If you need to comply with PCI DSS, the chances are very good that you will need to perform regular compliance scans. This raises some questions: what is a PCI compliance scan, why might you need one, and who can do one?
Companies that need to comply with PCI DSS are met with varying sets of requirements, depending on how much card business they do. Whether they are a merchant or a service provider also affects their compliance obligations. However, one requirement that typically applies to even the smallest companies is the need for PCI DSS compliance scans.
So what are these compliance scans? More properly, they are external vulnerability scans. A trusted third party, known as an Approved Scanning Vendor (ASV), probes every public-facing system in scope from the Internet and looks for known vulnerabilities in the services it finds. How does the ASV know which systems are public-facing? You tell them: when you set up the service you supply the external IP addresses and domain names in scope, and you are responsible for keeping that list complete and current.
Compliance Scan Reports
After performing a scan, your ASV will produce a report listing any issues found. To be considered compliant, your ASV needs to scan all of your public-facing systems and find no vulnerabilities that would cause a failure (under the ASV Program Guide, any vulnerability with a CVSS base score of 4.0 or higher, plus certain automatic failures such as unsupported software versions). If such issues are found, they will be listed in the scan report and the scan will be considered non-compliant.
When you get a non-compliant scan, you have an obligation to fix the issues that were found, in a process called remediation. Once you have remediated all the issues found, you ask the ASV to scan again. This cycle continues until you have a "clean" passing scan report with no failing issues.
Compliance Scanning Frequency
Your PCI DSS reporting obligations will typically be on an annual basis. But a year is a long time in IT security, so compliance scans from your ASV have to be done more frequently: at least quarterly, and again after any significant change to the in-scope environment. When going through your PCI DSS assessment (self-assessment or otherwise) you will be expected to show a passing scan report for each of the previous four (4) quarters.
If you do not have all four, then it is time to consider what compensating controls you can describe and document. The purpose of a compensating control is to demonstrate how you achieved the intent of the PCI DSS requirement without having the specific required control in place.
You can read more about the ASV scanning process in our dedicated article on the topic.