which is a necessary upgrade but will likely make PCI compliance more messy and complicated for the average merchant, at least initially.
- Interpreting and responding to results: When a scan is complete, the merchant gets a report listing which tests were passed and failed. This report can be perplexing for merchants, and that can very quickly create a surprisingly expensive support problem for ISOs.
What should I do about it?
Because of the way PCI has set up the scan requirements, ISOs must work with an ASV rather than do the scans in-house. In choosing an ASV, ISOs need to remember that scans are all about two things: technical details (like the pileup of geek terms above), as well as support and communication.
ISOs and MLSs need to make sure that they or their partners are prepared and able to handle both of these issues.
Doing so will make the difference between expensive failure and confusion on the one hand and more content and lower-maintenance merchant customers on the other.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at email@example.com or 801-599 3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.