5 Essential Tips For Those New To A PCI Scan

PCI scan for weaknesses

Recently we have started ASV scanning projects with a significant number of new clients. This is the PCI scan of networks that merchants and service providers need to perform.

Nothing new in that. We have been an ASV for over ten years.

What has caught our eye is what has prompted these customers to perform scans. Customers have called us asking for a single scan to get PCI compliant.

This is in response to written instructions from Acquirers.

In each case, we have spent time working with customers to confirm that regular scanning is what is needed and, more importantly, to reinforce that compliance is a great deal more than completing a single PCI scan.

If you are new to PCI, here are five important points to remember for customers starting PCI self-assessment.

1. Who needs to know?

For Merchants, the Acquirer is the obvious party. As discussed above, Acquirers will contact their Merchants to start the PCI discussion and make clear that something needs to be done. A PCI scan is one of their first requests for work.

But what about Service Providers? Normally it will be their Merchant clients asking for proof of PCI compliance: those that use the payment services to support their own business operations. A Merchant that outsources can only be PCI compliant if the services it uses have been assessed as PCI compliant.

So, understand who needs to see proof of PCI compliance: not just the organisation, but the contact points as well.

2. What do you actually need to do?

In some cases you might receive no instruction or guidance. In other cases, just generic advice that might not apply to how you actually handle payment card data. If this advice is a generic flyer, it can be confusing and can result in wasted time and money.

If your company handles card payments, it is highly likely that you are going to have to do something. What you need to do depends on how much operational responsibility you have for handling payment card data; for example, less for companies that outsource to third parties.

A good place to start is to go find the self-assessment questionnaires at the PCI standards council site here: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php

Have a good read. Time well spent.

3. Small is beautiful…

Getting PCI compliant can be made easier by reducing what needs to be assessed.

Understand where and how card payments are made. Reduce your responsibility by removing stored payment card files that are not required. Isolate the networks that handle card data using devices such as firewalls.

Make the payment network – the cardholder data environment – as small as you possibly can. The smaller it is, the less the compliance burden, and that can include a PCI scan over a much smaller area.
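As an added illustration of what "isolate networks that handle card data using devices such as firewalls" looks like in practice (this is example configuration written for this page, not the author's or any client's ruleset), the following nftables ruleset runs on a gateway between a corporate LAN and a cardholder data environment (CDE). Every address, subnet and host role in it is an assumption chosen for illustration: corporate LAN 10.10.0.0/24, CDE 10.20.0.0/24, an admin jump box at 10.10.0.5, a web tier at 10.10.0.20-21, and an external payment gateway at 203.0.113.10 (an IETF documentation address).

```nftables
# Added example ruleset (not from the original post). Assumed layout:
#   corporate LAN : 10.10.0.0/24
#   CDE           : 10.20.0.0/24   (the segment that stays in PCI scope)
#   admin jump box: 10.10.0.5      (only host allowed to SSH into the CDE)
#   payment gateway reached from the CDE over HTTPS: 203.0.113.10
flush ruleset

table inet cde_segmentation {
    # Hosts permitted to initiate HTTPS into the CDE, e.g. the web tier that
    # hands customers off to the payment application. Assumed addresses.
    set web_tier {
        type ipv4_addr
        elements = { 10.10.0.20, 10.10.0.21 }
    }

    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already accepted
        ct state established,related accept
        ct state invalid drop

        # Corporate -> CDE: only the web tier on 443, only the jump box on 22
        ip saddr @web_tier ip daddr 10.20.0.0/24 tcp dport 443 accept
        ip saddr 10.10.0.5 ip daddr 10.20.0.0/24 tcp dport 22 accept

        # CDE -> outside: only HTTPS to the payment gateway; nothing else leaves
        ip saddr 10.20.0.0/24 ip daddr 203.0.113.10 tcp dport 443 accept

        # Everything else, including traffic initiated from inside the CDE
        # towards the corporate LAN, is logged and dropped.
        log prefix "cde-seg-drop " counter drop
    }
}
```

Load it with `nft -f` on the gateway and review the `cde-seg-drop` log lines and counters to confirm that nothing legitimate is being blocked. The point of the default-deny forward chain is that only 10.20.0.0/24 and the few named flows into and out of it remain in scope for the self-assessment and the ASV scan; note that the PCI standard expects segmentation controls like these to be verified, not just configured, so keep the ruleset and the evidence of testing it together with your questionnaire.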

4. The Devil is in the detail

The PCI standard is pretty detailed and can cover a number of controls. Make sure that you have understood which is the right self-assessment questionnaire. Follow it carefully.

Treat it like a tick-box exercise at your peril. Take your time on the requirements sections. If a control is not in place, say so.

Blindly confirming all is in place (when it clearly is not) often covers cracks that are later found by hackers. This can lead to full scale data compromise and all the resulting costs and penalties.

5. Regular as clockwork

This brings us right back to the opening remarks. PCI is not a one-off exercise. You will need to keep performing the right tasks as detailed in your self-assessment questionnaire. This includes the ASV scan on a quarterly basis.

Once a year, you will need to resubmit that self-assessment questionnaire, each time confirming that it is the right document for how you take and manage payment card data.


To Summarise:

1. Understand who needs to know about your PCI compliance.

2. Know what you need to complete to confirm compliance.

3. Get your payment network and operations as tight and small as possible.

4. Don’t just tick the boxes. That is a recipe for disaster.

5. Keep going. PCI is an ongoing journey.


As I speak with people faced with PCI for the first time, I always try to impress on them why the PCI standard was developed: to reduce risk and instances of fraud, to minimise opportunities for hackers to access and use card data, and to avoid data breaches that result in serious problems for compromised Merchants and Service Providers.

Keep this in mind as you work through PCI compliance. The standard has a very real and important place in today’s business world.

