03 September, 2014

The ABC's of ASV's & PCI

The ABC's of ASV's & PCI
Andrew Kates
Author: Andrew Kates
Share:
 

Secure Ideas prides itself on providing the highest level of service to our customers. We are tirelessly searching for new tools, and methods to use in strengthening security for our clients.  With that in mind, it is with great pleasure that we announce the unveiling of PCIScout.  After undergoing a thorough vetting, and testing process, we were recently made aware that Secure Ideas is now an official Approved Scanning Vendor for PCI.  PCIScout is operational, and we are excited to offer this new service along with the rest of our Scout tools.

Privacy Matters

Security should be a top priority for most organizations that handle sensitive information.  Having strong security measures in place is the first step in protecting against vulnerabilities, and attacks to your system.  With that said, keeping sensitive information private is becoming increasingly difficult in this fast-paced, technological age.  Adhering to a specific standard helps keep a fundamental security structure in place, one standard of which is PCI.

The Payment Card Industry Data Security Standard (PCI DSS) is in place, for companies and businesses that handle payment card data, to follow a uniform standard.  Keeping payment information safe from attack is a key component in organizations being PCI compliant.  To be compliant, an organization must commit to certain testing and auditing performed by contracted, authorized, vendors. If testing finds a company out of compliance, the necessary steps to remediate the issue must be taken immediately.

Finding the Right Vendor

An Approved Scanning Vendor, or ASV is able to perform these security scans for organizations that need to be considered PCI compliant.  An ASV must go through rigorous testing to become approved, and all ASV’s adhere to a specific protocol as defined by PCI, ensuring a consistent testing environment.  A comprehensive list of approved vendors can be found by clicking the link below.
https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php (Secure Ideas is now on the list.)

We know that PCI DSS is a standard used by organizations, and that approved scanning vendors are contracted to complete testing to ensure compliance.  Next, we need to understand who needs to follow PCI and how organizations benefit from compliance.  Simply put, any organization that accepts, transmits, or stores any cardholder data must be PCI compliant.  Failing to obtain such status can result in monthly fines from $5,000 to $100,000 and up. (https://www.controlscan.com/support-resources-qa.php)

PCI has four levels of merchants, 1 through 4.  The number of transactions a company performs per year is how PCI determines what level an organization falls under.  With each level comes a different set of validation requirements an organization must adhere to in order to stay compliant.  If an organization accepts any cardholder data whatsoever, they must be in compliance.  There is no grace period in which companies have to get compliant, so staying proactive is imperative.  Part of PCI requires quarterly scanning, so every 90 days, a passing scan must be submitted.  For a scan to pass, every host must meet the requirements of PCI.  The following link better outlines what constitutes a failing scan. http://www.qualys.com/products/pci/qgpci/pass_fail_criteria/

Is PCI Right For You?

The benefits of being compliant are great, and far outweigh the risks of not following the standard. Customers will begin to rely on an organization if they know their information is secure.  Trust is the greatest asset an organization can gain from being compliant, as it will most likely result in repeat customers, a better reputation in the security community, and the ability to help stop sensitive information from being compromised.

Andrew Kates is a Security Analyst for Secure Ideas. If you are in need of a penetration test, Scout services, or other security consulting services you can contact him at info@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.

Join the Professionally Evil newsletter

Related Resources