Vulnerability Scanning

Verifying Your PCI DSS Scope with Scanning Tools

With the release of PCI DSS 2.0 comes a new requirement – verifying that you’ve correctly identified the scope of your cardholder data environment. The PCI DSS compliance community believes, as a general principle, that you should limit the scope of your cardholder data environment to the greatest extent possible. This not only reduces the amount of work you will need to do to comply with the PCI DSS standard, but also reduces the overall risk to your organization by limiting complexity.

Verifying Scope

When a Qualified Security Assessor (QSA) prepares a Report on Compliance (RoC) for your company, they first must identify the scope of their assessment. They’re required to document that they’ve verified your approach in four ways. PCI DSS 2.0 states that they must verify: (continue reading…)


PCI DSS Vulnerability Scanning Requirements

The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants accepting credit cards conduct regular vulnerability scans of their environment in order to identify potential security flaws. Merchants often have questions about the scanning requirements and we provide the answers to some of the most commonly asked questions below. If you don’t see your question answered, feel free to ask it in the comments section!

What vulnerability scans does PCI DSS require?

PCI DSS requires that merchants perform both internal and external vulnerability scans on a regular basis to ensure that their cardholder data environment meets current security standards. The standard requires two different types of vulnerability scan:

  • External scans should be performed from outside your organization’s network and include all of your external IP addresses. These scans provide you with a view of the vulnerabilities that a hacker might exploit to gain an initial foothold on your network.
  • Internal scans should take place from a sufficient number of locations within your network to assess the security posture of all systems within the cardholder data environment. This provides an internal view of your security and points out flaws that an attacker could exploit after gaining initial access to your network.

(continue reading…)


Copyright © 1996-2010 PCI DSS Guru. All rights reserved.