This guidance is designed for any organisation seeking to comply with requirement 11.3, along with its sub-requirements 11.3.2 and 11.3.2.1, introduced in PCI DSS SAQ A v4.0, while implementing PCI DSS in their environment. The suggestions outlined in this document are applicable to merchants of all sizes who are required to complete SAQ A for PCI DSS compliance.
This guidance offers valuable information for merchants who are accountable for implementing the PCI DSS requirements for their businesses. SAQ A is designed for e-commerce merchants who have outsourced their account data functions to third parties that are PCI DSS compliant. Merchants looking into the PCI DSS Report on Compliance (RoC) or Self-Assessment Questionnaire A (SAQ A) can discover valuable insights within this document.
Introduction of new requirements (11.3.2 and 11.3.2.1) for PCI DSS v4.0
The introduction of version 4.0 of the PCI DSS brings forth several new requirements that organisations will be assessed against starting from April 1, 2025. Notably, requirements 11.3.2 and 11.3.2.1 introduce significant changes related to merchant compliance requirements.
In Section 11.3, it is emphasised that organisations must quickly identify and address vulnerabilities to decrease the chances of them being exploited and compromising system components or cardholder data. Regular external vulnerability scans at least every three months help in detecting and identifying these vulnerabilities.
This underscores the importance of implementing strong controls to safeguard all components involved in payment transactions.
Requirements 11.3.2 and 11.3.2.1 from PCI DSS v4.0
11.3 External and internal vulnerabilities are regularly identified, prioritised, and addressed.
Getting Familiar with PCI Requirement 11.3.2: To ensure the security of cardholder data, the Payment Card Industry Data Security Standard (PCI DSS) has set forth specific measures that organisations must adhere to.
Approved Scanning Vendor (ASV) External Scans: This involves conducting regular scans of your systems to identify any security weaknesses or vulnerabilities that attackers could potentially exploit. An external vulnerability scan is performed from beyond the logical network perimeter on any Internet-facing hosts that are either located within or connected to an organisation's cardholder data environment (CDE).
By implementing ASV external scanning, you can strengthen your organisation's security measures and ensure compliance with PCI standards.
Where and how to find an ASV Vendor
The PCI Security Standards Council maintains a comprehensive list of Approved Scanning Vendors (ASVs) who are authorised to conduct scanning services.
To find an ASV, you have several search options available. You can search by company name, product name, region, or simply browse the entire list.
Once you have identified potential ASVs, you need to consider the following four factors before making a decision:
- Expertise and Experience: Look for ASVs that have extensive experience in conducting vulnerability scans and are knowledgeable about PCI DSS requirements. They should have a good understanding of your specific SAQ A requirements.
- Certifications: Ensure that the ASV you choose is certified by the PCI SSC. This certification ensures that they have met the necessary standards and are qualified to perform the required scans.
- Cost: Consider the cost of the scanning services offered by different ASVs. It is important to find a balance between cost and quality to ensure that you are getting value for your money.
- Reporting: Inquire about the reporting process and the format of the ASV-certified report. Make sure that the ASV provides a comprehensive report that meets the requirements of PCI DSS v4 SAQ A.
By following these steps and conducting thorough research, you will be able to find an ASV that can help you fulfil requirement 11.3.2.1 of PCI DSS v4 for SAQ A and provide you with an ASV-certified report.
When it comes to conducting an ASV scan, you don't have to worry about performing it yourself. ASVs are responsible for handling the scanning process. Once you select an ASV, they will guide you through the setup process.
Here's how an ASV Scan typically works:
Step 1 - Scope Definition for an ASV Scan:
You will collaborate with the ASV to define the scope of the scan. This involves specifying which systems and IP addresses should be scanned. The scope of scanning tends to be static; however, it should be reviewed regularly and validated to ensure the correct systems are scanned.
What to Include in the PCI External ASV Scans Scope:
To identify the scope for external PCI scans, you need to locate all the systems and components that are accessible from the internet and handle cardholder data (CHD) or could impact the security of CHD (such as those that serve iFrames or URL redirects).
- Systems Accessible via the Internet: This is the main area of concern. It is essential to conduct scans on all devices with public IP addresses or those accessible from the internet. This encompasses web servers, application servers, firewalls, routers, and Intrusion Prevention Systems (IPS).
- Systems that are connected to the CDE using public IP addresses are all considered within scope, regardless of whether they handle CHD directly or not. Any vulnerability on these systems could potentially be used to breach the CDE.
- URL Scanning: If your organisation operates a public web application that handles cardholder data (CHD), it is crucial to scan the URLs linked to that application. The ASV scan should have the capability to detect any vulnerabilities present in the web application itself.
The PCI Scope outlines the particular systems, applications, and data that must adhere to PCI DSS requirements. It is essential to precisely define your PCI scope in order to guarantee comprehensive scanning coverage.
Step 2 - Scan Execution:
The ASV will remotely scan your external facing systems to identify any vulnerabilities that may exist.
Step 3 - Report Generation:
Once the scan is complete, the ASV will provide you with a detailed report that outlines the vulnerabilities that were identified during the scan.
This ASV scan report is an important document that helps you understand the security posture of your systems. It provides valuable insights into any weaknesses that need to be addressed. Additionally, the ASV will also provide an attestation to confirm that the scan was conducted in accordance with the PCI Security Standards.
By working with an ASV and obtaining their scan report and attestation, you can ensure that your systems meet the necessary security standards and mitigate any potential risks.
The ASV scan report usually consists of:
- Executive Summary: A concise summary of the scan findings.
- Vulnerability Details: An inventory of vulnerabilities that have been identified, along with descriptions, severity levels (critical, high, medium, low), and potential impact.
- Remediation Recommendations: Proposed steps to resolve each vulnerability.
Step 4 - Remediation of vulnerabilities:
After completing a scan, it is important to take action (remediate) on the identified vulnerabilities that have a CVSS score of 4.0 or higher.
Step 5 - Re-scan:
It is necessary to conduct rescans as needed to verify that the vulnerabilities have been resolved.
Step 6 - Obtaining the Certified Report:
Once the scan is complete and the report has been generated, the ASV will provide it to you. The report will only be deemed "certified" once the ASV confirms its validity. Collaborate with your selected ASV to guarantee that they furnish a signed attestation report together with the scan findings.
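As an added illustration of Steps 1, 4 and 5 (not part of the original guidance, and not any ASV's own tooling), the following Python sketch triages constructed scan findings against the CVSS 4.0 failing threshold stated above and checks that every in-scope host was actually covered before a rescan is treated as passing. Hostnames and finding titles are constructed placeholders.

```python
from dataclasses import dataclass

FAIL_THRESHOLD = 4.0  # CVSS score at or above which a finding fails an ASV scan


@dataclass(frozen=True)
class Finding:
    host: str    # Internet-facing host within the ASV scan scope
    title: str   # finding title as an ASV report would list it (constructed here)
    cvss: float  # CVSS base score reported by the ASV


def severity(cvss):
    """Map a CVSS score to the severity bands used in ASV reports."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def failing_findings(findings):
    """Findings that must be remediated (Step 4) before the scan can pass."""
    return [f for f in findings if f.cvss >= FAIL_THRESHOLD]


def remediation_plan(findings):
    """Per-host list of failing findings, most severe first."""
    plan = {}
    for f in sorted(failing_findings(findings), key=lambda f: -f.cvss):
        plan.setdefault(f.host, []).append((severity(f.cvss), f.title))
    return plan


def scan_passes(scope_hosts, scanned_hosts, findings):
    """Pass only if every in-scope host was scanned (Step 1 validation)
    and no finding at or above the threshold remains (Steps 4 and 5)."""
    unscanned = sorted(set(scope_hosts) - set(scanned_hosts))
    return not unscanned and not failing_findings(findings), unscanned


# Constructed sample data: the initial scan and the rescan after remediation.
SCOPE = ["shop.example.com", "redirect.example.com"]
INITIAL = [
    Finding("shop.example.com", "TLS 1.0 enabled", 6.5),
    Finding("shop.example.com", "Missing HSTS header", 3.1),
    Finding("redirect.example.com", "Outdated web server", 7.5),
]
RESCAN = [Finding("shop.example.com", "Missing HSTS header", 3.1)]
```

A host that sits in scope but is missing from the scanned set causes a failure even when no findings remain, which is the scope-validation check Step 1 asks for.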
Additionally, PCI DSS Requirement 11.3.2.1 emphasises the importance of performing external vulnerability scans following any significant modifications made to your system.
Risks mitigated by external vulnerability scanning:
Discovering Vulnerabilities:
Scans reveal weaknesses in your system's setup, programs, and equipment that cyber attackers could use to infiltrate your network without permission and possibly steal sensitive cardholder information.
Evaluate your network through the lens of a potential attacker: By simulating the methods that attackers might use to exploit your systems, you can effectively pinpoint and resolve any vulnerabilities before they are exploited.
Proactive patching:
Stay ahead of potential threats by proactively patching vulnerabilities. By addressing these weaknesses promptly, you can minimise the risk of falling victim to cyber-attacks.
Enhance Security Measures:
Consistent scans offer a constant evaluation of your security measures, helping you pinpoint patterns and spots that require enhancement. This proactive strategy bolsters your overall protection. Performing regular external vulnerability scans (11.3.2) is crucial in identifying vulnerabilities within your systems that attackers can exploit, thus increasing the risk of data breaches. Neglecting to conduct these scans or failing to address the identified vulnerabilities can leave your cardholder data exposed.
Non-compliance with applicable standards:
Conducting routine ASV scans is mandatory for PCI DSS compliance. Acquirers' approaches vary by region, but non-compliance can result in fines, higher transaction charges or, in extreme cases, losing the ability to process transactions.
Foregenix recommendations
While PCI DSS compliance requires ASV-certified scan reports to be available at least quarterly, once selected, most ASV providers do not limit the number of reports that may be generated. Even when the reports are not being certified, carrying out the scans on a more regular basis ensures the organisation maintains awareness of the vulnerabilities that are exposed to the internet.
If you have any questions or require assistance during your selection process, the Foregenix team is available to guide you towards an informed decision. Please don't hesitate to contact us if you need help.