The PCI DSS requires that different types of scans be performed different intervals. We are often asked what the difference is between external ASV scans, internal vulnerability scans, penetration tests, segmentation tests, and application code scans. It is important to understand the differences between these scan types and the corresponding requirements of each:
Quarterly External Vulnerability Scans (Requirement 11.2.2) - These scans must be performed at least once every three months by an external scanning company that is certified by the PCI council as an Approved Scanning Vendor (ASV). These scans cannot be performed by an internal employee of your organization. All the external IP addresses for your in-scope locations should be included in these scan reports. The objective of this requirement is to identify any vulnerabilities that may exist on your systems that could potentially be exploited by an attacker from the internet. PCI scans performed by ServerScan are ASV-certified and satisfy this requirement.
Quarterly Internal Vulnerability Scans (Requirement 11.2.1) – As the name implies, internal vulnerability scans need to be performed at least once every three months from inside your network(s). These scans can be performed by any individual who is experienced in vulnerability scanning. Most organizations use an internal employee to perform these scans with an automated vulnerability scanning solution such as OpenVAS. The objective of this requirement is to identify any vulnerabilities that could be exploited by an attacker from inside your network. At a minimum, any “critical” or “high” vulnerabilities must be resolved and verified by rescan reports.
Annual Penetration Testing (Requirement 11.3)- These comprehensive tests must be performed at least once a year by a qualified penetration tester to verify that complex manual methods cannot be used to gain unauthorized access to your systems. Penetration tests are usually performed by a third party, but can also be performed by a qualified internal individual with organizational independence; this means that the person performing the penetration test should not be the same person with responsibility for configuring or managing the systems being tested. Penetration testing should be performed from a public perspective (from the internet) and from an internal perspective (from your out-of-scope networks, if applicable). Penetration tests performed by ServerScan satisfy this requirement.
Segmentation Testing (Requirement 11.3.4) – Segmentation Tests are specialized internal penetration tests that are required of organizations that use segmentation to completely isolate their cardholder data environment networks from other internal networks. Segmentation tests verify that no access is allowed from out-of-scope networks to in-scope networks. Segmentation tests must be performed annually for merchants and every six months for service providers. Segmentation penetration tests performed by ServerScan satisfy this requirement.
Application Reviews (Requirement 6.6) - Public facing applications must further be protected against known attacks by one of the following two options:
- A web application firewall (WAF) in place to monitor all inbound traffic and protect against known web-based attacks.
- An annual application vulnerability review (Many organizations use code vulnerability scanning utilities to analyze custom web application code annually.)
All of the above scan requirements must be repeated frequently as indicated in the descriptions above. In addition, each of these scans must be repeated after significant changes that could introduce new vulnerabilities to your environment. Rescans are necessary to ensure that changes made don’t introduce new vulnerabilities into your environment. Be sure to retain all of the above scan reports for a couple of years so that you can provide them as evidence of your PCI DSS compliance if requested.
Do you still have any questions about the vulnerability scanning requirements for PCI DSS compliance? Please call our knowledgeable customer support team at 801-852-2337 or email us for help getting started with our external vulnerability scanning and penetration testing services.