Article

FAQ - PCI Scanning

All your PCI Scanning questions answered

What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. In practice this means any merchant that has a Merchant ID.

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

What are the Merchant levels, how do I know which one I belong to?

Specific requirements depend on the card brand; however, every merchant falls into one of four merchant levels based on its transaction volume over a 12-month period. In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2 and Level 3 merchants, and may be required for Level 4 merchants. Any merchant that has suffered a breach resulting in an account data compromise may be escalated to a higher validation level.

Level 1
  • American Express: merchants processing over 2.5 million American Express Card transactions annually.
  • Discover: merchants processing over 6 million card transactions annually on the Discover network.
  • JCB: merchants processing over 1 million JCB International transactions annually.
  • MasterCard: merchants processing over 6 million total combined MasterCard and Maestro transactions annually.
  • Visa Inc: merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region.
  • Visa Europe: merchants processing over 6 million Visa transactions annually (all channels), or compromised merchants.

Level 2
  • American Express: merchants processing 50,000 to 2.5 million American Express transactions annually.
  • Discover: merchants processing 1 million to 6 million card transactions annually on the Discover network.
  • JCB: merchants processing fewer than 1 million JCB International transactions annually.
  • MasterCard: merchants processing more than 1 million but no more than 6 million total combined MasterCard and Maestro transactions annually.
  • Visa Inc: merchants processing 1 million to 6 million Visa transactions annually (all channels).
  • Visa Europe: merchants processing 1 million to 6 million Visa transactions annually.

Level 3 (Visa Inc and Visa Europe)
  • Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.

Level 4 (Visa Inc and Visa Europe)
  • Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.

What are the validation requirements for my Merchant Level?

The validation requirements for your merchant level depend on the card brand; however, the following is a generalised description:

  • Level 1 Merchants must have an annual onsite assessment performed by a Qualified Security Assessor (QSA) and quarterly PCI scanning performed by an Approved Scanning Vendor (ASV). In addition, Visa merchants must have the Attestation of Compliance form completed by their QSA.
  • Level 2 Merchants must complete an annual Self-Assessment Questionnaire (SAQ) and must undergo quarterly PCI scanning performed by an ASV. In addition, Visa merchants must have the Attestation of Compliance form completed by their QSA.
  • Level 3 Merchants must complete an annual Self-Assessment Questionnaire and undergo quarterly PCI scanning (except for JCB, which has no merchant levels below Level 2). Visa Europe also offers the option of using PCI DSS validated/compliant Payment Service Providers for all payment processing, storage and transmission.
  • Level 4 applies only to Discover, MasterCard and Visa merchants. Compliance validation is determined by the acquirer; the recommended validation is the same as for Level 3 merchants, i.e. completing the annual Self-Assessment Questionnaire and undergoing quarterly PCI scanning with an ASV.

What are the benefits of demonstrating my progress towards PCI Compliance?

The key is demonstrating that you are managing a route to compliance. Go to your acquirer with the evidence before they come looking for you. This will help if you have a breach or are threatened with fines. Be proactive and have a response plan in place beforehand; executing it will give the acquirer confidence that you are on top of the situation.

There are many benefits to becoming PCI compliant. Quarterly PCI scans, which must be performed by an Approved Scanning Vendor (ASV), are an efficient way of checking your externally facing systems for vulnerabilities that could lead to your customers' personal and cardholder information being stolen. Once alerted to these vulnerabilities, it is important to remediate them (and rescan to confirm the fix) so that the information remains secure. Note that ASV scanning covers only externally visible vulnerabilities; it is one of the PCI DSS requirements, not a substitute for the rest of the standard.

Becoming PCI compliant also increases your customers' trust: the perception is that you take IT security seriously and, therefore, that their cardholder data and personal information is secure.

The greatest benefit of becoming PCI compliant is avoiding the consequences you would face if you do not. Merchants that do not become PCI compliant risk major fines, or, if they experience a breach, losing the ability to handle credit card data on their website at all.

Do organisations using third-party processors have to be PCI compliant?

Yes. Using a third-party company does not exclude a company from PCI compliance. It may reduce their risk exposure and consequently reduce the effort needed to validate compliance, because the third party's own compliance covers the services it provides. However, the merchant remains responsible for the parts of the environment it still operates (for example the website that redirects customers to the payment provider) and for managing its service providers, so it cannot ignore PCI.

My business has multiple locations, is each location required to be PCI Compliant?

If your business locations process under the same Merchant ID, then typically you are only required to validate once annually for all locations. You must submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV).

How often do I have to scan?

At least every 90 days (once per quarter) you are required to submit a passing scan to your acquiring bank. Scans are also required after any significant change to the network. Merchants and service providers should submit the scanning Attestation of Compliance according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV).

What reports should I receive from my ASV?

You should receive three reports from your Approved Scanning Vendor:

  1. Attestation of Compliance: states whether your organisation is compliant with PCI DSS from a scanning perspective. It should contain your main contact's details and your address, and the ASV's main contact details and business address.
  2. Executive Summary: provides a table listing each of your externally facing hosts with a status of "Compliant" or "Non-Compliant", followed by a list of the vulnerabilities affecting the hosts and whether each vulnerability causes a PCI fail.
  3. Vulnerability Details: provides a list of all the vulnerabilities found and the hosts affected by each of them.

How are the vulnerabilities ranked?

Any vulnerability detected during scanning is assigned a CVSS Base Score. Where one exists, the ASV uses the score published by the National Institute of Standards and Technology (NIST) in the National Vulnerability Database (http://nvd.nist.gov/cvss.cfm); the score maps to a severity level as follows:

  • CVSS Base Score of 7.0 – 10.0 (the maximum) = High Severity
  • CVSS Base Score of 4.0 – 6.9 = Medium Severity
  • CVSS Base Score of 3.9 or less = Low Severity

What causes a PCI Fail? Can I fail PCI based on a low severity vulnerability?

Low severity vulnerabilities rarely cause a PCI fail, but there are exceptions. The CVSS Base Score is not the only basis for whether a scan passes or fails: a host can pass with a High severity finding (for example one whose only impact is denial of service) and fail with a Low severity finding (for example a cross-site scripting flaw), depending on the type of vulnerability.

PCI pass/fail status is determined by the following criteria:

  • Vulnerabilities with a NIST CVSS v2.0 base score of 4.0 or higher cause a PCI fail on the affected IP.
  • Vulnerabilities or misconfigurations whose only impact is denial of service do not cause a PCI fail, regardless of their CVSS score.
  • Where a vulnerability has no NIST-assigned CVSS score, or a NIST score of 0, your ASV should apply the CVSS v2 base score formula itself to determine the severity and pass/fail status.
  • An IP is considered non-compliant if it supports SSL version 2.0 (or older).
  • Vulnerabilities that may lead to SQL injection or cross-site scripting result in a non-compliant status on the affected IP, whatever their CVSS score.
  • The PCI Technical Report lists all vulnerabilities discovered; those that drive the pass/fail result are marked as such.
  • Certain other findings, such as the presence of obsolete software or a database service reachable from the Internet, also cause automatic failure.
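The rules above are easiest to check against a concrete triage routine. The following is an added example written for this FAQ, not MWR's scanner or any PCI SSC tool: it computes a CVSS v2 base score from a vector string for findings that have no NVD score (using the published CVSS v2 base equation), maps scores to the High/Medium/Low bands, and then applies the pass/fail rules per host the way the Executive Summary table does. The finding fields, the tag names (xss, sqli, ssl2, obsolete_software), the hosts (documentation addresses in 203.0.113.0/24) and the sample findings are all constructed for illustration; a real ASV applies the full ASV Program Guide, which this does not reproduce.

```python
"""Added example (not MWR's or PCI SSC's code): triage scan findings into the
per-host PCI pass/fail status described in the FAQ, computing a CVSS v2 base
score from the vector string where no NVD score exists.  Field names, tags
and sample findings are constructed for illustration."""
from __future__ import annotations

import math
from dataclasses import dataclass

# CVSS v2 base metric weights (CVSS v2 specification, base equation).
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality/Integrity/Availability impact


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return math.floor(score * 10 + 0.5) / 10   # round to one decimal, halves up


def severity(score: float) -> str:
    """Map a base score to the High/Medium/Low bands used in ASV reports."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Finding categories that fail PCI regardless of score (assumed tag names).
AUTO_FAIL = {"sqli", "xss", "ssl2", "obsolete_software"}


@dataclass
class Finding:
    host: str
    title: str
    vector: str                        # CVSS v2 vector string
    nvd_score: float | None = None     # NVD-assigned score; None or 0 means unscored
    dos_only: bool = False             # impact limited to denial of service
    tags: frozenset = frozenset()      # assumed category tags, e.g. {"xss"}

    def score(self) -> float:
        if self.nvd_score:             # None and 0 both mean "compute it ourselves"
            return self.nvd_score
        return cvss2_base_score(self.vector)


def fails_pci(f: Finding) -> bool:
    """DoS-only never fails; listed categories always fail; otherwise >= 4.0 fails."""
    if f.dos_only:
        return False
    if f.tags & AUTO_FAIL:
        return True
    return f.score() >= 4.0


def host_status(findings: list[Finding]) -> dict[str, dict]:
    """Roll findings up per host: status plus the findings that drove a fail."""
    report: dict[str, dict] = {}
    for f in findings:
        entry = report.setdefault(f.host, {"status": "Compliant", "failing": []})
        if fails_pci(f):
            entry["status"] = "Non-Compliant"
            entry["failing"].append((f.title, f.score(), severity(f.score())))
    return report


# Constructed sample findings (not real scan output).
SAMPLE = [
    # Medium (5.0) but DoS-only: passes.
    Finding("203.0.113.10", "TLS renegotiation DoS", "AV:N/AC:L/Au:N/C:N/I:N/A:P", dos_only=True),
    # Low (2.1) but cross-site scripting: fails anyway.
    Finding("203.0.113.10", "Authenticated XSS in admin page", "AV:N/AC:H/Au:S/C:N/I:P/A:N",
            tags=frozenset({"xss"})),
    # Low (2.1), local information disclosure: passes.
    Finding("203.0.113.11", "Local info disclosure", "AV:L/AC:L/Au:N/C:P/I:N/A:N"),
    # High, NVD-scored: fails.
    Finding("203.0.113.12", "Unauthenticated RCE", "AV:N/AC:L/Au:N/C:C/I:C/A:C", nvd_score=10.0),
]

if __name__ == "__main__":
    for host, entry in host_status(SAMPLE).items():
        print(host, entry["status"], entry["failing"])
```

Running it shows the two cases the FAQ warns about: 203.0.113.10 carries a Medium-severity finding that does not fail (DoS-only) alongside a Low-severity finding that does (XSS), so the host is Non-Compliant on the Low finding alone; 203.0.113.11 is Compliant despite a finding, and 203.0.113.12 fails on its score.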

How do I submit the documentation to my acquiring bank?

Compliance documentation must be submitted via email, fax, post or online (if the service chosen provides the facility to do so).

What are the penalties for noncompliance?

The payment brands may, at their discretion, fine an acquiring bank between £2,500 and £80,000 per month for PCI compliance violations. The bank will most likely pass this fine on to the merchant. If no progress is made after a period of fines being applied, the bank may either terminate your relationship or increase your transaction fees. Penalties are not openly discussed nor widely publicised, but they can be catastrophic to a small business.

It is important to be familiar with your merchant account agreement, which should outline your exposure.

What should I do if I’m compromised?

We recommend following the procedures outlined in Visa’s What to Do If Compromised Visa Fraud Control and Investigations Procedures document.

What documents must I submit to demonstrate compliance with the standard?

All merchants, regardless of their level, must submit the reports generated by a PCI scan performed by an Approved Scanning Vendor every 90 days. Additionally, all Level 2, 3 and 4 merchants must submit the Self-Assessment Questionnaire issued by the PCI Security Standards Council annually. Level 1 merchants are subject to an onsite assessment of their payment environment and do not need to submit the questionnaire.

Where can I find additional information about the PCI Data Security Standard?

All information about the PCI Data Security Standard may be found on the PCI Security Standards Council’s website.


Accreditations

As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
We are certified in the ISO 9001 quality management system (QMS) in the UK, ensuring reliable delivery of our products and services.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by the PCI SSC to validate other organisations' adherence to PCI DSS.