This guidance is designed for any organisation seeking to comply with the new requirement 11.3, along with its sub-requirements 11.3.2 and 11.3.2.1, introduced in PCI DSS SAQ A v4.0 while implementing PCI DSS in their environment. The suggestions outlined in this document are applicable to merchants of all sizes who are required to complete SAQ A for PCI DSS compliance.
This guidance offers valuable information for merchants who are accountable for implementing the PCI DSS requirements for their businesses. SAQ A is designed for e-commerce merchants who have outsourced their account data functions to third parties that are PCI DSS compliant. Merchants looking into the PCI DSS Report on Compliance (RoC) or the Self-Assessment Questionnaire SAQ A can discover valuable insights within this document.
The introduction of version 4.0 of the PCI DSS brings forth several new requirements that organisations will be assessed against starting from April 1, 2025. Notably, requirements 11.3.2 and 11.3.2.1 introduce significant changes to merchant compliance requirements.
In Section 11.3, it is emphasised that organisations must quickly identify and address vulnerabilities to decrease the chances of them being exploited and compromising system components or cardholder data. Regular external vulnerability scans at least every three months help in detecting and identifying these vulnerabilities.
This underscores the importance of implementing strong controls to safeguard all components involved in payment transactions.
Getting Familiar with PCI Requirements - 11.3.2: To ensure the security of cardholder data, the Payment Card Industry Data Security Standard (PCI DSS) has set forth specific measures that organisations must adhere to.
Approved Scanning Vendor (ASV) External Scans: This involves conducting regular scans of your systems to identify any security weaknesses or vulnerabilities that attackers could potentially exploit. An external vulnerability scan is performed from beyond the logical network perimeter on any Internet-facing hosts that are either located within or connected to an organisation's cardholder data environment (CDE).
By implementing ASV external scanning, you can strengthen your organisation's security measures and ensure compliance with PCI standards.
The PCI Security Standards Council maintains a comprehensive list of Approved Scanning Vendors (ASVs) who are authorised to conduct scanning services.
To find an ASV, you have several search options available. You can search by company name, product name, region, or simply browse the entire list.
Once you have identified potential ASVs, you need to consider the following four factors before making a decision:
By following these steps and conducting thorough research, you will be able to find an ASV that can help you fulfil requirement 11.3.2.1 of PCI DSS v4 for SAQ A and provide you with an ASV certified report.
When it comes to conducting an ASV scan, you don't have to worry about performing it yourself. ASVs are responsible for handling the scanning process. Once you select an ASV, they will guide you through the setup process.
You will collaborate with the ASV to define the scope of the scan. This involves specifying which systems and IP addresses should be scanned. The scope of scanning tends to be static; however, it should be reviewed regularly and validated to ensure the correct systems are scanned.
To identify the scope for external PCI scans, you need to locate all the systems and components that are accessible from the internet and handle cardholder data (CHD) or could impact the security of CHD (such as those that serve iFrames or URL redirects).
The PCI Scope outlines the particular systems, applications, and data that must adhere to PCI DSS requirements. It is essential to precisely define your PCI scope in order to guarantee comprehensive scanning coverage.
The ASV will remotely scan your external facing systems to identify any vulnerabilities that may exist.
Once the scan is complete, the ASV will provide you with a detailed report that outlines the vulnerabilities that were identified during the scan.
This ASV scan report is an important document that helps you understand the security posture of your systems. It provides valuable insights into any weaknesses that need to be addressed. Additionally, the ASV will also provide an attestation to confirm that the scan was conducted in accordance with the PCI Security Standards.
By working with an ASV and obtaining their scan report and attestation, you can ensure that your systems meet the necessary security standards and mitigate any potential risks.
After completing a scan, it is important to take action (remediate) on the identified vulnerabilities that have a CVSS score of 4.0 or higher.
It is necessary to conduct rescans as needed to verify that the vulnerabilities have been resolved.
Once the scan is complete and the report generated, the ASV will provide it to you. The report will only be deemed "certified" once the ASV confirms its validity. Collaborate with your selected ASV to guarantee that they furnish a signed attestation report together with the scan findings.
Additionally, PCI DSS Requirement 11.3.2.1 emphasises the importance of performing external vulnerability scans following any significant modifications made to your system.
Scans reveal weaknesses in your system's setup, programs, and equipment that cyber attackers could use to infiltrate your network without permission and possibly steal sensitive cardholder information.
Evaluate your network through the lens of a potential attacker: By simulating the methods that attackers might use to exploit your systems, you can effectively pinpoint and resolve any vulnerabilities before they are exploited.
Stay ahead of potential threats by proactively patching vulnerabilities. By addressing these weaknesses promptly, you can minimise the risk of falling victim to cyber-attacks.
Consistent scans offer a constant evaluation of your security measures, helping you pinpoint patterns and spots that require enhancement. This proactive strategy bolsters your overall protection. Performing regular external vulnerability scans (11.3.2) is crucial in identifying vulnerabilities within your systems that attackers can exploit, thus increasing the risk of data breaches. Neglecting to conduct these scans or failing to address the identified vulnerabilities can leave your cardholder data exposed.
Conducting routine ASV scans is mandatory for PCI DSS compliance. Acquirers act differently across regions, but non-compliance can result in fines, higher transaction charges or, in extreme cases, losing the ability to process transactions.
While PCI DSS compliance requires ASV certified scan reports to be available at least quarterly, once selected, most ASV providers do not limit the number of reports that may be generated. Even when the additional reports are not certified, carrying out the scans on a more regular basis ensures the organisation maintains awareness of the vulnerabilities it exposes to the internet.
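The remediation rule above (findings scoring CVSS 4.0 or higher must be fixed and confirmed by rescan), the post-change rescan under 11.3.2.1, and the quarterly cadence can all be tracked in one small triage script. The following is an added example written for this guide; it is not Foregenix tooling or part of any ASV product. The scan findings are constructed sample data, and the 90-day window used for "at least every three months" is an assumption made here for illustration.

```python
"""Triage of external scan findings against the PCI DSS SAQ A v4.0 requirements
described in this guide (11.3.2 and 11.3.2.1). Added example, not ASV software."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Sequence

ASV_FAIL_THRESHOLD = 4.0   # CVSS score at or above which a finding must be remediated (from the guide)
QUARTER_DAYS = 90          # assumed window for "at least every three months"


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float


def failing_findings(findings: Iterable[Finding]) -> List[Finding]:
    """Findings that block a passing ASV scan, highest CVSS first."""
    return sorted(
        (f for f in findings if f.cvss >= ASV_FAIL_THRESHOLD),
        key=lambda f: (-f.cvss, f.host, f.title),
    )


def scan_passes(findings: Iterable[Finding]) -> bool:
    """A scan passes only when no finding reaches the remediation threshold."""
    return not failing_findings(findings)


def unresolved_after_rescan(before: Sequence[Finding], after: Sequence[Finding]) -> List[Finding]:
    """Failing findings from the original scan that the rescan still reports (same host and title)."""
    open_keys = {(f.host, f.title) for f in failing_findings(before)}
    return [f for f in failing_findings(after) if (f.host, f.title) in open_keys]


def quarterly_scan_overdue(last_passing_scan: date, today: date) -> bool:
    """True when the last passing scan is older than the assumed quarterly window."""
    return (today - last_passing_scan).days > QUARTER_DAYS


def next_scan_due(last_passing_scan: date) -> date:
    """Latest date by which the next external scan should complete."""
    return last_passing_scan + timedelta(days=QUARTER_DAYS)


def rescan_required_after_change(last_scan: date, change_dates: Iterable[date]) -> bool:
    """11.3.2.1: any significant change after the last scan requires a new scan."""
    return any(change > last_scan for change in change_dates)


# Constructed sample data: a first scan of two internet-facing hosts, then the rescan
# after the two failing items were fixed. Hostnames are placeholders.
SAMPLE_BEFORE = [
    Finding("shop.example.com", "TLS 1.0 enabled", 5.3),
    Finding("shop.example.com", "Outdated web server version", 7.5),
    Finding("shop.example.com", "Missing HTTP security header", 3.1),
    Finding("cdn.example.com", "Server version disclosed in banner", 0.0),
]
SAMPLE_AFTER = [
    Finding("shop.example.com", "Missing HTTP security header", 3.1),
    Finding("cdn.example.com", "Server version disclosed in banner", 0.0),
]


def main() -> None:
    for f in failing_findings(SAMPLE_BEFORE):
        print(f"REMEDIATE {f.host}: {f.title} (CVSS {f.cvss})")
    print("initial scan passes:", scan_passes(SAMPLE_BEFORE))
    print("rescan passes:", scan_passes(SAMPLE_AFTER))
    print("still open after rescan:", unresolved_after_rescan(SAMPLE_BEFORE, SAMPLE_AFTER))
    last = date(2025, 1, 10)
    print("next scan due by:", next_scan_due(last))
    print("overdue on 2025-04-15:", quarterly_scan_overdue(last, date(2025, 4, 15)))
    print("rescan needed after change on 2025-02-01:",
          rescan_required_after_change(last, [date(2025, 2, 1)]))


if __name__ == "__main__":
    main()
```

The script deliberately keys unresolved items on host and title rather than on a vulnerability identifier, because ASV reports differ in how they label findings; when your ASV supplies stable identifiers, match on those instead so that a renamed finding is not mistaken for a fixed one.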
If you have any questions or require assistance during your selection process, the Foregenix team is available to guide you towards an informed decision. Please don't hesitate to contact us if you need help.