The reason why PCI scanning vendors were put into place is to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.

Wikipedia has this to say about internet fraud of credit cards. “Most internet fraud is done through the use of stolen credit card information which is obtained in many ways, the simplest being copying information from retailers, either online or offline. Despite efforts to improve security for remote purchases using credit cards, systems with security holes are usually the result of poor implementations of card acquisition by merchants. For example, a website that uses SSL to encrypt card numbers from a client may simply email the number from the webserver to someone who manually processes the card details at a card terminal. Naturally, anywhere card details become human-readable before being processed at the acquiring bank, a security risk is created. However, many banks offer systems where encrypted card details captured on a merchant’s webserver can be sent directly to the payment processor.”

In order to apply to be able to do this PCI Scanning a company has to first complete a Self-Assessment Questionnaire on an annual basis. During the Spring of 2008 a new SAQ was launched and was re-designed to make the questions more relevant to what merchants actually do. There are now four parts, and depending on which part best matches what a company does, will determine the number of questions that will need to be answered – and whether or not quarterly vulnerability scanning is required. Companies will also need to make sure they attest to the truthfulness and accuracy of their responses on the SAQ.

Scans help identify vulnerabilities and misconfigurations of websites and IT infrastructures containing externally facing IP addresses. This is very important for your company’s piece of mind.

Who has to comply to PCI scanning? If you are a merchant or service provider and accept credit cards you must validate PCI compliance at least annually.

Even if you are a small business and only take a handful of cards on a daily basis, you still need to comply with the PCI scanning.

The primary goal of vulnerability scanning is to pinpoint and identify any device inside your network, which may be susceptible or vulnerable to threats. It’s important to remember that not all vulnerability scanners are created equally. And for this reason, you should do your homework prior to utilizing any vulnerability scanning vendor.

As of late, it has become increasingly important that online e-commerce retailers utilize vulnerability scanning in order to protect themselves from the many electronic threats lurking in the dark reaches of the Internet. The use of a vulnerability scanner can help protect your network in your system from hackers and other electronic “vulnerabilities”. The use of the vulnerability scanning is considered to be a proactive approach to protecting yourself and your customers during the process of e-commerce.

Running a vulnerability scan can reveal areas in your network that are weak or prone to attack. This can allow you to make necessary changes to your network in order to protect yourself and your customers.
As with anything else, it is important to note that the use of a vulnerability scanning is not foolproof. It is important to combine the use of a scanning with other means of protection in order to ensure security.

As mentioned before, it’s a good idea to do your homework and review some of the available Approved Scanning Vendors on the market today. You will find that researching available vulnerability scanning vendors to online resources is one of the smartest ways, and the most time efficient ways, to locate a high-quality vulnerability scanner. You may find it in a fit to note that most vulnerability scanners are relatively simple to use. A few simple instructions should have you up and running in no time. If you find the use of vulnerability scanning to be too complicated, it is possible to find a professional to perform the service for you.

Remember, the reputation of your online business could be at stake, spending a little time in proactive research of your network could end up saving you lots of effort, time, and even money in the long run. So start your vulnerability scanning today.

• How many vulnerabilities do you scan for?
• Does your company offer Daily Scanning, Quarterly Scanning or both?
• Does your company offer PCI Seals to place on my website to show my customers that they can trust me? (Very Important)
• Is your company an ASV certified scanner or are you partnered up with an ASV Certified vendor?
• How long does the process take?
• Do you offer me PCI Compliance tools such as the Self Assessment Questionnaire (SAQ) and the Compliance Validation Basics information to help me become compliant?
• Does the scanning vendor send you the scanning reports frequently or can you download them?
• Will you support me in becoming PCI compliant?

So make sure you save these questions or print out this post so that when you go to these PCI Compliance scanning vendors that you can ask these important questions. Lets go over each question in detail at this time to really understand their unique importance.

How many vulnerabilities do you scan for?

The number of vulnerabilities scanned for on you servers and external facing IP addresses is important due to the very fact that hackers are finding different ways all the time to hack into our information. The company that you go with to provide your PCI scanning needs to stay up-to-date on all the vulnerabilities that are out there.

Does your company offer Daily Scanning, Quarterly Scanning or both?

This is really a preference of yours. A lot of people including myself would want daily scanning mainly for the fact that I would want to show my visitors and customers that my site is scanned daily. But to become compliant with the PCI Security Standards Council all that you will need is Quarterly. So really it is up to you. Most companies offer at least quarterly so that should be a minimum requirement.

Does your company offer PCI Seals to place on my website to show my customers that they can trust me?

Placing a seal on your website letting your visitors know that your site is secure is so very important and is a must. Providing trust and confidence to your visitors and customers mean more sales, higher conversion rate and more repeat purchases. Make sure that the company that you are purchasing from has seals for all of their PCI scanning services.

Is your company an ASV certified scanner or are you partnered up with an ASV Certified vendor?

To be in compliance with the PCI Security Standards you must be scanned by an approved ASV certified vendor. So when you are shopping around this is a must. Some companies partner directly with ASV certified companies, so and if you can’t find them listed as an ASV certified scanner, simply ask them who their ASV certified partner is.

How long does the process take?

The actual process of becoming PCI compliant can take some time but to actually get your servers scanned should take that long to implement. So this is a great question to ask, if you are impatient like me.

Do you offer me PCI Compliance tools such as the Self Assessment Questionnaire (SAQ) and the Compliance Validation Basics information to help me become compliant?

Having these tools are essential in becoming PCI compliant and your scanning vendor should have these readily available for you with simple explanations of how to fill them out. Granted you can find it all online but it is nice when the scanning vendor has it ready for you to fill out.

Does the scanning vendor send you the scanning reports frequently or can you download them?

Once you have been scanned your PCI scanning vendor should either send you the scanned reports to you by email or have a secure control panel where you can download them easily. It is that simple.

Will you support me in becoming PCI compliant?

Although the PCI scanning vendor really has nothing to do with you becoming compliant other than scanning your website for vulnerabilities and giving you the reporting required. It is important that they guide you through the process and give you a helping hand.

All of these things need to be answered the way you would like to hear them and if they are then you have found the correct company.

Trust Guard offers a great pci scanning comparison chart that you really need to check out. They compare website verification companies and PCI compliance scanning companies. So learn more about Trust Guard PCI Scanning and also compare McAfee Secure and Control Scan.

So there it is a great checklist of items to help you with your PCI compliance scanning vendor searching. Hope it has helped direct you in the correct path.