How can vulnerability scanning tools help with PCI DSS compliance?

My company is looking at products to help with PCI DSS compliance. How do vulnerability scanning tools like Tenable's...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

Nessus Cloud help enterprises achieve compliance? What PCI DSS requirements do they fulfill?

Nessus Cloud is one example of a vulnerability scanning vendor that offers external scanning services as a PCI DSS Approved Scanning Vendor. These vendors perform network-based vulnerability scans of card processing environments from their data centers without any special VPN connection. This provides scan results with an attacker's eye view of an organization's network from the internet.

The full text of the requirement for vulnerability scanning tools reads:

11.2.2 Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).

While your company may meet the other internal scanning requirements of PCI DSS by using its own vulnerability scanning tools, this requirement clearly indicates that your company must use an outside vendor to perform the scans to fulfill this requirement. If your company is already using an internal scanning system that provides external scanning services, such as Nessus or Qualys, it may benefit from using the same vendor's service for external scans. This provides the operational efficiency of a single scanning platform and potential cost savings from bundling services together.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Discover the seven criteria for buying vulnerability management tools

Learn how to use the open source vulnerability scanning tool, TripWire SecureScan

Find out how to use free web app security scanning tools to bolster security

Related Resources

The Need for Cloud Computing Security Standards –SearchSecurity.com
UNDERSTANDING PCI MOBILE PAYMENT PROCESSING SECURITY GUIDELINES –SearchSecurity.com
PCI in the cloud: Compliance guide –SearchSecurity.com
E-Book: Technical Guide on PCI –SearchSecurity.com

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Next Steps

Related Resources

Dig Deeper on PCI Data Security Standard

Related Q&A from Mike Chapple

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.