Posts Tagged ‘ASV’
PCI Scanning
Posted by: PCI Compliance Mentor in Uncategorized on March 28th, 2009
What does PCI stand for? It stands for “Payment Card Industry”, meaning card brands such as MasterCard, Visa, Discover, etc. If you are a business owner and accept credit cards for merchant payments, you will more than likely be required to have PCI scanning performed by an Approved Scanning Vendor (ASV). A complete list of approved PCI scanning vendors is available at https://www.pcisecuritystandards.org/.
PCI scanning vendors were put into place to create an additional level of protection for consumers, by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.
Wikipedia has this to say about internet credit card fraud: “Most internet fraud is done through the use of stolen credit card information which is obtained in many ways, the simplest being copying information from retailers, either online or offline. Despite efforts to improve security for remote purchases using credit cards, systems with security holes are usually the result of poor implementations of card acquisition by merchants. For example, a website that uses SSL to encrypt card numbers from a client may simply email the number from the webserver to someone who manually processes the card details at a card terminal. Naturally, anywhere card details become human-readable before being processed at the acquiring bank, a security risk is created. However, many banks offer systems where encrypted card details captured on a merchant’s webserver can be sent directly to the payment processor.”
As part of this PCI scanning process, a company must first complete a Self-Assessment Questionnaire (SAQ) on an annual basis. During the spring of 2008 a new SAQ was launched, redesigned to make the questions more relevant to what merchants actually do. There are now four parts; which part best matches what a company does determines the number of questions that need to be answered, and whether or not quarterly vulnerability scanning is required. Companies also need to attest to the truthfulness and accuracy of their responses on the SAQ.
Scans help identify vulnerabilities and misconfigurations in websites and IT infrastructure with externally facing IP addresses. This is very important for your company’s peace of mind.
Who has to comply with PCI scanning? If you are a merchant or service provider and accept credit cards, you must validate PCI compliance at least annually.
Even if you are a small business and only take a handful of cards on a daily basis, you still need to comply with the PCI scanning requirements.
Vulnerability Scanning
Posted by: PCI Compliance Mentor in PCI Scanning, Vulnerability Scanning on February 25th, 2009
Unfortunately, we live in a world where identity theft and other electronic crimes are rampant. As such, the PCI Council has compiled a number of specifications, or shall we say requirements, that must be put in place by all merchants accepting credit cards online and offline. These specifications take the form of a series of “recommendations” set forth by the PCI Council, designed to ensure that your company adheres to the regulations set forth by the Council. One such recommendation is vulnerability scanning.
The primary goal of vulnerability scanning is to pinpoint and identify any device inside your network which may be susceptible or vulnerable to threats. It’s important to remember that not all vulnerability scanners are created equal, and for this reason you should do your homework before using any vulnerability scanning vendor.
PCI Compliance Scanning Companies
Posted by: PCI Compliance Mentor in PCI Compliance, PCI Scanning, PCI Scanning Vendor on February 13th, 2009
A question you need to be asking yourself, once you have realized the importance of PCI compliance, is: “Which PCI compliance scanning company should I use?” Once you have asked yourself this question, you need to start searching for a great company to help you on your way to security. Here are some questions to ask those companies:
- How many vulnerabilities do you scan for?
- Does your company offer Daily Scanning, Quarterly Scanning or both?
- Does your company offer PCI Seals to place on my website to show my customers that they can trust me? (Very Important)
- Is your company an ASV certified scanner, or are you partnered with an ASV certified vendor?
- How long does the process take?
- Do you offer PCI compliance tools, such as the Self-Assessment Questionnaire (SAQ) and Compliance Validation Basics information, to help me become compliant?
- Do you send the scan reports to me on a regular schedule, or can I download them?
- Will you support me in becoming PCI compliant?
So make sure you save these questions, or print out this post, so that when you approach these PCI compliance scanning vendors you can ask these important questions. Let’s go over each question in detail to really understand its unique importance.
