Businesses that accept credit cards and other forms of electronic payment from their customers are required to keep their sensitive personal and financial information safe by complying with the Payment Card Industry Data Security Standard (PCI DSS) established by the Payment Card Industry Secure Standards Council (PCI SSC). A critical component of PCI compliance is PCI scanning.
“Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software,” notes Requirement 11 of the PCI DSS. “System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.”
Merchant-based vulnerabilities can crop up practically anywhere in the processing system, including point-of-sale devices (terminals), personal computers or servers, wireless hotspots or web shopping applications, paper-based storage systems and in the unsecured transmission of cardholder data to service providers. They can even be found in systems operated by service providers and financial institutions, which is why they are also required to be PCI compliant.
A PCI scan searches out and identifies the vulnerabilities in your credit card processing network and operating systems, enabling you to correct them and improve overall security. A scan is required if you electronically store cardholder data (including credit card account numbers, PINs and expiration dates) post authorization, or if your processing system is connected to the Internet.
The PCI DSS stipulates that internal and external network vulnerability scans should be run at least quarterly and after any significant change in the network, such as new system component installations, changes in network topology, firewall rule modifications and product upgrades.
A PCI scan is performed by using an automated tool that non-intrusively searches your network and web applications for vulnerabilities based on the external-facing Internet protocol (IP) address you provide. The scan identifies weaknesses in the operating systems, services and devices that could be targeted by hackers to gain access to your company’s private network.
Important security measures that are tested include usernames and passwords, security credentials and authentication methods.
Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV). Typically, only merchants and service providers with external-facing IP address are required to submit a passing scan each quarter to their credit card processor to validate their PCI compliance.
Failure to undergo regular PCI scans can have serious implications for your business, including an increased risk of data breach, loss of PCI compliance, hefty fines and penalties and loss of your merchant account and, with it, your credit card processing privileges for an extended period of time.
As a PCI-compliant credit card processor, Merchant Express® reinforces the important role played by PCI scans in protecting all of our merchants, their businesses and customers. Consult with one of our representatives today to help ensure that your operation’s credit card processing is as secure as it can be from the threat of data breach.