By Tim Cranny
Panoptic Security Inc.
Many merchants, ISOs, merchant level salespeople (MLSs) and even acquirers are unsure about the role vulnerability scans play in the Payment Card Industry (PCI) Data Security Standard (DSS).
This isn't surprising, given that many people in the industry are still uncomfortable with PCI, and the issue of scans in particular has been confused and distorted by vendors, security advisors, pundits and the creators of the standard.
This article will explore how to think about scans, describe what they are (and what they aren't), what to look for in a scan vendor, and where the most common pain points are.
The simplest answer is that the payment brands demand scans of their merchants, thus creating the necessity to have the scans done. But there are also valid, impartial reasons why scans are a good idea and a necessary part of keeping sensitive data safe from intruders.
A huge (and growing) number of merchants use the Internet or web to work with their processors or business partners, or to give their customers easy access to products, services or information.
For them, providing customers access to these computer systems is as essential as a brick-and-mortar business letting customers come in the front door. And, just like doors need locks to prevent access by thieves, computer systems need to be locked down so identity thieves, hackers and vandals don't get in.
External vulnerability scans do not actively perform security functions by attacking attackers; they are not like a drug that actively fights disease. They are more like a medical test to see if you are vulnerable to a particular disease.
Another analogy people use is that scans are like the security guard who comes around the building each night, rattling the doorknobs to make sure the locks are being used and working properly.
With cyber criminals, protecting against attack means both active security measures and regular scans/tests of their effectiveness.
External vulnerability scans consist of a series of fairly simple tests performed by a computer outside of your company and applied to computers you have that can be reached by that outside computer.
These tests basically check to see if your computers look likely to resist and ignore attacks or if they can be fooled into responding when they shouldn't. These tests can be done remotely and via automation, meaning they can be performed quickly, simply and cheaply.
Much more detailed types of tests (called penetration tests rather than vulnerability scans) can be performed, but they take more time, effort and expertise, and they are correspondingly more expensive.
It might help to compare the quick and simple vulnerability scan to the blood-pressure test you get from a nurse: it's useful and important, but don't confuse it with the more expensive and time-consuming tests you'd get from a pathologist.
The PCI DSS basically says that if a merchant's systems can be scanned, they must be scanned. The only merchants who escape the requirement are those who can't be scanned because they don't have computers or those whose computers aren't normally connected to the Internet (they either have no connectivity to public networks or have intermittent connectivity via dial-up rather than constant connectivity via broadband).
Merchants can only get scans from a company that has been certified by the PCI Security Standards Council as an Approved Scanning Vendor (ASV). ASVs are listed on the council's website at www.pcisecuritystandards.org/pdfs/asv_report.html.
The reason for requiring vendors to obtain approval before conducting scans is to make sure minimal standards are kept. Without this, both the price and quality of scans would quickly fall to zero in a vendor race-to-the-bottom.
Scans must be performed at least once a quarter. They need to be done regularly for the same reason that security patrols of buildings or medical checks need to be done regularly: being safe today does not mean you'll be safe tomorrow. Too many things can change inside your world or externally, including the emergence of new types of threats designed to get past your defenses.
The role of scanning in satisfying PCI requirements is an area that confuses a great number of people in three primary ways:
Get the test, and fix any problems it identifies, but also protect your business from other threats. The SAQ is not perfect, but it gives merchants and their ISOs and banks a good place to start in identifying and dealing with potential threats.
I regularly see a few repeated problems that ISOs and merchants have with the scanning process. The top issues include:
This problem is going to become more complex with time. For example, the old distinctions between dial-up and broadband services are blurring in a world with growing use of Voice over IP (basically dial-up via broadband).
And the issue of merchants' needing scans when using virtual terminals is confusing and frustrating for almost everyone involved.
One strong sign of this confusion that I often see is ISOs who regularly and dramatically underestimate the number of the merchants in their portfolios who need scans.
A significant number of merchants have trouble when confronted with the world of modern networking - Internet protocol (IP) addresses, public versus private, loopback addresses, ports, and acronyms like NAT, TCP, DNS and so on.
The problem is going to get worse in some respects: in the next 12 months more people be will forced to use IP version 6, which is a necessary upgrade but will likely make PCI compliance more messy and complicated for the average merchant, at least initially.
Because of the way PCI has set up the scan requirements, ISOs must work with an ASV rather than do the scans in-house. In choosing an ASV, ISOs need to remember that scans are all about two things: technical details (like the pileup of geek terms above), as well as support and communication.
ISOs and MLSs need to make sure that they or their partners are prepared and able to handle both of these issues.
Doing so will make the difference between expensive failure and confusion on the one hand and more content and lower-maintenance merchant customers on the other.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599 3454.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next