PCI Vulnerability Scanner
Small and medium-sized businesses have a lot on their plates. These companies face a tall order as they fight to remain competitive in an increasingly complex global market.
Among these challenges, they face one especially tricky obstacle: understanding PCI compliance. Working to find the right PCI vulnerability scanner is a challenge for managed service providers (MSPs) that comes with high stakes for an organization’s finances and reputation.
Living in a Universe of Credit Cards
Online merchants, brick-and-mortar stores, information service companies — each has learned the value of offering the ability to pay with plastic. It’s a preferred way of doing business for customers. In a 2014 survey, for instance, 35 percent of consumers reported that they preferred to pay with credit cards.
But while credit cards offer simplicity and ease for consumers, the story is different on the other end. The reason? For merchants and organizations that manage cardholder data, there’s the always-challenging task of remaining PCI compliant.
PCI stands for Payment Card Industry. The rules come from the PCI Security Standards Council, founded in 2006 by the major card brands; one of the council's goals is to set security standards for anyone who handles card data. The council is a self-regulatory industry body, not a government agency.
The council's Payment Card Industry Data Security Standard (PCI DSS) lays out the rules for organizations that store, process or transmit cardholder data. And though following the rules can be a complex task, they serve an important goal.
The Need for Security
PCI standards serve to ensure the security of credit card transactions. It’s a simple goal. And yet, it has broad ramifications across the economy.
With the understanding that their personally identifiable information is secure, customers more readily offer their trust to those who handle transactions. Moreover, they’re more likely to do repeat business.
At the same time, a business suffers when its data security is breached. Customers want confidence that, after they swipe a card or type a card number online, they won't become victims of fraud or identity theft.
That consideration has become particularly urgent in recent years. In 2015 alone, there were roughly 2,200 confirmed breaches with data loss. Headlines continue to reveal data thefts targeting retail giants like Target and Home Depot.
Which all speaks to the point of the PCI standards: organizations need to take concrete steps to secure credit card data, which in turn lets the public keep trusting credit cards. It's no wonder the card brands founded their own standards council.
So, what does it mean to be compliant with PCI Data Security Standards? And how does that affect the selection of PCI vulnerability scanners?
As mentioned, the standard applies to anyone who stores, processes or transmits cardholder data. Its twelve requirements fall into six groups:
Building and Maintaining a Secure Network and Systems
Organizations must install and maintain a firewall configuration that protects cardholder data, and must not leave vendor-supplied defaults in place for system passwords and other security parameters.
Protecting Cardholder Data
Stored cardholder data must be protected, with the primary account number rendered unreadable wherever it is stored, and cardholder data must be encrypted whenever it crosses open, public networks.
Maintaining a Vulnerability Management Program
All systems must be protected against malware, with anti-virus software kept current, and systems and applications must be developed and maintained securely, which includes applying vendor security patches promptly.
Implementing Strong Access Controls
Access to cardholder data must be restricted to those with a business need to know; every person with system access must be uniquely identified and authenticated; and physical access to cardholder data must be restricted.
Regularly Monitoring and Testing Networks
Organizations must track and monitor all access to network resources and cardholder data, and must regularly test their security systems and processes.
Maintaining an Information Security Policy
Finally, organizations must maintain a written information security policy that addresses all personnel, so that the measures above are codified rather than left to habit.
The standard goes much deeper into the granular requirements within each group. And for each requirement, every entity that stores, processes or transmits cardholder data is expected to demonstrate compliance. They do so partly through PCI vulnerability scanners.
Organizations must take several steps to demonstrate compliance. The council's own quick reference guide is the place to start. Next comes scoping: identifying every system that stores, processes or transmits cardholder data, or is connected to one that does, because everything inside that scope is subject to the requirements, and everything kept out of it (by segmentation, by outsourcing payment handling) is work saved.
How compliance is demonstrated depends on the organization. Smaller merchants complete a Self-Assessment Questionnaire (SAQ); the largest merchants (Level 1, a tier the card brands define by annual transaction volume) must have a Qualified Security Assessor (QSA) examine their networks and processes and produce a Report on Compliance. Which SAQ applies depends on how card data is handled: a merchant whose e-commerce payments are fully outsourced answers a much shorter questionnaire than one that operates its own payment terminals or its own web checkout.
As for PCI vulnerability scanners? The standard sets a further requirement on organizations whose cardholder data environment touches external-facing IP addresses. Requirement 11.2 calls for internal and external vulnerability scans at least quarterly, and the external scans, which must cover every external-facing IP address in scope, have to be performed by a PCI SSC Approved Scanning Vendor (ASV). An ASV scan passes only if it finds no vulnerability with a CVSS base score of 4.0 or higher.
Vulnerability scans look for misconfigurations and known vulnerabilities in websites, applications and the infrastructure beneath them. Scans are also required after any significant change to the network, such as installing new system components, changing firewall rules or upgrading products.
The goal of the scans: give IT managers a prioritised list of weaknesses to patch or reconfigure before an attacker finds them.
Organizations must run both internal and external scans. Internal scans run from inside the network perimeter, usually with credentials on the hosts, and reveal what an attacker who has already gained a foothold, or a malicious insider, could reach. External scans probe internet-facing addresses the way an outsider would. Internal scans may be run by qualified staff or a vendor of the organization's choosing; external scans must come from an ASV.
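The quarterly cadence, the change-triggered rescans and the different pass criteria for internal and external scans described above can be expressed as a small check over scan results. What follows is an added example, not code from any scanner or from the PCI SSC: it applies the ASV pass criterion (no finding with a CVSS base score of 4.0 or higher) to external findings, an assumed entity-defined high-risk cutoff to internal findings, honours documented false-positive disputes, and reports when a rescan is due. The findings, hostnames, dates and the 7.0 internal cutoff are constructed for the example; the ASV Program Guide also lists conditions that fail a scan regardless of score, which this check does not model.

```python
"""Added example: apply PCI DSS scan pass criteria and rescan triggers to
constructed scan findings. Not vendor code. The ASV threshold is the real
one; the internal cutoff and the 90-day window are labelled assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

ASV_FAIL_THRESHOLD = 4.0        # ASV Program Guide: CVSS >= 4.0 fails an external scan
INTERNAL_FAIL_THRESHOLD = 7.0   # ASSUMPTION: this entity ranks CVSS >= 7.0 as "high-risk"
QUARTER = timedelta(days=90)    # ASSUMPTION: "quarterly" enforced as a 90-day interval


@dataclass(frozen=True)
class Finding:
    scan_type: str   # "external" or "internal"
    host: str
    port: int
    title: str
    cvss: float      # CVSS base score as reported by the scanner


def threshold_for(scan_type: str) -> float:
    if scan_type == "external":
        return ASV_FAIL_THRESHOLD
    if scan_type == "internal":
        return INTERNAL_FAIL_THRESHOLD
    raise ValueError(f"unknown scan type: {scan_type}")


def failing_findings(findings, disputed=frozenset()):
    """Findings that fail their scan type's criterion, skipping disputed
    false positives. A dispute is keyed by (host, port, title); an ASV
    accepts one only with documented evidence, so keep that evidence."""
    return [
        f for f in findings
        if (f.host, f.port, f.title) not in disputed
        and f.cvss >= threshold_for(f.scan_type)
    ]


def scan_passed(findings, scan_type: str, disputed=frozenset()) -> bool:
    """True when no undisputed finding of this scan type fails."""
    return not [f for f in failing_findings(findings, disputed)
                if f.scan_type == scan_type]


def rescan_due(last_passing: dict, changes, today: date) -> dict:
    """For each scan type, list the reasons a new scan is due: the quarterly
    window has expired, or a significant change landed after the last pass."""
    reasons = {}
    for scan_type in ("external", "internal"):
        last = last_passing.get(scan_type)
        if last is None:
            reasons[scan_type] = ["no passing scan on record"]
            continue
        why = []
        if today - last > QUARTER:
            why.append(f"quarterly window expired ({(today - last).days} days since last pass)")
        for description, when in changes:
            if when > last:
                why.append(f"significant change after last pass: {description} ({when})")
        reasons[scan_type] = why
    return reasons


# Constructed sample data (hostnames, scores and dates are invented).
SAMPLE_FINDINGS = [
    Finding("external", "web01.example", 443, "TLS 1.0 enabled", 4.3),
    Finding("external", "web01.example", 80, "HTTP server banner discloses version", 2.6),
    Finding("external", "vpn01.example", 443, "Self-signed certificate", 4.0),
    Finding("internal", "db01.corp", 1433, "Missing vendor security update", 9.8),
    Finding("internal", "fs01.corp", 445, "SMB signing not required", 5.3),  # below internal cutoff, still tracked
]
# Documented false positive: the VPN client pins that certificate.
DISPUTED = frozenset({("vpn01.example", 443, "Self-signed certificate")})

LAST_PASSING = {"external": date(2016, 1, 12), "internal": date(2016, 3, 1)}
CHANGES = [("new payment gateway host added", date(2016, 3, 15))]
TODAY = date(2016, 4, 20)

if __name__ == "__main__":
    for f in failing_findings(SAMPLE_FINDINGS, DISPUTED):
        print(f"FAIL {f.scan_type:8} {f.host}:{f.port} {f.title} (CVSS {f.cvss})")
    for scan_type in ("external", "internal"):
        print(scan_type, "passed" if scan_passed(SAMPLE_FINDINGS, scan_type, DISPUTED) else "failed")
    print(rescan_due(LAST_PASSING, CHANGES, TODAY))
```

Two points worth noticing: a finding at exactly 4.0 fails an ASV scan, which is why the disputed vpn01 entry matters, and the internal 5.3 finding does not block compliance under the assumed cutoff but should still sit in the remediation queue, since Requirement 6.1 expects the entity's risk ranking to be defensible.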
Why Go Through the Trouble?
If this all sounds complicated, you’re not alone. Yet PCI standards are something that shouldn’t be ignored. The reason?
It begins with the fines. Organizations who are noncompliant with PCI Data Security Standards face potentially hefty fines.
Commonly cited figures run up to $500,000 per incident. Remember that the PCI Security Standards Council is not a government agency, and it does not fine anyone. The fines come from the card brands and are levied on the business's acquiring bank, which passes the cost along to the business.
The fines are a major incentive to come into compliance. But perhaps more important is the larger goal. PCI compliance isn’t just about meeting credit card companies’ demands; it’s about instituting important security measures to protect critical data. And it’s about taking steps to gain the public’s trust — and improve business.
So, wouldn’t it be nice if there were an elegant, scalable solution to keep organizations PCI compliant — while maintaining crucial network security?
A Comprehensive Solution
MSPs and IT professionals rely on MSP Risk Intelligence from SolarWinds MSP (formerly LOGICnow) in no small part because of its ability to manage PCI compliance. With features that include a PCI vulnerability scanner, we offer a comprehensive solution to find — and eliminate — any weaknesses in your clients' systems. That’s true whether you’re managing a small network or a large, distributed organization, such as a retail operation.
MSP Risk Intelligence offers internal vulnerability scans for organizations, with several industry-leading features that include:
- A single scan, revealing which credit card data is at risk, no matter how deeply buried it is within a network
- Creation of a list showing all users with access to cardholder data
- Internal vulnerability and Primary Account Number scans using a host-level authentication pattern
- Scanning of a variety of devices — computers, tablets, smartphones, servers — and a variety of data types — like Microsoft Office documents, database files, compressed files, emails, archives and much more
- Coverage of multiple platforms, including Exchange, SharePoint and cloud storage technology
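The Primary Account Number scan in the list above is what separates a PCI data-discovery scan from a generic vulnerability scan. The following is an added example, not SolarWinds code, showing the core of such a scan: pull digit runs that look like card numbers out of text, keep only those with a known issuer prefix that also pass the Luhn check (which discards order numbers and mistyped digits), and report each hit masked to first six and last four digits so the scan report itself does not become a new store of cardholder data. The issuer prefix table is simplified, and the sample document and file walk are constructed for the example.

```python
"""Added example: a minimal PAN (Primary Account Number) discovery scan.
Not SolarWinds code; the issuer prefix table is simplified and the sample
text is constructed for the example."""
import os
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (the lookarounds keep long IDs out).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified issuer identification: (accepted prefixes, accepted lengths).
BRAND_PREFIXES = {
    "visa": (("4",), (13, 16, 19)),
    "mastercard": (
        tuple(str(p) for p in range(51, 56)) + tuple(str(p) for p in range(2221, 2721)),
        (16,),
    ),
    "amex": (("34", "37"), (15,)),
    "discover": (("6011", "65"), (16,)),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Every real PAN passes; most random
    digit runs and single-digit typos do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Issuer name for a digit string, or None if no prefix/length matches."""
    for name, (prefixes, lengths) in BRAND_PREFIXES.items():
        if len(digits) in lengths and digits.startswith(prefixes):
            return name
    return None


def mask(digits: str) -> str:
    """Show at most the first six and last four digits (PCI DSS Req. 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Masked hits for every candidate with an issuer prefix that passes
    Luhn. The unmasked PAN is never stored in the result."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = brand_of(digits)
        if brand is None or not luhn_ok(digits):
            continue                        # looks like a card number but is not one
        hits.append({"brand": brand, "masked": mask(digits), "offset": m.start()})
    return hits


def scan_directory(root: str) -> dict:
    """Walk a directory tree and map each file path to its PAN hits.
    A production scanner also opens archives, mailboxes and Office
    containers; this example reads files as UTF-8 text only."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", errors="ignore")
            except OSError:
                continue
            hits = find_pans(text)
            if hits:
                results[path] = hits
    return results


# Constructed sample document: two well-known test PANs (a Visa and an Amex
# test number), a 16-digit order number and a mistyped number that fails Luhn.
SAMPLE_TEXT = """Order 1234567890123456 shipped 2016-03-02.
Customer card on file: 4111 1111 1111 1111 exp 12/26
Corporate Amex: 378282246310005
Mistyped number from support ticket: 4111111111111112
Support line 1-800-555-0199
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_TEXT):
        print(hit)
```

Run against the sample text this reports the Visa and Amex numbers only, masked; the order number has no issuer prefix and the mistyped Visa fails the checksum. A real scan applies the same filter to every file it can open, and the file walk above is where formats such as compressed archives and mail stores would be unpacked.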
With MSP Risk Intelligence, there’s no need to deploy complex hardware or software. Instead, MSPs benefit from an efficient console that tracks compliance status by location or customer — key for managing multiple clients.
Exceeding the Standards, Beefing up Security
Scanning for vulnerabilities is an important part of the PCI compliance process. But even more important, SolarWinds MSP allows you to far exceed the minimum requirements of the standards.
Our industry-leading security solutions protect cardholder data while it is stored, and as it’s transferred through servers. Our platform accomplishes this with:
- Encryption of all data in transit between customers and SolarWinds MSP solutions
- Unique logins when accessing systems
- Two-factor authentication
- IP whitelisting
- Audit trails by logging all application activity
Part of a Larger Solution
Of course, scanning for exposed cardholder data is only one piece of the puzzle. For MSPs and IT professionals, it's just as important to know how else a network may be at risk. Here, too, we've got you covered.
With MSP Risk Intelligence, you can run vulnerability scans that reveal the exposures phishing, malware and other external attacks rely on. Host-based scanning lets you cover every device on the network regardless of device type or local permissions.
Here's another benefit: the scans are light on network resources. And they're thorough, uncovering unpatched software, email-borne threats, malware and risks from VPN connections.
And did we mention that our easy-to-use, scalable solution has a track record of client retention? MSPs using SolarWinds MSP have benefitted from a 98 percent client retention rate.
Visit us online, where you can try our solutions for free. Time to kiss those PCI compliance headaches goodbye.
About SolarWinds MSP
SolarWinds MSP delivers the only 100% SaaS, fully cloud-based IT service management (ITSM) platform, backed by collective intelligence and the highest levels of layered security. SolarWinds MSP products — including Risk Intelligence, Remote Management, Backup & Disaster Recovery, Mail and Service Desk — comprise the market’s most widely trusted integrated solution.
Deployed on millions of endpoints across hundreds of thousands of networks, the platform has the industry vision to define and deliver the future of the market. SolarWinds MSP provides the most comprehensive IT security available as well as LOGICcards, the first ever IT notification feature powered by prescriptive analytics and machine learning.
SolarWinds MSP's passion is helping IT professionals secure and manage their systems and data through actionable insights, rewriting the rules of IT.
Sources
PCI Security Standards Council, About Us: https://www.pcisecuritystandards.org/about_us/
PCI Security Standards Council, PCI DSS: https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
PCI Security Standards Council, Security Scanning Procedures v1.1: https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf
PCI Compliance Guide, Internal vs. External Vulnerability Scans and Why You Need Both: https://www.pcicomplianceguide.org/internal-vs-external-vulnerability-scans-and-why-you-need-both/