Conducting routine network vulnerability scans is a necessity for many organizations to remain in compliance with various frameworks and laws. PCI-approved network vulnerability scans are often seen in the spotlight due to their regulatory backing. However, are they comprehensive enough? This article delves into the nitty-gritty of PCI-approved scans versus non-PCI scans, shedding light on why the latter could be a more exhaustive choice for safeguarding your organization.
Understanding the PCI Framework
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies accepting, processing, storing or transmitting credit card information maintain a secure environment. It’s applicable to any entity that deals with payment cardholder data. One of the mandates of this framework is the requirement for periodic network vulnerability scanning to identify and rectify potential security loopholes.
The Stakes of PCI Scans
Various stakeholders like banks and merchant-service companies often require merchants to undergo PCI scans and submit the results. Failing a PCI scan can result in a bumpy ride for your merchant account. Furthermore, some scanning vendors automatically submit your scan results to these stakeholders, irrespective of whether the scan was passed or failed, adding an extra layer of scrutiny and risk to the process.
The Role of ASVs in PCI Scans
PCI DSS necessitates that official scans be carried out by an Approved Scanning Vendor (ASV), a company accredited by the PCI Council to conduct external vulnerability scanning services. This mandate ensures a level of standardization and trust in the scanning process, albeit with some unexpected costs.
The Speed-Accuracy Trade-off
Most PCI scans trade completeness for speed. The underlying reason is that some scanning engines are resource-intensive and can disrupt the infrastructure they scan, so the PCI Council accepted a compromise on accuracy: PCI scans focus only on hosts that respond on a subset of common ports, for example:
| TCP Port | Typical Service |
|---|---|
| 21 | FTP |
| 22 | SSH |
| 23 | Telnet |
| 25 | SMTP |
| 53 | DNS |
| 80 | HTTP |
| 88 | Kerberos |
| 110 | POP3 |
| 111 | RPC |
| 135 | MS RPC |
| 139 | NetBIOS |
| 443 | HTTPS |
| 445 | Microsoft-DS |
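To make the discovery gap concrete, here is an added example (not code from the article or from any scanning vendor) that models what a limited-port host discovery sees versus a full TCP sweep. The port list is the table above; the inventory is constructed sample data, and the model covers TCP only.

```python
# Added example: model the host-discovery gap between a PCI-style probe of a
# short common-port list and a full TCP port sweep. No network traffic is sent;
# the "inventory" is constructed data standing in for a real asset list.
from dataclasses import dataclass

# Common-port list from the table above.
PCI_DISCOVERY_PORTS = frozenset({21, 22, 23, 25, 53, 80, 88, 110, 111, 135, 139, 443, 445})
# Every TCP port, i.e. what a full non-PCI sweep probes.
ALL_TCP_PORTS = frozenset(range(1, 65536))


@dataclass(frozen=True)
class Host:
    addr: str
    open_ports: frozenset  # listening TCP ports (constructed, not real scan output)


def discovered_by(host, probe_ports):
    """A host counts as 'alive' only if at least one probed port answers."""
    return bool(host.open_ports & probe_ports)


def coverage_gap(inventory, probe_ports=PCI_DISCOVERY_PORTS):
    """Return (seen, missed): hosts a given probe set finds vs. skips entirely."""
    seen = {h.addr for h in inventory if discovered_by(h, probe_ports)}
    missed = {h.addr for h in inventory} - seen
    return seen, missed


def unprobed_services(inventory, probe_ports=PCI_DISCOVERY_PORTS):
    """For each discovered host, open ports the limited probe set never inspects.
    These are services a full sweep would report but a common-port scan skips."""
    return {h.addr: sorted(h.open_ports - probe_ports)
            for h in inventory
            if discovered_by(h, probe_ports) and h.open_ports - probe_ports}


# Constructed sample inventory (private addresses, hypothetical services).
SAMPLE_INVENTORY = [
    Host("10.0.0.10", frozenset({22, 443, 8443})),   # admin UI on 8443 never probed
    Host("10.0.0.11", frozenset({3389})),             # RDP-only host: invisible to discovery
    Host("10.0.0.12", frozenset({80, 8080, 2375})),   # Docker API on 2375 never probed
    Host("10.0.0.13", frozenset()),                   # no TCP listener: unseen by any port sweep
]

if __name__ == "__main__":
    seen, missed = coverage_gap(SAMPLE_INVENTORY)
    print("discovered by common-port probe:", sorted(seen))
    print("missed by common-port probe:", sorted(missed))
    print("missed by full TCP sweep:", sorted(coverage_gap(SAMPLE_INVENTORY, ALL_TCP_PORTS)[1]))
    print("open ports a limited scan skips:", unprobed_services(SAMPLE_INVENTORY))
```

Running the same inventory through both probe sets shows the host that a common-port discovery never reaches and the listening services it never inspects, which is exactly the gap the full non-PCI sweep closes.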
The Comprehensive Nature of Non-PCI Scans
On the flip side, non-PCI scans offer a broader examination: they can be configured to probe every TCP and UDP port. This exhaustive sweep is not just about numbers; it also extends to scanning more hosts, which can uncover vulnerabilities that would otherwise remain hidden. Unlike PCI scans, non-PCI scans don’t just skim the surface; they delve deep, often unveiling vulnerabilities that would have gone undetected under the less rigorous PCI scans. Moreover, the customizability of non-PCI scans allows for a tailored approach. Organizations can tweak the scanning parameters to align with their operational environment, risk appetite and compliance requirements. This degree of customization gives a more nuanced understanding of the network’s security posture, enabling organizations not just to respond to the identified vulnerabilities but to strengthen their overall security framework proactively.
Privacy Advantages
The realm of non-PCI scans comes with a notable advantage – privacy. Unlike PCI scans where the results, often including the list of vulnerabilities, are shared with external stakeholders, the findings of non-PCI scans remain a private affair. This privacy grants organizations the liberty to scrutinize their security framework in-house before venturing into the official PCI scans. The privacy aspect is more than just about keeping the findings under wraps; it’s about having the time and the autonomy to amend the identified vulnerabilities without external pressures or deadlines. This breathing space is crucial as it allows for a more thoughtful and thorough remediation process. It ensures that when the time comes for official PCI scrutiny, the reports presented are pristine, reflecting a robust and resilient security posture.
Our Recommendation
We advocate conducting full non-PCI network vulnerability scans as frequently as reasonable to ensure a robust security posture. Concurrently, engage an inexpensive ASV to provide quarterly PCI scans as a formality, satisfying the regulatory requirements without compromising on a thorough examination of your network’s security.
While PCI-approved network vulnerability scans form a crucial part of compliance, they should not be the sole reliance for ensuring network security. It’s prudent to embrace a holistic approach by incorporating exhaustive non-PCI scans for a well-rounded defense against the nefarious digital threats lurking in today’s complex digital landscape.
ScanMy.Cloud provides exhaustive network vulnerability scans beyond basic PCI requirements using the industry-leading Qualys® scanning engine. You can schedule your scans at any interval, such as quarterly for PCI compliance, and run ad-hoc scans after any significant changes to your network or hosts.