A PCI network vulnerability scan is an automated, high-level test that finds and reports potential vulnerabilities in an organization’s network.

Regardless of size, the Payment Card Industry Data Security Standard (PCI DSS) requires that all businesses run internal and external network vulnerability scans at least once every quarter and after any significant changes to their networks.

A significant change could be an upgrade or modification that may put cardholder data at risk or affect the security of the cardholder data environment. For instance, a significant change could be adding new servers, moving cardholder data to a new server, removing the system that stores cardholder data, and implementing a new system to store cardholder data.

Vulnerability scanning after significant changes should be done in a reasonable period of time. For example, if a company makes significant changes to its system the Thursday or Friday after its quarterly external scan, it should test its changes and conduct vulnerability scanning that weekend.

Importance of vulnerability scanning

The PCI DSS mandates vulnerability scanning because scans are one of the best methods to uncover potential vulnerabilities that could be exploited by malicious individuals.

External PCI network vulnerability scans look for flaws at a company’s network perimeter or website that cybercriminals could exploit to attack the network. Internal vulnerability scans look for network vulnerabilities inside the organization’s network.

Both internal and external scans should cover internal and external IP addresses such as services and ports, checking them for vulnerabilities.

PCI DSS requirement 11.2, also known as the scanning requirement, is one of the most well-known PCI DSS requirements. However, this PCI DSS requirement isn’t just about scanning network components and servers to find vulnerabilities; it’s also about remediating and changing processes to prevent future vulnerabilities. Once the weaknesses are identified, the organization corrects them and repeats the scan until all vulnerabilities have been corrected, based on criticality.   

Vulnerability scanners include different tools and scripts that check for vulnerabilities, including tools operated by approved scanning vendors (ASVs) GUI interfaces, command-line scripts, and open source technologies.

Who performs PCI network vulnerability scans?

Quarterly external scans must be performed by an ASV; however, scans conducted after network changes may be performed by the company’s internal staff.

Make sure that the ASV conducting your external scans isn’t the same person performing your quarterly internal scans. 

Although the ASV may have set up an internal vulnerability scanning tool or appliance inside the company’s network, the ASV is probably not handling the organization’s internal vulnerability scanning requirements. That’s why it makes sense for a company to ensure that someone is performing the internal scanning to ensure PCI compliance.

Internal vulnerability scanning could be done by an ASV, a qualified security professional, or a qualified employee. However, the person who performs the internal scan has to be independent of the scanned component or device.

For example, if an organization has to conduct an internal scan on its firewalls, it must select a person who doesn’t handle firewall administration to run the scans. Even if the firewall administrator is qualified, that individual is not independent of the system that’s being scanned.

A number of tools are available to help you meet the PCI internal vulnerability scan requirement, including vulnerability scanning devices and solutions. Ask your ASV for recommendations.

After the vulnerability scanning and scan report are completed, the organization is responsible for fixing any identified vulnerabilities as the company is responsible to maintain its PCI compliance.

Designated Leader, Momentum Leader, and Users Love Us

SAN FRANCISCO – September 23, 2020 – Reciprocity, the company behind ZenGRC, the industry-leading information security risk and compliance solution, today announced ZenGRC has earned three badges on the G2 Fall 2020 Grid Report. This marks the 14th consecutive quarter ZenGRC has been recognized by G2 in its quarterly report. G2 is a peer-to-peer business solutions review website, leveraging customer feedback to rank the best business software and services. In the GRC Platforms category, products are ranked by customer satisfaction and market presence on the Grid Report. The three badges awarded to ZenGRC are:

• Leader: ZenGRC was rated highly by G2 users and had substantial Satisfaction and Market Presence scores
• Momentum Leader: ZenGRC ranked in the top 25% of the GRC Platforms category
• Users Love Us: ZenGRC had at least 20 reviews with an average rating of at least 4 stars

Highlights of ZenGRC-specific customer feedback include:

• 98% of users feel ZenGRC is incredibly easy to work with
• 96% of users believe ZenGRC is going in the right direction
• 96% of users think ZenGRC support is incredible

“We are pleased to announce that ZenGRC earned three badges in the G2 Fall 2020 Grid Report. This is the fourth quarter in a row ZenGRC has earned the ‘Leader’ badge, and the third quarter in a row we’ve earned the ‘Momentum Leader’ badge. This recognition solidifies our position as a leader in the information security risk and compliance industry,” said Jordan MacAvoy, Vice President of Marketing at Reciprocity. “Earning the badge for ‘Users Love Us’ proves we are executing on our goal to deliver a business-critical tool for CISOs to effectively address their audit, risk, and compliance needs.”

For more information on the ZenGRC information security risk and compliance solution, visit www.zengrc.com

Connect with us on Twitter, LinkedIn, and Facebook 

About G2

G2, the world’s leading business solution review platform, leverages more than 680,000 user reviews to drive better purchasing decisions. Business professionals, buyers, investors, and analysts use the site to compare and select the best software and services based on peer reviews and synthesized social data. Every month, more than one million people visit G2’s site to gain unique insights. Co-founded by the founder and former executives of SaaS leaders like BigMachines (acquired by Oracle) and SteelBrick (acquired by Salesforce) and backed by more than $100 million in the capital, G2 aims to bring authenticity and transparency to the business marketplace. For more information, go to g2.com

About Reciprocity

Reciprocity’s mission is to turn corporate compliance from a cost center into a valuable strategic asset. Our ZenGRC platform simplifies the way organizations manage information security risk and compliance, and encourages transparency and trusted relationships with key stakeholders. Find out why the world’s leading companies trust ZenGRC at www.zengrc.com

Reciprocity, ZenGRC, and ZenConnect are trademarks and registered trademarks of Reciprocity in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2020 Reciprocity. All rights reserved.

Reciprocity Media Inquiries:

Kari Curto

press@reciprocity.com

(650) 504-1076