PCI Vulnerability Scanning
PCI vulnerability scanning can seem like a labyrinth for small organizations, especially those who are unfamiliar with everything it entails. But it's a high-stakes issue, both from a financial and IT standpoint. And it's an issue that managed service providers (MSPs) and other IT professionals must understand to best serve their clients.
The Complex World of Credit Card Data
It’s no shock to say that credit cards are important for business. They've become a go-to form of payment across economic sectors.
Healthcare firms, online merchants, financial services companies — all have come to realize the benefits of paying with plastic. Simply put, credit cards have become a preferred way of doing business.
The numbers speak to this point. A 2014 survey found that 35 percent of consumers prefer to pay with credit cards.
It's not hard to see why. Credit cards are simple to use. They’re less burdensome than stopping by an ATM. And they offer a short-term infusion of money, so consumers don’t have to carry bundles of cash when making large purchases.
Although credit cards are popular among consumers, merchants know that the story is complicated on the other end. The challenge has to do with remaining PCI compliant and working through the complexities of PCI vulnerability scanning.
What is PCI?
PCI stands for Payment Card Industry, which is governed by the PCI Security Standards Council. This group, which was founded by credit card companies, issues standards to protect credit card transactions. Organizations that process credit card data must follow these standards. Though the council’s rules can be strict—and their fines large—it's important to note that the group is self-regulating; it's not part of any country’s government.
The hallmark of the council is a rule set known as the Data Security Standards (PCI DSS). These standards are the rules that businesses and other organizations must follow if they want to process cardholder data.
The Data Security Standards can be a source of headaches for many smaller organizations. Still, it's important to remember that these standards are motivated by an important goal.
A Focus on Security
The overarching goal of PCI standards is to secure all credit card transactions. Simple enough. Still, this goal has consequences that reach across every industry and affect the broader economy.
The reason has to do with trust. Trust is an invaluable economic asset. It’s the grease that allows business to continue. Consumers need to know that the products they buy are safe, and that merchants represent the truth in their sales pitches.
With the advent of credit cards, consumers also require trust in the security of their form of payment. The consequences of poor credit card security can be large.
Likewise, a breach of trust can be devastating to business. Consumers want to know that, after handing over their credit card information, they won't have their identities stolen or their credit histories ruined. At the same time, when a business suffers from a data breach, it may find itself losing business as consumers flee to competitors that seem to offer better security.
The issues surrounding cardholder data security have grown increasingly urgent in the last several years. Consumers have been regularly reminded that even large companies, like Target and Home Depot, can suffer from a security breach with tens of millions of financial records accessed by hackers. Data breaches have grown more and more common, with nearly 50 percent of Americans having had their personally identifiable information stolen in 2014.
This speaks to the overarching goal of the PCI standards, as well as PCI vulnerability scanning. Organizations must take steps to secure their credit card data. It's no surprise that the industry itself created its own set of security standards. It's good for business.
So, how do organizations stay in compliance with the standards?
The PCI Data Security Standards establish wide-reaching rules for those who process cardholder data. The requirements include:
- Maintaining a secure network. Organizations have to implement and maintain firewalls as a means of protecting cardholder data. They must also eschew default passwords for their systems.
- Data encryption. Cardholder data must be encrypted whenever it is transmitted across open, public networks.
- Establishing programs to manage vulnerabilities. Organizations must protect themselves against malware and viruses, along with a host of other security vulnerabilities. They must maintain a set of processes to keep themselves secure.
- Data-access limitations. Organizations must significantly limit access to credit card data. They must also establish identification and authentication processes as a prerequisite to data access.
- Test networks. Organizations have to regularly monitor and test the security of their systems, as well as access to the networks that store credit card data.
- Develop and maintain a security policy. Additionally, organizations must maintain a clear information security policy that covers these practices.
The PCI Data Security Standards go into much greater detail with these requirements. And in each category, organizations are required to demonstrate compliance. This is where PCI vulnerability scanning comes in.
How to Show Compliance
Businesses have to take a number of steps to show that they are in compliance with the Data Security Standards.
Compliance begins with familiarity with the standards themselves, according to PCI experts. A helpful document is the standards’ quick reference guide. Next, organizations should take stock of their operations, spanning business practices and network practices.
Some companies only need to perform a self-assessment to show their compliance with the standards. Others, however, may need to contract a third-party assessor, who will closely examine the business’ network as well as its organizational practices.
Which kind of assessment is right for which type of organization? The requirements depend, in part, on how card payments are taken: organizations that use payment terminals face a different set of evaluation requirements from those that use e-commerce to process transactions.
Some organizations store cardholder data in networks with external-facing IPs. These companies must perform a thorough vulnerability scan to identify the risk to cardholder data. Scans must be conducted on a quarterly basis.
Digging from the Inside and Out
PCI vulnerability scans identify risks in applications, websites and IT infrastructure. They must also be run after administrators make significant changes to their networks, such as installing new hardware or altering firewalls. The scans allow IT professionals to fix the vulnerabilities found and so minimize the chance of an attack or data breach.
Organizations are responsible for two kinds of scans. One is “internal” and the other is “external.”
Internal scans focus on vulnerabilities that lie inside a network’s firewall, that is, risks within a business’ own network.
External scans consider threats from beyond the network. They analyze ways that an outsider could attack a network, and provide actionable information to help administrators patch these vulnerabilities.
The Cost of Noncompliance
Sound complicated? You're not the only one who thinks so.
But despite their complexity, the PCI standards deserve serious attention. They shouldn’t be ignored.
The reason comes down to money. Noncompliant businesses can face large fines. Very, very large fines.
If a business is noncompliant with the Data Security Standards, it can face up to half a million dollars in fines. These fines are issued to an organization's acquiring bank, which may pass the cost to the organization itself.
Huge fines are a significant incentive to remain in compliance. But again, it's worth remembering the larger goal of the Data Security Standards. The standards aren’t about meeting an arbitrary set of demands. Their goal is to put in place important security measures, which protect networks and sensitive data.
The work to comply can seem like a tall order.
But it doesn’t have to be.
A Total PCI Solution
MAX Risk Intelligence from SolarWinds MSP (formerly LOGICnow) is an industry leader in no small part because of features that help with PCI compliance. Our platform offers comprehensive PCI vulnerability scanning with the ability to uncover — and eliminate — any risks to cardholder data. That's true whether you're running a small organization's network or the network of a major enterprise company.
MAX Risk Intelligence offers PCI vulnerability scanning with functionalities that include:
- Data scans that root out at-risk cardholder data, no matter where it resides within a network.
- User lists showing who has access to cardholder data.
- Primary Account Number scans that rely on a host-level authentication pattern.
Our PCI vulnerability scanning covers your entire network, with support for:
- Multiple devices, including computers, tablets, smartphones and servers.
- A variety of data types, including Microsoft Office documents, zip files, archives, databases and much more.
- Numerous platforms, such as Exchange, SharePoint and cloud storage.
PCI vulnerability scanning is an important part of the compliance process. With SolarWinds MSP, you can go far beyond the minimum PCI standards. Protect cardholder data, whether it’s at rest or in transit, with:
- Bulletproof data encryption
- Unique, custom logins
- IP blacklisting and whitelisting
- Two-factor authentication
- Logs of all application activity to maintain audit trails
Why MSPs Choose Intelligence with SolarWinds MSP
Our platform is built to accommodate the specific needs of MSPs. With MAX Risk Intelligence, you gain actionable insights, which allow you to protect your networks from phishing, malware and other external threats. Scans remain light on your systems and cover the broad range of network data and hardware.
Your clients will be thrilled with our PCI vulnerability scanning solutions. The numbers tell the story: MSPs using SolarWinds MSP have a 98 percent client retention rate, in no small part because of the comprehensive tools that our platform offers.
Want to give our solution a try? We offer a free trial that you can get up and running in 10 minutes. That’s less time than it’ll take to explain PCI compliance to your clients.
About SolarWinds MSP
SolarWinds MSP delivers the only 100% SaaS, fully cloud-based IT service management (ITSM) platform, backed by collective intelligence and the highest levels of layered security. SolarWinds MSP MAX products – including Risk Intelligence, Remote Management, Backup & Disaster Recovery, Mail and Service Desk – comprise the market’s most widely trusted integrated solution.
Deployed on millions of endpoints across hundreds of thousands of networks, the platform has the industry vision to define and deliver the future of the market. SolarWinds MSP provides the most comprehensive IT security available as well as LOGICcards, the first ever IT notification feature powered by prescriptive analytics and machine learning.
SolarWinds MSP's passion is helping IT professionals secure and manage their systems and data through actionable insights, rewriting the rules of IT.
Sources
PCI Security Standards Council: https://www.pcisecuritystandards.org/about_us/
PCI Security Standards Council: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1470963512090
Merchant Link: http://www.merchantlink.com/blog/quick-look-pci-compliance-what-your-business-needs-know
PCI Security Standards Council: https://www.pcisecuritystandards.org/documents/PCI SSC Quick Reference Guide.pdf
PCI Security Standards Council: https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf
Focus On PCI: http://www.focusonpci.com/site/index.php/pci-101/pci-noncompliant-consequences.html