A PCI network vulnerability scan is an automated, high-level test that finds and reports potential vulnerabilities in an organization’s network.

Regardless of size, the Payment Card Industry Data Security Standard (PCI DSS) requires that all businesses run internal and external network vulnerability scans at least once every quarter and after any significant changes to their networks.

A significant change is an upgrade or modification that may put cardholder data at risk or affect the security of the cardholder data environment. Examples include adding new servers, moving cardholder data to a new server, removing the system that stores cardholder data, or implementing a new system to store cardholder data.

Vulnerability scanning after significant changes should be done in a reasonable period of time. For example, if a company makes significant changes to its system the Thursday or Friday after its quarterly external scan, it should test its changes and conduct vulnerability scanning that weekend.

Importance of vulnerability scanning

The PCI DSS mandates vulnerability scanning because scans are one of the best methods to uncover potential vulnerabilities that could be exploited by malicious individuals.

External PCI network vulnerability scans look for flaws at a company’s network perimeter or website that cybercriminals could exploit to attack the network. Internal vulnerability scans look for network vulnerabilities inside the organization’s network.

Both internal and external scans should cover the organization's internal and external IP addresses, including the services and ports exposed on them, and check each for vulnerabilities.

PCI DSS requirement 11.2, also known as the scanning requirement, is one of the most well-known PCI DSS requirements. However, this requirement isn't just about scanning network components and servers to find vulnerabilities; it's also about remediating them and changing processes to prevent future vulnerabilities. Once weaknesses are identified, the organization corrects them in order of criticality and rescans until all identified vulnerabilities have been resolved.

Vulnerability scanners come in several forms, including tools operated by approved scanning vendors (ASVs), GUI-based products, command-line scripts, and open source tools, each containing checks for known vulnerabilities.

Who performs PCI network vulnerability scans?

Quarterly external scans must be performed by an ASV; however, scans conducted after network changes may be performed by the company’s internal staff.

Make sure that the ASV conducting your external scans isn't the same person performing your quarterly internal scans.

Although the ASV may have set up an internal vulnerability scanning tool or appliance inside the company's network, the ASV is probably not handling the organization's internal vulnerability scanning requirements. That's why a company should make sure that someone is explicitly responsible for performing the internal scans needed for PCI compliance.

Internal vulnerability scanning could be done by an ASV, a qualified security professional, or a qualified employee. However, the person who performs the internal scan has to be independent of the scanned component or device.

For example, if an organization has to conduct an internal scan on its firewalls, it must select a person who doesn’t handle firewall administration to run the scans. Even if the firewall administrator is qualified, that individual is not independent of the system that’s being scanned.

A number of tools are available to help you meet the PCI internal vulnerability scan requirement, including vulnerability scanning devices and solutions. Ask your ASV for recommendations.

After the vulnerability scan and scan report are completed, the organization is responsible for fixing any identified vulnerabilities, because the company itself is responsible for maintaining its PCI compliance.