Introduction to vulnerability analysis and policy monitoring for the Payment Card Industry Data Security Standard (PCI DSS) with the Greenbone Security Manager.
Payment Card Industry Data Security Standard
The current version of this text can be found in the online GSM user manual at the TechDoc portal.
The PCI DSS is a security guideline for payment card transactions and is supported by the major payment systems MasterCard, Visa, AMEX, Discover and JCB.
All organizations that process card payments, store or transfer card data are required to perform compliance validation according to PCI DSS. Non-compliance or lack of validation means the risk of being fined or, ultimately, losing the ability to process payment cards.
How compliance is validated depends on the volume of card transactions. Service providers are usually classified as Level 1 Service Providers and must have their card data processing environment validated quarterly by an independent scanning vendor approved by the PCI Security Standards Council (PCI SSC). In addition, an annual on-site PCI Security Audit has to be performed by an independent Qualified Security Assessor (QSA), also approved by the PCI SSC.
The "Approved Scanning Vendor" (ASV) is a service provider that performs a vulnerability scan of the part of the card data processing environment reachable from the internet. Vulnerability scanners themselves can therefore not be classified or certified as ASVs; they are the tools an ASV uses to perform the vulnerability scan according to the approved process.
Greenbone Security Manager and PCI DSS
According to PCI DSS (Version 2.0, Requirement 11.2) two types of vulnerability scans are to be executed quarterly and after significant changes to the card data processing environment. This includes the vulnerability scan conducted by the ASV explained above and an internal scan of the card data processing environment. This latter scan may be performed by employees of the payment processing company and requires no approval by the PCI SSC.
The Greenbone Security Manager (GSM) can perform both of these scans. Its false positive management avoids the significant workload of eliminating wrong alerts by hand.
A dealer can use the GSM to check the security requirements prior to the ASV vulnerability scan in order to avoid costly re-scans.
This way, a dealer can use the GSM to continuously check for PCI compliance even between the scans performed by the ASV.
Security changes are recorded in the GSM in an audit-proof manner, so the security and compliance status can be verified for any point in time between the quarterly ASV scans.
The escalation methods can inform the external auditor as well as internal experts continuously about the security status. Summaries are sent to the responsible persons.
In the same way as the GSM periodically checks the technical aspects of other policies, it can also check system parameters against the PCI DSS policy.
A permanent background policy scan ensures that antivirus tools do not become outdated and that firewalls are not deactivated without notice. Such parameters can be monitored and escalated in the same way as software vulnerabilities.
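As an added illustration of the policy monitoring described above (example code, not GSM code and not part of the original page): a small Python evaluator over constructed host status records that flags outdated antivirus signatures, a deactivated host firewall and an overdue or change-triggered quarterly internal scan, and derives who to escalate to. The thresholds, the recipient rule and the host records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions for this example, not GSM or PCI DSS defaults.
MAX_AV_AGE_DAYS = 7        # antivirus signatures older than this count as outdated
SCAN_INTERVAL_DAYS = 90    # quarterly scan window described in the text (PCI DSS 11.2)

@dataclass
class HostStatus:
    host: str
    av_signature_date: date   # last signature update reported by the host
    firewall_enabled: bool
    last_internal_scan: date
    changed_since_scan: bool  # significant change to the environment since the last scan

def policy_findings(h: HostStatus, today: date) -> list:
    """Return the policy violations for one host as (host, severity, message) tuples."""
    findings = []
    if (today - h.av_signature_date).days > MAX_AV_AGE_DAYS:
        findings.append((h.host, "high", "antivirus signatures outdated"))
    if not h.firewall_enabled:
        findings.append((h.host, "high", "host firewall deactivated"))
    if (today - h.last_internal_scan).days > SCAN_INTERVAL_DAYS:
        findings.append((h.host, "medium", "quarterly internal scan overdue"))
    elif h.changed_since_scan:
        findings.append((h.host, "medium", "rescan required after significant change"))
    return findings

def evaluate(hosts, today: date) -> list:
    """Run the policy checks over all hosts, most severe findings first."""
    order = {"high": 0, "medium": 1}
    return sorted((f for h in hosts for f in policy_findings(h, today)),
                  key=lambda f: (order[f[1]], f[0]))

def recipients(findings) -> set:
    """Escalation rule (assumed): high severity also goes to the external auditor."""
    who = set()
    for _, severity, _ in findings:
        who.add("internal-experts")
        if severity == "high":
            who.add("external-auditor")
    return who

# Constructed sample inventory (not real hosts).
SAMPLE_TODAY = date(2024, 3, 31)
SAMPLE_HOSTS = [
    HostStatus("pos-01", date(2024, 3, 30), True, date(2024, 1, 15), False),
    HostStatus("db-01", date(2024, 3, 1), False, date(2024, 3, 20), False),
    HostStatus("web-01", date(2024, 3, 29), True, date(2023, 12, 1), True),
]
```

Calling `evaluate(SAMPLE_HOSTS, SAMPLE_TODAY)` yields two high findings for db-01 and one medium finding for web-01; pos-01 is clean.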
Advantages for the dealer:
- Permanent policy monitoring
- Flexible escalation
- "False Positive" management
- Internal and external vulnerability scanning
- Complete vulnerability analysis according to PCI DSS for internal scans
Advantages for the ASV:
- "False Positive" Management
- Static scan configuration for re-scans
- Complete vulnerability analysis according to PCI DSS for external scans via internet
- Flexible reporting framework for individual scan reports
Greenbone Networks GmbH, the vendor of the GSM, does not act as an ASV. However, among Greenbone's business partners are security consultants that also act as ASVs and can introduce the GSM into your security process.