Does your business take bank card payments? If so, it should be performing a regular PCI scan to ensure data is secure.
PCI scanning is a network security check that forms part of a globally-recognised standard required for any organisations taking payments via bank or credit cards.
Why do I need to perform PCI scans?
Taking bank card payments requires the transmission of highly sensitive and valuable data. Should there be a weakness in your IT system setup, cyber criminals may be able to intercept this data without your knowledge. PCI scans aim to identify if there are areas of your IT systems that are potentially vulnerable.
The requirement for PCI scanning is set out in Requirement 11.2 of the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 (Requirement 11.3 in PCI DSS v4.0) and forms part of compliance with the standard.
The PCI standard is not a legal requirement. However, organisations taking card payments that fail to observe it leave themselves exposed. If a data breach involving payment card details occurs at your organisation, the card brands (Visa, Mastercard and so on, not the PCI Security Standards Council, which writes the standard but does not issue fines) can impose fines on your acquiring bank. If your organisation was not compliant with the PCI standard at the time, the bank can pass that fine on to you.
Alternatively, your bank may deem your organisation to be a risk to customer data and terminate your business account. This may in turn have a knock-on effect to the credit status of your organisation and your ability to trade.
When do I need to perform PCI scanning?
According to the PCI DSS, any organisation that stores, processes or transmits cardholder data, including those operating or providing Point of Sale or merchant services, must “run internal and external network vulnerability scans at least quarterly and after any significant change in the network”. So scans should be taking place regularly, not as a one-off exercise.
Scans will look for weaknesses in your IT systems setup as well as any online presence you may have.
Should a weakness be found as part of a scan, it will need to be fixed. For an external ASV scan, any vulnerability with a CVSS base score of 4.0 or higher is a failing finding, so scanning is repeated until a scan passes with no such findings.
How Akita can help
External PCI scans must be performed by a third-party Approved Scanning Vendor (ASV); internal scans may be carried out by suitably qualified staff or a provider. Akita works with Qualys, an ASV, to conduct scans, meaning that we can perform scans both for independent companies and for those whose IT infrastructure we support or host, while remaining compliant with the PCI DSS.
Our process for PCI scanning is as follows:
- Scoping of your infrastructure
- Performing PCI scan
- Reporting on results, including details of weaknesses and recommended changes and fixes
- Remedying network weaknesses (conducted at the organisation’s request)
- Rescan and repeat the process
When a passing scan is completed, an ASV scan report and Attestation of Scan Compliance will be produced, which you can supply to your acquiring bank as evidence.
To discuss PCI scanning options for your organisation, please get in touch.