The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that accept, process, store, or transmit credit and debit card information maintain a secure environment. Compliance with PCI DSS standards is a crucial element of any company’s security infrastructure, particularly those that accept payment cards. While PCI DSS compliance is best known for its quarterly external vulnerability scans, there are other considerations that should be taken into account.
The first consideration is methodology. The methodology used by the testing provider should match the written policies and procedures of the entity seeking the assessment. This covers internal and external network vulnerability testing, internal and external penetration testing, segmentation testing, API penetration testing, and web application vulnerability testing. In addition, all publicly reachable assets associated with payment pages should be submitted for testing.
Another important factor is the Approved Scanning Vendor (ASV) scans. These should be attested scans, and the scan report should contain enough detail to establish what was scanned and what was found. The report should include the tester’s credentials and training record, the dates of the previous and current test execution, the dates of any remediation testing, all URLs and IP addresses covered, and any additional methodology used.
Finally, with the upcoming PCI DSS 4.0, testers must also demonstrate that their test tools are up to date and capable of mimicking all current and emerging attacks. Credentialed (authenticated) internal vulnerability scans are also required.
In conclusion, the PCI DSS Standard and its associated Report on Compliance require more than just quarterly external vulnerability scans. Methodology, ASV scans, and report inclusions should all be taken into account. Additionally, PCI DSS 4.0 adds further requirements, such as the need for up-to-date test tools as well as credentialed internal vulnerability scans.