How Does A PCI Scan Work?

Have you been asked to have PCI scanning performed? Don't be surprised: a PCI DSS vulnerability scan is required for many merchants and service providers, and it has to be repeated at least quarterly and after any significant change to the environment. PCI scanning has been around for over a decade, and more and more financial institutions are enforcing the requirement on the merchants they serve.

But how exactly does a PCI scan work? You might wonder whether someone will need to come onsite to your business location to perform the scans. They will not: PCI ASV scans (ASV stands for Approved Scanning Vendor, a company certified by the PCI Security Standards Council to run them) are conducted entirely over the Internet. This is a remote service that targets your externally reachable IP addresses and any Internet-facing web application URLs you need to have scanned. The scan attempts to identify vulnerabilities that an attacker on the Internet could find on those systems; it does not cover your internal network, which PCI DSS addresses with a separate internal scan requirement.

The Technical Details

In more technical terms, a scanning server reaches out to your target IP addresses and starts by looking for open ports. Ports are like doorways on your computer systems that can be open or closed. There are 65,535 TCP ports that could be open (listening) on a device, and an ASV scan is required to test every one of them, not just the well-known ones. ASV scans must also cover a set of commonly used UDP ports. UDP is a second transport protocol with its own 65,535-port range; because it is connectionless, an open UDP port does not announce itself the way a TCP port does, so detection is slower and less reliable and only the common ports are probed.

Once an open port is discovered, the scanner digs deeper. It sends protocol-specific probes to the port and analyzes the data that comes back. This usually reveals the specific service running on the port (an SSH server, a web server, a database) and its software version, and in many cases the operating system of the device. This phase of scanning is called fingerprinting.

With this information collected, the scanner compares the results with a database of known flaws and vulnerabilities. If a target appears to be vulnerable, the finding is noted on your report, with its severity expressed as a Common Vulnerability Scoring System (CVSS) base score. The score is what decides the outcome: under the PCI ASV Program Guide, any finding with a CVSS base score of 4.0 or higher causes the scan to fail. Because a version banner alone can mislead (a distribution may backport a security fix without changing the version string), the ASV process lets you dispute a finding by providing evidence that the flaw does not apply.
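The three steps described above (port discovery, fingerprinting, database lookup) and the CVSS 4.0 pass/fail rule, as an added example that is not part of the original article or any ASV's product. The vulnerability "database", the finding IDs and the local banner-serving target are all constructed for the example; the IDs are hypothetical placeholders, not real advisories. A real ASV scan walks all 65,535 TCP ports plus common UDP ports, whereas this scanner takes an explicit port list so that it finishes in seconds.

```python
"""Added example (not from the original article): a miniature ASV-style scanner.

Steps: TCP port probe -> banner fingerprint -> lookup in a vulnerability database,
then the ASV verdict (CVSS base score >= 4.0 fails). The database and the local
target are constructed; finding IDs are hypothetical placeholders.
"""
import re
import socket
import threading

CVSS_FAIL_THRESHOLD = 4.0  # PCI ASV Program Guide: 4.0 or higher is a failing finding

# Constructed database: (banner regex, hypothetical id, CVSS base score, title)
VULN_DB = [
    (re.compile(r"^SSH-2\.0-ExampleSSH_1\.0"), "HYPOTHETICAL-0001", 7.5,
     "ExampleSSH 1.0: hypothetical remote code execution"),
    (re.compile(r"^220 ExampleFTP 2\.1"), "HYPOTHETICAL-0002", 3.1,
     "ExampleFTP 2.1: hypothetical information disclosure"),
]


def probe(host, port, timeout=1.0):
    """TCP connect probe. Returns the banner for an open port ('' if the service
    stays silent) or None if the port is closed or filtered (refused / timed out)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except OSError:        # no banner within the timeout: open but silent
                data = b""
            return data.decode("ascii", "replace").strip()
    except OSError:
        return None


def fingerprint(banner):
    """Compare a banner with the database; returns [(id, cvss, title), ...]."""
    return [(fid, cvss, title) for rx, fid, cvss, title in VULN_DB if rx.search(banner)]


def scan(host, ports, timeout=1.0):
    """Port discovery plus fingerprinting. Returns {port: {"banner": ..., "findings": [...]}}
    for the open ports only."""
    results = {}
    for port in ports:
        banner = probe(host, port, timeout)
        if banner is not None:
            results[port] = {"banner": banner, "findings": fingerprint(banner)}
    return results


def asv_verdict(results):
    """('PASS' | 'FAIL', worst CVSS seen). FAIL if any finding reaches the threshold."""
    worst = max((cvss for r in results.values() for _, cvss, _ in r["findings"]), default=0.0)
    return ("FAIL" if worst >= CVSS_FAIL_THRESHOLD else "PASS", worst)


def start_banner_server(banner):
    """Constructed target: a localhost listener that greets every client with `banner`.
    Returns (server socket, port); close the socket to stop it."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    conn.sendall(banner.encode() + b"\r\n")
            except OSError:        # server socket closed, or a client went away
                if srv.fileno() == -1:
                    return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_banner_server("SSH-2.0-ExampleSSH_1.0")
    report = scan("127.0.0.1", [port, port + 1])   # port + 1 is almost certainly closed
    for p, r in report.items():
        print(f"{p}/tcp open  banner={r['banner']!r}")
        for fid, cvss, title in r["findings"]:
            print(f"    {fid}  CVSS {cvss}  {title}")
    print("ASV result:", asv_verdict(report))
    srv.close()
```

Note that the low-severity ExampleFTP entry (CVSS 3.1) is still reported but does not fail the scan, while a single 7.5 finding does; that threshold, not the number of findings, is what an ASV report turns on.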

PCI scans go further than looking for out-of-date software versions and operating systems, because a version banner says nothing about how a service is configured. A scan also seeks out flaws that are independent of version numbers. What does this include? A PCI scan should be able to detect built-in or default accounts and passwords on exposed services such as management interfaces and databases. A robust PCI scanning tool will also check web applications for cross-site scripting (XSS) flaws and for unvalidated parameters that could lead to SQL injection attacks. The method is the same send-and-analyze loop used for fingerprinting: the scanner submits crafted input (a known default credential pair, a parameter value containing markup or a stray quote character) and examines the response for evidence that the input was accepted or mishandled. Other checks in this category include weak or obsolete SSL/TLS configurations, expired or mismatched certificates, and directory traversal.
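The reflected-XSS and SQL-injection parameter checks just described, as an added example that is not part of the original article or any ASV's scanner. The target is a constructed local web application with one endpoint that reflects input unencoded, one that HTML-escapes it, and one that imitates an error-based SQL injection symptom; the endpoint names, parameter names and error signatures used for matching are assumptions made for the example. As with an ASV scan, the checks stop at identifying the flaw and never exploit it.

```python
"""Added example (not from the original article): detecting flaws a banner cannot show.

A canary value is injected into a web parameter and the response is inspected, the
same send-and-analyze loop used for fingerprinting. The target app, endpoint and
parameter names are constructed for the example. Detection only, no exploitation.
"""
import html
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

XSS_CANARY = "<asvxss'\">"   # carries every character a reflected XSS needs, intact
SQLI_PROBE = "'"             # an unbalanced quote provokes a database syntax error
SQL_ERROR_SIGNATURES = (     # common database error fragments (MySQL, SQL Server, SQLite, Oracle)
    "error in your sql syntax", "unclosed quotation mark",
    "sqlite3.operationalerror", "ora-00933",
)


class ConstructedApp(BaseHTTPRequestHandler):
    """Constructed target. /search reflects q raw (vulnerable), /safe HTML-escapes it,
    /item answers a quote in id with a MySQL-style error message (vulnerable)."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        params = urllib.parse.parse_qs(url.query)
        value = params.get("q", params.get("id", [""]))[0]
        if url.path == "/search":
            body = "<p>Results for %s</p>" % value
        elif url.path == "/safe":
            body = "<p>Results for %s</p>" % html.escape(value, quote=True)
        elif url.path == "/item":
            body = ("Error: You have an error in your SQL syntax" if "'" in value
                    else "<p>Item %s</p>" % html.escape(value))
        else:
            self.send_error(404)
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_):   # keep the example's output quiet
        pass


def start_app():
    """Start the constructed app on a free localhost port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), ConstructedApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(host, port, path, params):
    """GET path?params and return the response body as text."""
    conn = http.client.HTTPConnection(host, port, timeout=3)
    try:
        conn.request("GET", path + "?" + urllib.parse.urlencode(params))
        return conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()


def check_reflected_xss(host, port, path, param):
    """Vulnerable if the canary comes back byte-for-byte, i.e. without HTML encoding."""
    return XSS_CANARY in fetch(host, port, path, {param: XSS_CANARY})


def check_error_based_sqli(host, port, path, param):
    """Vulnerable if a stray quote makes the app leak a database error message."""
    body = fetch(host, port, path, {param: "1" + SQLI_PROBE}).lower()
    return any(sig in body for sig in SQL_ERROR_SIGNATURES)


if __name__ == "__main__":
    srv, port = start_app()
    for path, param, check in [("/search", "q", check_reflected_xss),
                               ("/safe", "q", check_reflected_xss),
                               ("/item", "id", check_error_based_sqli)]:
        hit = check("127.0.0.1", port, path, param)
        print(f"{path}?{param}=  {check.__name__}: {'VULNERABLE' if hit else 'not detected'}")
    srv.shutdown()
```

The canary approach is why escaping matters more than filtering: the /safe endpoint returns the same text, but with the angle brackets and quotes encoded, so the marker is absent and the check correctly reports nothing. Real scanners use many payload variants and also look for blind (time-based or out-of-band) symptoms; the single-probe form here shows the mechanism.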

With all the potential vulnerabilities that need to be investigated on your systems, you might wonder whether a PCI scan will slow down your network or disrupt your business. You shouldn't be overly concerned about this. ASV scans are required to be non-disruptive: the PCI ASV Program Guide prohibits denial-of-service tests and does not allow the scanner to exploit the flaws it finds, so the scan stops at identification. Two practical caveats are worth knowing. First, the scan does open a burst of connections to every port on every target, so a fragile or misconfigured service can still react badly; schedule your first scan for a quiet period. Second, your firewall or intrusion prevention system must not block or throttle the scanner. A scan that is interfered with cannot be used for compliance, so you will be asked to allow the ASV's source IP addresses for the duration of the scan and to confirm that any active protection was configured not to get in the way.