{"id":1918,"date":"2021-12-17T09:15:55","date_gmt":"2021-12-17T09:15:55","guid":{"rendered":"https:\/\/www.pcidssguide.com\/?p=1918"},"modified":"2023-10-09T19:28:20","modified_gmt":"2023-10-09T19:28:20","slug":"how-to-successfully-pass-a-pci-compliance-scan","status":"publish","type":"post","link":"https:\/\/pcidssguide.com\/how-to-successfully-pass-a-pci-compliance-scan\/","title":{"rendered":"How to Successfully Pass a PCI Compliance Scan"},"content":{"rendered":"\n\n\n\n\n
If you have a business that stores, processes, or transmits sensitive data such as credit card information online, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), which consists of 12 core requirements for protecting customers’ data.<\/p>\n\n\n\n
Regardless of their size or sales volume, all merchants must maintain PCI compliance to prevent security breaches, consumer data theft, and identity theft. Ensuring PCI compliance<\/a> is also critical to building consumer confidence.<\/p>\n\n\n\n See Also: PCI DSS Control Objectives<\/a><\/strong> <\/p>\n\n\n\n PCI compliance is often problematic for businesses. The PCI security standards are highly technical, and a company may struggle to understand whether its website and public web applications actually meet them.<\/p>\n\n\n\n If you have a website that collects credit card numbers directly from your visitors, you must comply with the PCI DSS requirements, and one of those requirements is regular PCI compliance scanning.<\/p>\n\n\n\n See Also: What are the PCI DSS Audit Requirements<\/a><\/strong> <\/p>\n\n\n\n In a PCI compliance scan, an Approved Scanning Vendor (ASV) runs a series of scans against your website and your externally accessible IP addresses and provides an ASV scan report with an actionable list of vulnerabilities and suggested remediations.<\/p>\n\n\n\n Passing a PCI compliance scan usually requires hardening some of the default settings on your server. The most common steps are closing unneeded ports at the firewall and making sure your software is up to date.<\/p>\n\n\n\n PCI DSS is a security standard for credit and debit card transactions that protects consumers from unauthorized use of their personal and sensitive information. It is a detailed document outlining the steps needed to establish a secure process for handling payment card data.<\/p>\n\n\n\n PCI DSS applies to all entities that accept, transmit, or store cardholder data, regardless of their size or number of transactions.<\/p>\n\n\n\n See Also: What is a PCI Approved Scanning Vendor (ASV)?<\/strong><\/a><\/p>\n\n\n\n There are four PCI compliance levels, based on credit card transaction volume over 12 months. 
Level 1 applies to any organization that processes more than 6 million credit card transactions per year; the other levels apply to lower transaction volumes. Each level carries PCI DSS requirements that become more stringent as you move from Level 4 up to Level 1.<\/p>\n\n\n\n See Also: PCI DSS Compliance Levels<\/strong><\/a><\/p>\n\n\n\n Using a third-party provider to process credit card transactions does not exempt your organization from PCI DSS; compliance remains your responsibility. Likewise, simply using Secure Sockets Layer (SSL) does not make your business PCI compliant: encrypting the connection is one step in the PCI compliance process, not the whole of it.<\/p>\n\n\n\n Non-compliance can result in fines ranging from $5,000 to $100,000 per month until compliance is achieved, penalties large enough to put a small business out of business.<\/p>\n\n\n\n See Also: What are the PCI Compliance Fines and Penalties?<\/strong><\/a><\/p>\n\n\n\n The PCI DSS standard defines cardholder data as the full Primary Account Number (PAN) together with any of the following:<\/p>\n\n\n\n There are also specific PCI DSS requirements for software applications:<\/p>\n\n\n\n Make sure all your web applications are protected from known attacks by any of the following methods:<\/p>\n\n\n\n If you qualify for specific Self-Assessment Questionnaires (SAQs)<\/a> or store cardholder data electronically after authorization, you must perform a quarterly PCI compliance scan. 
PCI compliance scanning must be performed by an Approved Scanning Vendor (ASV).<\/p>\n\n\n\n PCI compliance scanning, also called vulnerability scanning, is an automated test that identifies weaknesses in a company’s IT infrastructure and computer systems that an attacker could exploit.<\/p>\n\n\n\n Your bank or payment institution may require regular PCI scans by an Approved Scanning Vendor (ASV) to find and eliminate threats to your website’s subdomains, add-ons, applications, and payment processor integration.<\/p>\n\n\n\n An external (ASV) PCI scan covers every public IP address or range on your network. An internal scan focuses on the internal hosts in a company’s cardholder data environment. As with external scans, you should run internal scans every 90 days and after any of the following network changes:<\/p>\n\n\n\n If your business has publicly available web applications, you should also perform application scans.<\/p>\n\n\n\n Before performing a PCI compliance vulnerability scan, you must engage an ASV to carry out the scan. The PCI Security Standards Council certifies security solution providers as ASVs to operate PCI scanning services in accordance with PCI DSS requirement 11<\/a>.<\/p>\n\n\n\n See Also: What are the Requirements for PCI DSS Vulnerability Scanning?<\/strong><\/a><\/p>\n\n\n\n Quarterly external PCI compliance scans performed by an Approved Scanning Vendor (ASV) are mandatory for meeting PCI DSS (Payment Card Industry Data Security Standard) requirements.<\/p>\n\n\n\n You should scan every website and external IP address that accepts credit card information each quarter and submit the ASV-approved report to your acquiring bank. Failing to do so will likely cost you the ability to accept and process card payments, which can be disastrous for your business given how widely debit and credit cards are used.<\/p>\n\n\n\n PCI compliance is a term often feared by business owners. 
While maintaining PCI compliance is essential to protecting your business and your customers from fraud, the process of staying in good standing can be complex and grueling.<\/p>\n\n\n\n Worse, if your PCI compliance scan fails, it can be difficult to pinpoint what went wrong. Below are the most common reasons PCI compliance scans fail and what you can do about each.<\/p>\n\n\n\n Some popular antivirus programs treat an external PCI scan as an attack and block the scanner’s IP addresses from reaching your systems. Even a firewall or spam filter can stop the scan from doing its job, because the scan traffic looks like abnormal behavior to those controls.<\/p>\n\n\n\n To fix access issues, allow-list the scanning service’s IP addresses; your credit card processing partner can help with this. Another option is to temporarily disable the security software that is blocking the scan, but this is not advised, because it leaves your systems exposed to real threats for as long as it is off.<\/p>\n\n\n\n You may fail a PCI compliance scan because you are using FTP or another protocol with plain-text authentication. By default, when you connect to a server via FTP, your credentials are sent in clear text.<\/p>\n\n\n\n This means that anyone sniffing the network traffic between your computer and the server, for example because you are on an open Wi-Fi network, can capture your credentials and compromise your account. Using an encrypted connection instead of a plain-text one therefore protects your account.<\/p>\n\n\n\n The SSL and TLS protocols are designed to encrypt and secure information transmitted over the Internet. When you visit a website whose URL starts with “https” rather than “http,” these protocols are in use.<\/p>\n\n\n\n SSL is an older protocol that has been revised several times as attackers found ways to break it. 
Even its last version, SSLv3, has been broken and is no longer reliable for securing data.<\/p>\n\n\n\n According to PCI DSS and security best practice, all SSL versions (SSLv2 and SSLv3) and early TLS (TLS 1.0) should be disabled on every connection into the cardholder data environment (CDE).<\/p>\n\n\n\n Unfortunately, many websites still support legacy SSL. Your PCI compliance scan will fail if SSLv3 is still enabled; you must move to the newer, more secure TLS protocol.<\/p>\n\n\n\n Encryption algorithms encode the content of a string or binary object so that an attacker without the decryption key cannot read it.<\/p>\n\n\n\n Insecure cryptographic storage is a common weakness that arises when sensitive data is not stored securely. It is a class of vulnerabilities rather than a single exposure.<\/p>\n\n\n\n A common mistake when using cryptography is relying on algorithms known to be weak or broken. Over the years, many algorithms have been declared broken, whether because they are vulnerable to brute-force attacks or because of flaws in the algorithm itself (DES and MD5 are well-known examples).<\/p>\n\n\n\n Therefore, if you want to pass PCI compliance scans, your applications must not use weak or vulnerable encryption algorithms.<\/p>\n\n\n\n Common certificate-related findings are an SSL certificate with an incorrect hostname, a self-signed SSL certificate, and an expired SSL certificate.<\/p>\n\n\n\n The recommended fix for SSL certificate configuration errors is that every public port must present a valid SSL certificate signed by a Certificate Authority (CA): the common name must match the target hostname, the issuer must be a trusted CA, and the certificate must not be expired.<\/p>\n\n\n\n A flaw in your system can cause the PCI compliance scan to fail and, if left unfixed, leaves attackers free to access your data.<\/p>\n\n\n\n Some payment systems have vulnerabilities that let an attacker log in and bypass security restrictions. 
Once inside, the attacker’s actions will not raise red flags, because the system treats them as an authorized user, and they can cause further damage without being detected.<\/p>\n\n\n\n Fortunately, patches for the most common vulnerabilities are available, and you should keep your systems up to date with them.<\/p>\n\n\n\n One of the most common reasons a PCI scan fails is open ports on your servers that the scanner considers unsafe. Note that an open-port finding is not always a real security risk; review each such finding carefully, as many turn out to be false positives.<\/p>\n\n\n\n Be aware that changing firewall rules incorrectly can lock you out of your own server, so make firewall changes carefully.<\/p>\n\n\n\n SSL certificates are small data structures that identify a particular person, company, or website. You can think of a certificate as proof that the entity is who it claims to be.<\/p>\n\n\n\n If your website requests any login information, it must present an SSL certificate that your customers’ web browsers can trust. Without a valid, trusted SSL certificate, the browser cannot tell whether the customer is dealing with your company or with an attacker impersonating it. If your SSL certificate is missing or not installed properly, your PCI scan will fail.<\/p>\n\n\n\n Many businesses integrate with third-party services to provide additional features to their customers. Examples are an FTP remote management service that lets customers upload files directly to your website, or a remote login feature that lets technical support assist a customer with a problem.<\/p>\n\n\n\n Most of these services accept unencrypted passwords, which can be disastrous if an attacker is listening, and your scan will fail as a result. To fix this, make sure your third-party applications are secure. 
If your current ASV cannot meet your needs, you may need to consider switching providers.<\/p>\n\n\n\n A PCI vulnerability scan identifies security threats and vulnerabilities in your application. Any issues detected in PCI compliance scans should be addressed immediately.<\/p>\n\n\n\n See Also: PCI Web Application Security Requirements<\/strong><\/a><\/p>\n\n\n\n Here are some of the most common web application attacks that PCI scans help protect you from:<\/p>\n\n\n\n PCI compliance scans are covered by requirement 11 of the PCI DSS standard, which focuses on network and application security. PCI DSS requirement 11 specifies that scans must be run quarterly. In other words, you must run scans at least every 90 days, and they must pass. You should also provide a summary of your scan results to the relevant bank or payment institution.<\/p>\n\n\n\n If a scan fails, fix the issues and rescan to verify a passing result, meaning that all high-level security vulnerabilities have been resolved. The PCI DSS standard defines five severity levels for vulnerabilities, from low to urgent; a high-level vulnerability is any finding rated level 3, 4, or 5.<\/p>\n\n\n\n Also, if you make significant changes to your application between quarterly scans, run a new scan to confirm that no new vulnerabilities have been introduced.<\/p>\n\n\n\n The 90-day interval for PCI compliance scans is a minimum; scanning more often further improves your security posture. Failing to perform regular PCI scans can result in non-compliance fines and damage to your business.<\/p>\n\n\n\n If you lose your merchant status, you may lose your ability to accept credit cards. 
Worse still, if you are breached, your company’s reputation may never recover.<\/p>\n\n\n\n Scans must be performed by a PCI Approved Scanning Vendor (ASV), which provides the services and tools needed to perform the external vulnerability scanning required under PCI DSS.<\/p>\n\n\n\nWhat Are PCI Compliance Scans, and Do They Apply to Your Company?<\/strong><\/h2>\n\n\n\n
\n
\n
\n
\n
Why Your PCI Compliance Scan Failed and What to Do<\/strong><\/h2>\n\n\n\n
1. Access Errors<\/strong><\/h3>\n\n\n\n
2. Use of Insecure Protocols<\/strong><\/h3>\n\n\n\n
3. Outdated Security Protocols<\/strong><\/h3>\n\n\n\n
4. Cipher\/Algorithm Vulnerabilities<\/strong><\/h3>\n\n\n\n
5. SSL Certificate Configuration Errors<\/strong><\/h3>\n\n\n\n
6. Vulnerable Authentication Information<\/strong><\/h3>\n\n\n\n
7. Unsecured Open Ports<\/strong><\/h3>\n\n\n\n
8. Failed SSL Certificate Validation<\/strong><\/h3>\n\n\n\n
9. Sloppy Third-Party Security<\/strong><\/h3>\n\n\n\n
How to Properly Run PCI Compliance Scans<\/strong><\/h2>\n\n\n\n
\n