
How can vulnerability scanning tools help with PCI DSS compliance?

Vulnerability scanning is necessary for full PCI DSS compliance, and the quarterly external scans must be performed by a PCI SSC Approved Scanning Vendor. Expert Mike Chapple explains.

My company is looking at products to help with PCI DSS compliance. How do vulnerability scanning tools like Tenable's Nessus Cloud help enterprises achieve compliance? What PCI DSS requirements do they fulfill?

Tenable's Nessus Cloud is one example of a vulnerability scanning service whose vendor holds PCI DSS Approved Scanning Vendor (ASV) status and offers external scanning on that basis. ASVs perform network-based vulnerability scans of the internet-facing perimeter of the cardholder data environment from their own infrastructure, with no VPN or other special connection into your network. The result is an attacker's-eye view of the organization's exposure from the internet: only what is reachable from outside is tested, which is exactly what the external scanning requirement is meant to measure.

The PCI DSS requirement that calls for external vulnerability scanning reads:

11.2.2 Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).

Your company can satisfy the internal scanning requirements of PCI DSS (the quarterly internal scans of Requirement 11.2.1 and the scans required after significant changes in 11.2.3) with its own vulnerability scanning tools, but Requirement 11.2.2 is explicit that the quarterly external scans must be performed by an outside vendor holding ASV status. Two practical points follow from the requirement. First, the scans must pass: the ASV program treats any externally visible vulnerability with a CVSS base score of 4.0 or higher as a failing finding, and 11.2.2 requires rescans until a passing scan is achieved, so leave time in each quarter for remediation and rescans. Second, the ASV needs an unobstructed view of every externally facing IP address and domain in scope, so firewalls and intrusion prevention systems must be configured not to block or throttle the ASV's scanning addresses; an ASV is required to report a scan that was blocked or interfered with rather than treat it as a pass. If your company already runs an internal scanner from a vendor that also offers an ASV service, such as Tenable's Nessus or Qualys, it may benefit from using that vendor's service for the external scans as well. This gives the operational efficiency of a single scanning platform, a single view of findings across internal and external scans, and potential cost savings from bundling services.


This was last published in June 2016
