Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Blog de Tenable

Suscribir

More Understanding PCI DSS Scanning Requirements

Nota: This article has been updated to reflect the availability of Tenable.io VM. To learn more about this application and its latest capabilities, visit the Tenable.io Vulnerability Management web page.


Recently, Tenable published a blog, Understanding PCI DSS Scanning Requirements, which provided an overview of the three distinct network vulnerability scanning requirements found in the Payment Card Industry Data Security Standard (PCI DSS). The blog primarily focused on using Tenable.io for your external network vulnerability scanning to meet the PCI DSS 11.2.2 requirement. [Tenable, with Tenable.io, is an Approved Scanning Vendor (ASV) certified by the Payment Card Industry Security Standards Council (PCI SSC) to perform external network vulnerability scanning of a company’s perimeter, or Internet facing systems.]

There is often confusion about the vulnerability scanning requirements for PCI, most likely because there is so much focus on the external vulnerability scanning. ¿Por qué?External scanning is the only one of the three scanning requirements that must be performed by an authorized third party (an ASV). And the vast majority of “small” merchants and service providers are allowed to conduct their own compliance validation by (1) submitting the appropriate Self-Assessment Questionnaire (SAQ) and corresponding Attestation of Compliance (AoC), and (2) submitting evidence of four quarterly (passing) external vulnerability scans performed by an ASV.

In this blog, I will focus on the other two network vulnerability scanning requirements: (1) internal network vulnerability scanning, and (2) internal/external network vulnerability scanning after “significant changes” to your cardholder data environment (CDE).I will also address how you can meet these requirements with either Nessus Professional, Nessus Manager/, Tenable.io™, SecurityCenter™ or SecurityCenter Continuous View™.

In PCI terms, there are two types of entities: your company is either a Merchant (accepting debit/credit cards for the payment of goods and services you provide) who “transmits, processes, or stores, cardholder data,” or a Service Provider (a catch-all category that includes any other company that supports the payment card authorization & settlement and post-settlement activities, or more simply could “impact the security of [your customers’] cardholder data.”)

At a minimum, if you are a Merchant, and you either validate compliance with a QSA company (producing a Report on Compliance or RoC) or you self-assess using either SAQ-C or SAQ-D, then you are required to perform quarterly internal vulnerability scans and rescans as needed to resolve all “high-risk” vulnerabilities in your internal network.

If you are a Service Provider, you are required to perform quarterly internal vulnerability scanning regardless of whether you validate compliance with a QSA or by way of a Self-Assessment Questionnaire.

Nota: Even if your payment processing is performed primarily by a third party and/or your systems are hosted in the cloud, you are still responsible for validating compliance with the PCI DSS, which includes responsibility for vulnerability scanning as described above. If you’re not sure if this applies to you – ask! Don’t assume that the third party company you’ve engaged is doing it for you.

If you’ve determined that you need to perform internal vulnerability scanning, let’s look at the details of that requirement.

Internal vulnerability scanning (PCI DSS 11.2.1)

The PCI SSC provides a definition for an internal scan:

Refers to a vulnerability scan conducted from inside the logical network perimeter on all internal-facing hosts that are within or provide a path to an entity’s cardholder data environment (CDE).

The PCI DSS section that deals with network vulnerability scanning is requirement 11.2:

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

The detailed requirement for internal vulnerability scanning states the following:

11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.

There really isn’t much detail provided in the PCI DSS about what constitutes a valid, or qualifying internal network vulnerability scan – they pretty much have left that to the scan vendors to determine what is appropriate. The few detailed requirements are actually found in the PCI DSS Approved Scanning Vendors Program Guide which provides the following recommendations:

  • Applying the detailed requirements for external vulnerability scanning found in the ASV Program Guide to internal vulnerability scanning programs:
    • Be Non-disruptive – no exploitation, denial of service, or degradation of performance
    • Perform Host Discovery – make a reasonable attempt to find all live systems
    • Perform Service Discovery –perform a port scan on all TCP ports and all common UDP ports
    • Perform OS and Service Fingerprinting – primarily used to tailor additional vulnerability discovery
    • Have Platform Independence – scanner must cover all commonly used systems
    • Be Accurate – confirmed vulnerabilities must be reported as well as suspected or potential vulnerabilities

The biggest difference between internal vulnerability scanning and external vulnerability scanning is what the PCI DSS requires in terms of a “passing” scan

The biggest difference between internal vulnerability scanning and external vulnerability scanning is what the PCI DSS requires in terms of a “passing” scan. For external scans all vulnerabilities rated “Medium” and higher must be remediated; but for internal vulnerability scanning only “High” or “Critical” vulnerabilities have to be remediated in order to adhere to the requirement.

The risk ranking for internal vulnerability scanning is determined by you the customer

It is also worth noting that the risk ranking for internal vulnerability scanning is determined by you the customer, in accordance with requirement PCI DSS 6.1 which requires you to “establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as 'high,' 'medium,' or 'low') to newly discovered security vulnerabilities.” The biggest advantage here is that you have the opportunity to take an actual risk-based approach to the overall security of your internal network, which means you can take into account limited access, internal segmentation, likelihood of attack from the Internet, and so forth.

There is also a handful of special “automatic failures” for external vulnerability scanning that in some cases do not apply at all to internal scan results (e.g. open access to databases from the Internet or unrestricted DNS zone transfers).

Vulnerability scanning after significant changes (PCI DSS 11.2.3)

The third type of vulnerability scanning ... is when significant changes occur to the network environment

The third type of vulnerability scanning required by the PCI DSS is when significant changes occur to the network environment, particularly the cardholder data environment. The PCI DSS does not require that these scans be performed by an ASV (for external scanning), only that they are performed by qualified personnel.

What constitutes a significant change? The PCI DSS offers this guidance:

The determination of what constitutes a significant change is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant.

Scanning an environment after any significant changes are made ensures that changes were completed appropriately such that the security of the environment was not compromised as a result of the change. All system components affected by the change will need to be scanned.

There is certainly not universal agreement on what constitutes a “significant change” to your environment, but things such as adding systems or system components, updating OS/application versions, applying patches, changing access rules, or adding new logic or functionality are all worthy of consideration. Tenable would suggest erring on the side of caution if for no other reason than the fact that you are allowed to perform unlimited scanning (e.g. there is no additional cost for additional scans performed).

How Tenable solutions meet these scanning requirements

Any Tenable product may be used to execute vulnerability scans that meet both the internal and scan-after-significant-change requirements found in PCI DSS 11.2.

Tenable.io VM, Nessus Professional and Nessus Manager come with a scan policy template that is acceptable for use in meeting the PCI DSS 11.2.1 Internal vulnerability scanning requirement.

Internal PCI Network Scan

This scan policy template provides the minimum functionality required for an internal vulnerability scan; namely, a comprehensive scan of all TCP ports and common UDP ports as well as omitting things like Denial-of-Service attacks or certain conditions that are exclusive to external vulnerability scanning (that our Tenable.io VM solution provides).If you are a SecurityCenter or SecurityCenter Continuous View customer, there is a similar scan policy template available for use with your deployed Nessus scan engines.

Customers who use Nessus Manager or Tenable.io VM have the added benefit of being able to deploy remote Nessus scan engines to geographically diverse locations such as all of your retail stores or regional offices. Effective vulnerability scanning of remote retail locations has always been a challenge for merchants subject to PCI adherence, but with Tenable.io VM there is no longer the need to attempt internal routing of scan engines and results – you simply manage it all from the cloud.

Whether you are using Tenable.io for your external scanning for PCI today, or you are a long time user of Nessus or SecurityCenter for internal scanning, the good news is that you can use the Tenable solutions that you already love to meet all of your PCI vulnerability scanning requirements – inside, outside, and all over the world.

Para obtener más información:

Artículos relacionados

Noticias de ciberseguridad que le son útiles

Ingrese su correo electrónico y nunca se pierda alertas oportunas y orientación en seguridad de los expertos de Tenable.

Tenable Vulnerability Management

Disfrute el acceso completo a una plataforma moderna para la gestión de vulnerabilidades en la nube, que le permite ver y rastrear todos sus activos con una precisión inigualable.

Su prueba de Tenable Vulnerability Management también incluye Tenable Lumin y Tenable Web App Scanning.

Tenable Vulnerability Management

Disfrute el acceso completo a una plataforma moderna para la gestión de vulnerabilidades en la nube, que le permite ver y rastrear todos sus activos con una precisión inigualable. Compre una suscripción anual hoy mismo.

100 activos

Seleccione su tipo de suscripción:

Comprar ahora

Tenable Vulnerability Management

Disfrute el acceso completo a una plataforma moderna para la gestión de vulnerabilidades en la nube, que le permite ver y rastrear todos sus activos con una precisión inigualable.

Su prueba de Tenable Vulnerability Management también incluye Tenable Lumin y Tenable Web App Scanning.

Tenable Vulnerability Management

Disfrute el acceso completo a una plataforma moderna para la gestión de vulnerabilidades en la nube, que le permite ver y rastrear todos sus activos con una precisión inigualable. Compre una suscripción anual hoy mismo.

100 activos

Seleccione su tipo de suscripción:

Comprar ahora

Tenable Vulnerability Management

Disfrute el acceso completo a una plataforma moderna para la gestión de vulnerabilidades en la nube, que le permite ver y rastrear todos sus activos con una precisión inigualable.

Su prueba de Tenable Vulnerability Management también incluye Tenable Lumin y Tenable Web App Scanning.

Tenable Vulnerability Management

Disfrute el acceso completo a una plataforma moderna para la gestión de vulnerabilidades en la nube, que le permite ver y rastrear todos sus activos con una precisión inigualable. Compre una suscripción anual hoy mismo.

100 activos

Seleccione su tipo de suscripción:

Comprar ahora

Probar Tenable Web App Scanning

Disfrute de acceso completo a nuestra última oferta de escaneo de aplicaciones web diseñada para aplicaciones modernas como parte de la plataforma Tenable One Exposure Management. Escanee de manera segura todo su portafolio en línea para detectar vulnerabilidades con alto grado de exactitud sin el esfuerzo manual intensivo ni la interrupción de aplicaciones web críticas. Registrarse ahora.

Su prueba de Tenable Web App Scanning también incluye Tenable Vulnerability Management y Tenable Lumin.

Comprar Tenable Web App Scanning

Disfrute el acceso completo a una plataforma moderna para la gestión de vulnerabilidades en la nube, que le permite ver y rastrear todos sus activos con una precisión inigualable. Compre una suscripción anual hoy mismo.

5 FQDN

USD 3578

Comprar ahora

Probar Tenable Lumin

Visualice y explore su gestión de exposición, realice un seguimiento de la reducción de riesgos a lo largo del tiempo y compárese con sus competidores con Tenable Lumin.

Su prueba de Tenable Lumin también incluye Tenable Vulnerability Management y Tenable Web App Scanning.

Comprar ahora Tenable Lumin

Póngase en contacto con un representante de ventas para saber cómo puede ayudarle Tenable Lumin a obtener información de toda su organización y gestionar el riesgo cibernético.

Probar Tenable Nessus Professional gratuitamente

GRATIS POR 7 DÍAS

Tenable Nessus es el escáner de vulnerabilidades más completo en el mercado hoy en día.

NUEVO - Tenable Nessus Expert
Ahora disponible

Nessus Expert viene con aún más funcionalidades, incluyendo escaneo de superficie de ataque externa y la capacidad de agregar dominios y escanear infraestructura en la nube. Haga clic aquí para probar Nessus Expert.

Rellene el formulario a continuación para continuar con la prueba de Nessus Pro.

Comprar Tenable Nessus Professional

Tenable Nessus es el escáner de vulnerabilidades más completo en el mercado hoy en día. Tenable Nessus Professional ayudará a automatizar el proceso de escaneo de vulnerabilidades, ahorrará tiempo en sus ciclos de cumplimiento y le permitirá involucrar a su equipo de TI.

Compre una licencia multi anual y ahorre. Agregue Soporte Avanzado para acceder a soporte por teléfono, chat y a través de la Comunidad las 24 horas del día, los 365 días del año.

Seleccione su licencia

Compre una licencia multi anual y ahorre.

Añada soporte y capacitación

Probar Tenable Nessus Expert gratuitamente

GRATIS POR 7 DÍAS

Diseñado para la superficie de ataque moderna, Nessus Expert le permite ver más y proteger a su organización contra las vulnerabilidades, desde TI hasta la nube.

¿Ya tiene Tenable Nessus Professional?
Actualice a Nessus Expert gratuitamente por 7 días.

Comprar Tenable Nessus Expert

Diseñado para la superficie de ataque moderna, Nessus Expert le permite ver más y proteger a su organización contra las vulnerabilidades, desde TI hasta la nube.

Seleccione su licencia

Compre una licencia plurianual y ahorre más.

Añada soporte y capacitación