PCI

What is the difference between PCI and Vulnerability Scanning?

5 min read
What is the difference between PCI and Vulnerability Scanning?

The McAfee SECURE certification is now TrustedSite Certification. TrustedSite Certification includes an extended portfolio of earned certifications and trustmarks that help alleviate even more concerns of online shoppers. Explore the new features here.

As an online merchant, you know how important your site's security is. Right now, you're likely doing many things that reflect that, like using SSL and regularly scanning your site for malware.

But there's more. If you're not already using it, you're probably at least aware of PCI and vulnerability scanning—but do you actually know what these terms mean, and whether or not you need them?

Read on to find out why these practices are important to your business and how, without them, you could be putting your business and your customers at risk.

What is PCI?

The Payment Card Industry Data Security Standards (PCI DSS) was created by the PCI Security Standards Council (PCI SSC) and is exactly what it sounds like it is—a set of security standards put in place for all businesses who process, store, or transmit credit card data (or other sensitive data).

The standard was created to protect credit card data and reduce credit card fraud. Anyone processing this data—including manufacturers, distributors, retailers, online and offline merchants—must adhere to these standards.

Six Categories of Standards

In order for a business to be deemed PCI compliant, businesses must meet six categories of PCI standards.

scanningvspci_pci_categories@2x-1

In addition, you must protect all systems and devices that capture payment information. These include card readers, point of sale systems, store networks & wireless access routers, digital payment card data storage and transmission, paper-based records that store payment card data, online payment applications, and shopping carts.

scanningvspci_systems_devices@2x-1

Even if you think your website and systems are compliant, it may not always be the case. If you have a brick-and-mortar store and collect payments through a POS system or over the phone, you need to make sure those systems are scanned for security vulnerabilities and are in compliance as well.

What is vulnerability scanning?

Vulnerability scanning is the automated process of proactively identifying security vulnerabilities in a network or website to determine if and where a system can be exploited and/or threatened. This is a best practice for anyone managing a network and/or site.

Scanning services help you anticipate, discover, monitor and remediate threats across apps, services, plugins, and subdomains. If you process, store, or transmit sensitive data then it will most likely be required of you by your merchant bank (aka your acquirer).

Even if your business doesn't process, store, or transmit credit card data, you probably need vulnerability scanning. Whether or not you process credit card data, if you have any public facing assets connected to the internet, you still need to be scanning your environment. If a serious vulnerability does exist, you need to be aware of it—otherwise a hacker could potentially exploit and compromise your system.

It is important to note that scanning is a requirement for becoming PCI compliant, but is not the only step a business must take to do so.

So what are PCI reports?

All businesses that process credit card information are required to submit quarterly attestation of scan compliance reports to their acquirer. Once a passing scan is obtained you can generate and submit the report to your Approved Scanning Vendor (ASV) for approval.

Why is all of this important?

Let's face the facts: criminals want your cardholder data, period. By gaining access to this information, they can more easily steal a person's identity, rack up false charges, or sell it to other bad guys.

As a responsible business owner, it is your duty to protect sensitive cardholder data. Scanning your perimeter and making sure your business is PCI compliant ensures that you are taking the right steps to keep your customer's personal information safe. Without these, you are putting not only your customers at risk, but your entire business as well.

scanningvspci_protect_customers@2x

What if I'm using a platform?

If you're operating your site on a platform like Shopify, chances are you're already in compliance. Shopify is certified Level 1 PCI DSS compliant. This compliance extends to all online stores powered by Shopify.

Most open source platforms, however, are typically not compliant. Check with your platform or hosting provider to find out if your website is already protected. Again, keep in mind if you operate a brick-and-mortar store and take orders in person or over the phone, you will need to take extra measures to ensure you are compliant.

scanningvspci_platforms@2x-2

How can McAfee SECURE help?

Just like TurboTax makes the dreaded process of filing your taxes easier, the McAfee SECURE solutions are here to help walk you through the scanning and PCI process.

As an ASV, our external scanning solution helps you protect your data and achieve PCI compliance necessary to process payments online. Plus, it's one of the easiest ways to safeguard your business against attack.

Our cloud-based scanning and PCI service is designed to help businesses meet their quarterly external scan requirement outlined in chapter 11 (11.2.2) of the PCI DSS. Once passing scans are met and any high severity issues (CVSS score of 4.0 or higher) have been mitigated, attestation of scan compliance reports can be generated and submitted to us for approval. The scanning and PCI solution are built into the same dashboard, allowing you to check everything in one place.

scanningvspci_dashboard@2x

PCI is a reporting option in our scanning solution, not a separate scan. Our scanning solution is designed to scan your entire perimeter. You can choose to apply our PCI services to your in scope assets only.

Note: a self assessment questionnaire (SAQ) will need to be completed and submitted to your acquirer (merchant bank) annually. McAfee SECURE does not provide the SAQ. You can download the questionnaire here.

Wrapping Up

Securing your website and your cardholder data is crucial to the success of your business. One breach (be it big or small) is all it takes for your business to lose credibility. Following these security standards for PCI and scanning will help you continue to build trust with your customers now and in the future.