Passing/defining a PCI DSS internal scan

Billy Austin

As of 30 June 2012, most people have heard that PCI now requires proof of a passing internal vulnerability assessment (Requirement 11.2.1) on a quarterly basis. It is well known that PCI has "12 Requirements", but one should also understand that these requirements expand: the image below illustrates that 11.2.1 includes parts a, b and c, known as testing procedures.

Before understanding PCI DSS in its entirety, one might say: "12 requirements, can't be too hard to pass." But after seeing the example chart and doing further research, we know that 12 becomes 200+ very quickly.

We hear the words scans, PCI scans, external scans, internal scans, and so on. Exactly what do these scans include, and how many bullets can I check off? Not many vendors can answer this question. It is safe to say that an internal PCI scan at least incorporates the vulnerability assessment in 11.2.1 (a, b and c), knocking off 3 of the 200+ procedures for most solutions.

Being a security technology fanatic, I started thinking: what if one could knock off as many of these procedures as possible? After line-by-line research, we discovered that roughly 35+ procedures can be automated with an internal "scan".

Given that we are in a position to innovate and automate, is it really time to side with critics who state that PCI is too hard and costly? Not so fast! Remember the goal: make it easy for consumers to purchase with plastic while at the same time protecting customer cardholder data.

Have a Mac or Windows PC? Within 60 seconds and with no software install, you can perform an "Internal PCI Scan" that covers 11.2.1 and a lot more, for free. Performing the scan is easy and contributes to both the security and compliance posture of your organization while protecting customer data. Passing the scan comes down to simple remedies such as applying patches, making configuration changes, disabling unwanted services, removing unencrypted cardholder data and the like.

Have faith; I see more automation coming soon. Imagine vendors working together: scan results auto-populating SAQ wizards, PCI portals offering both external and internal scans, and even mobile scan data. Drop me a line with your comments or research; I look forward to seeing you perform a passing scan with MAX Risk Intelligence.