You’ve likely heard that merchants need to have a PCI compliance scan, a.k.a. network scan or vulnerability scan, in order to achieve PCI Data Security Standard compliance (PCI DSS 3.2). That is partially true. I have been reading up on the various requirements and types of scans myself lately, so I thought it would be helpful to share what I’ve learned.
Here it goes.
First, let’s start with the basics. The lingo. A PCI compliance scan is also called a network scan, vulnerability scan, or vulnerability test. I will use the word “scan” from here on out to preserve our sanity. There are both external and internal scans. They are run remotely by an automated tool that checks a merchant’s networks and web applications for vulnerabilities. In simplest terms, external scans identify potential holes on the Internet-facing side of a merchant’s firewall that could be easy targets for hackers or malware. Internal scans focus on potential vulnerabilities that may exist behind the merchant’s firewall.
Here are more details about each type of PCI compliance scan.
External scans
The external scan is the most well-known of the two, likely because external network scans must be completed by an Approved Scanning Vendor (ASV) according to the PCI Security Standards Council.
Scans are required for merchants whose method of accepting payments is connected to the Internet. Scans are required for PCI Self-Assessment Questionnaires (SAQs) A-EP, B-IP, C, and D.
Merchants are required to have an external scan performed every 90 days to maintain PCI compliance. Some Approved Scanning Vendors allow merchants to sign up for auto scans so that they don’t have to remember to run the scan once a quarter.
Internal scans
The lesser-known scan is the one that is done to check for vulnerabilities that may exist behind a merchant’s firewall. It does not need to be completed by an Approved Scanning Vendor.
Certain SAQs require internal scans, Primary Account Number (PAN) scans, and/or mobile device scans to help detect system vulnerabilities, missing security patches, and other common security issues that could be putting the merchant’s business and customers at risk of a breach.
If an internal scan is required to achieve PCI compliance, it will be required every 90 days just like the timeline for the external scans.
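To make the “PAN scan” mentioned above concrete, here is an added example (not code from the original post or from any ASV product) of how a PAN discovery scan works: it looks for 13- to 19-digit sequences in files, keeps only those that pass the Luhn check that every real card number satisfies, and reports them masked (first six and last four digits) so the scan report itself does not become a new place where card data is stored. The file names, contents, and card numbers below are constructed sample data (the card numbers are the well-known publicly published test numbers, not real accounts).

```python
"""Minimal PAN discovery scan: find Luhn-valid card numbers in text and report them masked."""
import re
from typing import Dict, List, NamedTuple

# Candidate PAN: 13-19 digits, each optionally followed by a single space or dash,
# not preceded or followed by another digit (so longer digit runs are not split up).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    source: str    # file the PAN was found in
    line_no: int   # 1-based line number within that file
    masked: str    # first 6 + last 4 digits, the rest replaced by '*'


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to the first six and last four digits (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> List[Finding]:
    """Scan one file's text line by line, keeping only Luhn-valid candidates."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of file name -> file contents and return all findings."""
    results: List[Finding] = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


# Constructed sample files: one Luhn-invalid 16-digit order id (must NOT be reported),
# and three published test card numbers in different formatting styles.
SAMPLE_FILES = {
    "app.log": (
        "2023-05-01 10:14:02 INFO order 1234567890123456 paid\n"
        "2023-05-01 10:14:03 DEBUG auth request pan=4111111111111111\n"
    ),
    "export.csv": (
        "name,card\n"
        "Test User,5555 5555 5555 4444\n"
        "Other User,3782-822463-10005\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.source}:{finding.line_no}: possible PAN {finding.masked}")
```

The Luhn filter is what separates a PAN scan from a plain digit search: the order id in `app.log` is 16 digits long but fails the checksum, so it is not reported, while the space- and dash-separated numbers in the CSV are. The check only reduces false positives rather than eliminating them (roughly one in ten random digit strings passes Luhn), so a real scan would add issuer-prefix checks and a review step before anything is treated as cardholder data.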
Other types of “scans”
In addition to external and internal scans, there is also a plethora of other security programs on the market to help protect a merchant from a data breach. The most common of these is endpoint protection, which is sometimes called anti-virus software.