The Payment Card Industry Data Security Standard (PCI DSS) is a cornerstone for organizations that handle cardholder data. As technology and cyber threats advance, security standards must also evolve. PCI DSS version 4.0, which succeeds version 3.2.1, introduces changes that organizations must prepare for: version 3.2.1 is retired on March 31, 2024, and the remaining future-dated v4.0 requirements become mandatory on March 31, 2025.

One impactful new requirement in PCI DSS v4.0 is Requirement 11.3.1.2, which calls for authenticated internal vulnerability scans. It is a future-dated requirement: a best practice until March 31, 2025, after which it must be fully in place and will be assessed.

What is an Authenticated Vulnerability Scan?

In PCI DSS v3.2.1 (Requirement 11.2.1), merchants and service providers are required to perform quarterly internal vulnerability scans. Most organizations have satisfied this with vulnerability scanning tools configured to perform unauthenticated scans of their internal environments: the scanner probes each host from the network and infers vulnerabilities from what the listening services reveal.

With PCI DSS v4.0, those internal vulnerability scans must be authenticated. Going forward, internal scans must be performed by a scanning solution that holds credentials enabling it to log into the network resources and system components being scanned, with what the requirement calls "sufficient privileges" on the systems that accept credentials. Logging in gives the scanner a local view of each system, including installed software versions, missing patches and configuration weaknesses that an unauthenticated scan cannot identify because they are not exposed on a listening port. The external scans performed by an Approved Scanning Vendor are a separate requirement and are not changed by this.

Let's delve into what authenticated vulnerability scans entail and the real-world implications of this new requirement for your business. We've put together some tips to help you prepare for the upcoming requirement and to best reap the benefits of authenticated scans within your cardholder data environment (CDE). The more you know, the better you'll be able to secure your environment.

One note before we dive in: how you perform authenticated scanning depends heavily on the tools in use, the vendors that support them, and the technologies deployed within the CDE. Authenticated vulnerability scans can be achieved via appliance-based (network) solutions, agent-based (host) solutions or, in all likelihood, a combination of both. This blog post provides high-level, product-agnostic recommendations; it is important to understand your own scanning mechanisms and to work with their vendors to ensure that authenticated scans are properly configured.

Preparation for Authenticated Vulnerability Scans

When it comes to preparation, it's best to start now. Requirement 11.3.1.2 becomes mandatory on March 31, 2025, and you will want a successful, fully covered authenticated scan in every quarter well before then.

The Right Personnel

Engage your Approved Scanning Vendor (ASV) or a qualified employee who has organizational independence from the systems being scanned (internal scans do not have to be performed by an ASV). Ensure that they have access to a vulnerability scanning tool that supports authenticated scanning. Given the increased depth of these scans, they may need additional tools, configurations, or techniques to scan your CDE compliantly. Collaborate closely with the system owners of the various CDE systems to ensure that the appropriate scan and system configurations are in place for successful authenticated scans.

Identify Systems That Can't Support Authenticated Scans

Assess the in-scope networks and systems within your CDE to validate which can and cannot support authenticated scanning. Systems that are unable to accept credentials for authenticated scanning must be identified and documented, as Requirement 11.3.1.2 explicitly requires. Keep that list current: it is also what lets you tell a legitimately unscannable system apart from a credential failure when you review scan results.

Manage Access with Precision

Ensure that all scan solution system accounts are configured and managed compliantly. Be aware that privileged (often administrative-level) access is normally needed to perform authenticated vulnerability scans. We highly recommend working with your scan solution vendor to determine the minimum privileges required for successful authenticated scans on the various systems within your CDE. All scan-related accounts still need to be configured using the principle of least privilege! If the scan accounts can also be used for interactive login, Requirement 11.3.1.2 requires that they be managed in accordance with Requirement 8 (unique IDs, strong authentication, and removal when no longer needed).

Consider scanning tools that support the use of a key vault or PAM solution (Privileged Access Management) to assist your organization in securely managing scanning-related account credentials across a variety of systems. These tools can help implement controls such as allowing you to only enable the scanning accounts while the scan is running and then immediately disabling them once complete. They can also ease the implementation of other credential-related PCI DSS requirements such as prohibiting shared or generic accounts and the appropriate management of system/service accounts.

Optimize Scan Frequency

Consider having your team increase the scanning frequency from the minimum required cadence of once per quarter. A more frequent cadence of once per month or more may be helpful during implementation until you have gained confidence that the authenticated scanning solution is working across all in-scope systems and networks. A more frequent cadence will give you more time to identify and resolve any issues with the authenticated scans and help you achieve a compliant successful scan in each quarter.

Time Estimations

Authenticated vulnerability scans often take much longer to complete than unauthenticated scans, because the scanner logs into each host and enumerates installed software and configuration locally rather than only probing from the network. It is reasonable to expect authenticated scans to take two to three times longer than you are used to.

Keep this in mind while coordinating with CDE system owners to schedule the first authenticated scans. During your organization's implementation of authenticated scanning, it is a good idea to have additional resources available to respond should any issue arise within the CDE as a result of the deeper scans.

An approach many organizations take is to roll the implementation of authenticated scanning out gradually across production environments. This approach minimizes the risk of significant impact to the production CDE and helps administrators pinpoint areas that need to be addressed.

Prioritize Vulnerability Risk Ranking

If you don't already have one, work with your team to prepare your company's vulnerability risk ranking, as required by Requirement 6.3.1 of PCI DSS v4.0. You will need it to triage the scan results so that your team can prioritize which vulnerabilities must be remediated first; PCI DSS requires that high-risk and critical vulnerabilities (per your risk ranking) found by internal scans be resolved and confirmed by rescan.

During the Authenticated Vulnerability Scan

As with any significant scanning, we highly recommend that all CDE network and system owners are aware when the initial authenticated scanning is scheduled to be performed.

During the initial authenticated vulnerability scan, there will likely be a few (hopefully minor) hiccups. These will likely revolve around scan account authentication, credentials, and scan coverage. Ensure that the scanning tool supports event logging for authentication attempts and that it is enabled. These logs will help your team identify where the initial scan failed to authenticate and the remediation action necessary to resolve each issue.

After the Authenticated Vulnerability Scan

Once your initial authenticated vulnerability scan is completed, it is time to analyze the results.

To aid in establishing a more accurate estimate of the time necessary to complete a future scan, we recommend that the beginning and end times of the initial scan are noted. As the kinks are worked out of your authenticated scanning implementation, you will gain a more accurate understanding of the time needed to complete authenticated scanning across your CDE.

Before you dive into the scan's vulnerability findings, we recommend first reviewing the scan's event logs. Expect the first scan to identify systems and devices that the scan tool could not authenticate to. The logs from the initial scan will help identify the CDE systems where your teams need to remediate issues to facilitate a successful scan. It is also very helpful to compare your CDE system inventory against the systems reported in the completed scan report. This will narrow down any systems or devices within the CDE that are not being scanned successfully at all, as opposed to being scanned without credentials.
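As an added example of the two review steps above (checking the authentication events, then reconciling the scan against the CDE inventory), the following Python is not from the original post and does not use any vendor's real log format. The inventory, addresses and the key=value log lines are constructed for illustration; in practice you would export the inventory from your asset list and the events from your scanner. It sorts every inventoried system into one of five buckets: authenticated, failed authentication (needs remediation), not scanned at all, documented as unable to accept credentials per Requirement 11.3.1.2, or a documented exception that nevertheless authenticated (the exception list is stale). It also flags scanned hosts that are missing from the inventory.

```python
import re

# Constructed CDE inventory (hypothetical addresses and hostnames).
CDE_INVENTORY = {
    "10.10.5.10": "pos-db-01",
    "10.10.5.11": "pos-app-01",
    "10.10.5.12": "pos-app-02",
    "10.10.5.20": "cde-fw-01",
    "10.10.5.21": "legacy-hsm-01",
}

# Systems documented (Requirement 11.3.1.2) as unable to accept scan credentials.
DOCUMENTED_UNSUPPORTED = {"10.10.5.21"}

# Constructed scanner event log in a generic key=value form, not a real product's format.
SAMPLE_SCAN_LOG = """\
2024-02-10T02:00:01Z event=auth host=10.10.5.10 method=ssh result=success
2024-02-10T02:00:04Z event=auth host=10.10.5.11 method=ssh result=failure reason=permission_denied
2024-02-10T02:00:07Z event=auth host=10.10.5.20 method=ssh result=failure reason=no_credential_configured
2024-02-10T02:00:09Z event=auth host=10.10.5.21 method=snmp result=failure reason=unsupported
2024-02-10T02:00:12Z event=auth host=10.10.5.99 method=ssh result=success
2024-02-10T02:00:15Z event=plugin host=10.10.5.10 name=local_patch_check result=complete
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_scan_log(text):
    """Return {host: (result, reason)} built from the authentication events only."""
    auth = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        if fields.get("event") != "auth" or "host" not in fields:
            continue  # plugin/other events are not authentication evidence
        auth[fields["host"]] = (fields.get("result"), fields.get("reason", ""))
    return auth


def reconcile(inventory, auth_events, documented_unsupported):
    """Classify every inventoried host against the scanner's authentication events."""
    report = {
        "authenticated": [],            # credentialed scan succeeded
        "auth_failed": [],              # (host, reason): remediate credentials/config
        "not_scanned": [],              # in inventory, never touched by the scan
        "unsupported_documented": [],   # expected failure, exception on file
        "stale_exception": [],          # documented as unsupported but authenticated anyway
        "not_in_inventory": [],         # scanned hosts the inventory does not know about
    }
    for host in sorted(inventory):
        if host not in auth_events:
            report["not_scanned"].append(host)
            continue
        result, reason = auth_events[host]
        if result == "success":
            report["authenticated"].append(host)
            if host in documented_unsupported:
                report["stale_exception"].append(host)
        elif host in documented_unsupported:
            report["unsupported_documented"].append(host)
        else:
            report["auth_failed"].append((host, reason))
    report["not_in_inventory"] = sorted(set(auth_events) - set(inventory))
    return report


def coverage(report, inventory, documented_unsupported):
    """Fraction of credential-capable CDE systems that the scanner authenticated to."""
    in_scope = [h for h in inventory if h not in documented_unsupported]
    if not in_scope:
        return 1.0
    return len(report["authenticated"]) / len(in_scope)


if __name__ == "__main__":
    rep = reconcile(CDE_INVENTORY, parse_scan_log(SAMPLE_SCAN_LOG), DOCUMENTED_UNSUPPORTED)
    for bucket, hosts in rep.items():
        print(f"{bucket:24s} {hosts}")
    print(f"authenticated coverage: {coverage(rep, CDE_INVENTORY, DOCUMENTED_UNSUPPORTED):.0%}")
```

The "not_scanned" and "not_in_inventory" buckets are the ones the inventory comparison exists to catch: the first is a coverage gap the scanner will never report as a finding, and the second is an inventory gap that may also be a scoping problem. Only once "auth_failed" and "not_scanned" are empty and "stale_exception" has been reviewed does the coverage figure mean what Requirement 11.3.1.2 intends.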

Once your scans have been tuned to achieve total coverage of your CDE, it is time to dig into the scan findings. Good news! From this point forward, your organization's vulnerability management process shouldn’t be too different than what you were previously doing with unauthenticated scans.

Prioritize the remediation of discovered vulnerabilities according to your organization's risk ranking, remediate them, and then be sure to perform re-scanning in order to validate that the vulnerabilities were effectively remediated.

We are so pleased that you're preparing early for PCI DSS v4.0 compliance! Your proactive approach today will determine the resilience of your security infrastructure tomorrow. As we continue to explore the nuances of PCI DSS v4.0 in our blog series, our primary aim is to empower and guide you at every step. Together, let's champion a future where every payment card transaction is secure and every vulnerability is addressed.

Do you have questions, or are you in need of strategic insights? Give us a call at 503-697-4118 and ask for Spencer, David, or Debra, or reach out online.
