My company is looking at products to help with PCI DSS compliance. How do vulnerability scanning tools like Tenable's Nessus Cloud help enterprises achieve compliance? What PCI DSS requirements do they fulfill?
Nessus Cloud is one example of a vulnerability scanning vendor that offers external scanning services as a PCI DSS Approved Scanning Vendor. These vendors perform network-based vulnerability scans of card processing environments from their data centers without any special VPN connection. This provides scan results with an attacker's eye view of an organization's network from the internet.
The full text of the requirement for vulnerability scanning tools reads:
11.2.2 Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
While your company may meet the other internal scanning requirements of PCI DSS by using its own vulnerability scanning tools, this requirement clearly indicates that your company must use an outside vendor to perform the scans to fulfill this requirement. If your company is already using an internal scanning system that provides external scanning services, such as Nessus or Qualys, it may benefit from using the same vendor's service for external scans. This provides the operational efficiency of a single scanning platform and potential cost savings from bundling services together.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Discover the seven criteria for buying vulnerability management tools
Learn how to use the open source vulnerability scanning tool, TripWire SecureScan
Find out how to use free web app security scanning tools to bolster security
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading