Most companies with PCI compliance obligations are regularly performing their own internal vulnerability scans and reviewing the results. However, vulnerability scanning and remediation is one of the requirements within PCI DSS that companies repeatedly struggle to achieve. One important requirement with PCI vulnerability scanning control is performing quarterly scans.
Understanding the PCI Control 11.2.1
PCI control 11.2.1 states, “Perform quarterly internal vulnerability scans.” On the surface, this control seems simple enough. However, once an auditor begins to dig into this control, it is often the case that the security staff of a company undergoing the audit thought the control was being met when in reality it is not.
The PCI testing guidance for control 11.2.1 details the following testing requirements:
- 11.2.1.a – Review the scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period.
- 11.2.1.b – Review the scan reports and verify that the scan process includes rescans until passing results are obtained, or all “High” vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.
- 11.2.1.c – Validate that the scan was performed by a qualified internal resource(s) or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
The most troublesome of these three testing requirements is 11.2.1.b. As required by 11.2.1.b, all “High” vulnerabilities, as defined by PCI requirement 6.2, found in vulnerability scanning reports are to be resolved and a rescan demonstrating these vulnerabilities are resolved is to be performed and documented.
What is PCI DSS Requirement 6.2?
PCI DSS Requirement 6.2 discusses risk rankings for vulnerabilities and elaborates on these risk rankings and vulnerabilities as follows:
“Risk rankings should be based on industry best practices. For example, criteria for ranking ‘High’ risk vulnerabilities may include a CVSS base score of 4.0 or above, and/or a vendor-supplied patch classified by the vendor as ‘critical,’ and/or a vulnerability affecting a critical system component.”
Where most companies fall short on 11.2.1.b is in the remediation of vulnerabilities and the subsequent rescanning. To ensure compliance with this control, it is imperative to remember to conduct quarterly scanning and, should vulnerabilities be found in the initial scan, remediation and rescanning must also occur in the same quarter.
LBMC Information Security reviews compliance efforts, can test to assure compliance and can help your team develop an action plan to remediate compliance. If you have questions, please contact us. Learn more about our PCI Compliance services.
Download our guide, PCI Compliance Guidelines Explained, for more ways to stay up to date with PCI compliance for your firm.