Fotolia

Evaluate

How can vulnerability scanning tools help with PCI DSS compliance?

Vulnerability scanning tools are necessary to be fully compliant with PCI DSS, but the tools need to come from a PCI DSS Approved Scanning Vendor. Expert Mike Chapple explains.

Mike Chapple, University of Notre Dame

My company is looking at products to help with PCI DSS compliance. How do vulnerability scanning tools like Tenable's Nessus Cloud help enterprises achieve compliance? What PCI DSS requirements do they fulfill?

Nessus Cloud is one example of a vulnerability scanning vendor that offers external scanning services as a PCI DSS Approved Scanning Vendor. These vendors perform network-based vulnerability scans of card processing environments from their data centers without any special VPN connection. This provides scan results with an attacker's eye view of an organization's network from the internet.

The full text of the requirement for vulnerability scanning tools reads:

11.2.2 Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).

While your company may meet the other internal scanning requirements of PCI DSS by using its own vulnerability scanning tools, this requirement clearly indicates that your company must use an outside vendor to perform the scans to fulfill this requirement. If your company is already using an internal scanning system that provides external scanning services, such as Nessus or Qualys, it may benefit from using the same vendor's service for external scans. This provides the operational efficiency of a single scanning platform and potential cost savings from bundling services together.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Discover the seven criteria for buying vulnerability management tools

Learn how to use the open source vulnerability scanning tool, TripWire SecureScan

Find out how to use free web app security scanning tools to bolster security

This was last published in June 2016

Dig Deeper on PCI Data Security Standard

A closer look at the changes of PCI DSS version 3.1 PCI DSS version 3.1 includes some minor updates that are far less prominent than the SSL/early TLS changes, but are equally as important. Here's a look at vulnerability scanning and POS device security changes.

How will Shellshock affect PCI DSS audits for enterprises? PCI DSS audits are sure to include a look at Shellshock mitigation. Expert Mike Chapple discusses how organizations can prepare.

Open source PCI DSS: A strategy for cheaper, easier PCI compliance Could open source security software solve PCI DSS compliance problems? Mike Chapple looks at how open source technologies can meet compliance needs.

PCI DSS: Why vulnerability assessment and penetration testing are so hard Enterprises fail to meet requirement 11 more than any other PCI DSS requirement. Expert Mike Chapple explains why and how firms can do better.

PCI 3.0 special report: Reviewing the state of payment card compliance Get an in-depth analysis of PCI DSS 3.0, an illustrated history of PCI DSS and insights on the future of enterprise payment card compliance.

PCI validation: Requirements for merchants covered by PCI DSS Mike Chapple details the PCI validation requirements for merchants covered by PCI DSS.

Related Q&A from Mike Chapple

The difference between AES and DES encryption

Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading

How to prevent DoS attacks in the enterprise

It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading

How should HIPAA covered entities respond to healthcare ransomware?

The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

SearchCloudSecurity

Benefits of using Azure Security Center for security assessments

Author Yuri Diogenes discusses how Azure Security Center helps admins achieve full cloud visibility, conduct security assessments...

Use Azure Security Center to conduct a security posture assessment

In this excerpt from Chapter 4 of Microsoft Azure Security Center, the authors outline how to use the software to ...

How container adoption affects container security

Scalability and efficiency make container adoption an attractive option for enterprises today. Learn how containerization has ...

SearchNetworking

Cisco earnings foreshadow slow down in tech spending

The latest Cisco earnings report indicated a weakening in business confidence as economic uncertainties lowered tech spending by ...

Google cloud network tools check links, firewalls, packet loss

The latest Google cloud network monitoring tools perform connectivity testing and provide firewall and performance metrics.

Benefits of network automation make life easier for IT pros

Network automation software comes with a compelling list of benefits, but IT teams should confirm which processes are automated ...

SearchCIO

Don't let edge computing security concerns derail your plans

Security concerns give many IT organizations pause when considering edge computing. But the potential problems can be overcome ...

Risk-based digital identity benefits CIOs, CMOs and customers

Asking customers to reaffirm their digital identities by sharing private information undermines CX and data security. Instead, ...

Agile practices endure and continue to adapt

As the 20th anniversary of the Agile Manifesto approaches, Agile practices remain vital to software development and are being ...

SearchEnterpriseDesktop

Project Limitless' 5G PC and what desktop admins need to know

Qualcomm and Lenovo have partnered to produce a 5G-enabeled PC that could be a game-changer for remote workers. IT must prepare ...

Jamf Protect offers visibility, protection for macOS admins

Jamf Protect, the new endpoint security software announced at JNUC 2019, provides organizations with a native macOS tool that ...

Compare Windows 10 OS editions to determine the best fit

Organizations deploying Windows 10 must choose between multiple Windows 10 OS editions. Delve into the different features that ...

SearchCloudComputing

AWS, Azure and Google peppered with outages in same week

Cloud outages hit AWS, Microsoft Azure and Google Cloud within the past week, an outcome that suggests customers must take a more...

Google to unveil post-Chronicle cloud cybersecurity plans

Google plans to discuss its cloud cybersecurity portfolio at a conference next week, with the capabilities developed by Chronicle...

Get to know popular cloud monitoring tools

With so many cloud monitoring services on the market, it can be difficult to choose. Review some of the popular tools available ...

ComputerWeekly.com

Home Office Brexit app contains multiple security flaws

The Home Office’s Brexit app may be putting EU citizens’ personal data at risk

Cyber criminals tool up for Christmas fraud season

Organised criminals are trying to cash in on the festive retail boom with both brand new and tried-and-tested techniques

Container security emerges in IT products enterprises know and trust

Established IT security vendors add containers to their repertoire, and IT pros must decide between trusted platform integration ...

How can vulnerability scanning tools help with PCI DSS compliance?