Open Source Subnet

PCI internal scan and risk management requirements met by iScan Online

New PCI DSS requirements challenge merchants on vulnerability management.

Last June, the PCI Council substantially upped the ante on merchants who use the Internet to store, process or transmit cardholder data. Before June, a merchant that used the Internet (a "public network," in the Council's words) had to have a quarterly external scan by an Approved Scanning Vendor (ASV). For many smaller merchants this amounted to an ASV scanning their router or gateway once a quarter. If a firewall was in place, the external scan usually never got beyond that gateway. It was required, but it rarely forced any real change on the merchant.

All of that changed in June with PCI DSS Requirements 11.2.1, 11.2.3 and 6.2. Merchants must now also perform a quarterly internal vulnerability scan (11.2.1), and rescan whenever a "significant change" is made to the network (11.2.3). Internal scans do not have to be run by an ASV, but they must be performed by qualified personnel and repeated until they pass. Requirement 6.2, which had only been a "best practice" until June 30, 2012, is about risk ranking: a merchant must have a process to identify newly discovered vulnerabilities and assign each a risk rank (at a minimum flagging the "high" ones), and an internal scan does not pass while any vulnerability ranked "high" under that process remains unresolved. In other words, merchants must prioritize vulnerabilities, may not leave critical ones open, and must have a plan in place to remediate what is found. Frankly, my experience with smaller merchants is that this is beyond their capability and represents a real game changer. Many merchants I have dealt with have found it easier to move away from Internet-connected POS and back to POTS (plain old telephone service) terminals to avoid the whole scanning requirement altogether. Setting up on-premise scanners for internal scans, remediation, network segmentation (which at least shrinks the scope of what has to be scanned) and vulnerability management is simply too hard for them.

To the rescue of these merchants, two friends of mine from the security industry have started a new company that can help. iScan Online is a cloud-based service that lets you perform internal scans whenever you like. You run the reports and get the information and instructions you need to comply with these new PCI DSS requirements. It is as painless a solution as I have seen yet.

iScan Online is the brainchild of Billy Austin and Carl Banzhoff. Both have long histories in the security and vulnerability management space. Billy is the former CTO/CSO of SAINT Corp., makers of the WebSAINT vulnerability and penetration testing product. Carl is the former CTO at Citadel Security Software, makers of the Hercules patching and compliance solution, which was acquired by McAfee. Carl then held various roles at McAfee before leaving a few years back to go build something new again. I have had the pleasure of working with both of them as partners in the past and am very happy to see them back in the vulnerability management space.

What Carl and Billy have built pushes a small scanning agent down to each machine (call it software, "agentless" or whatever you like; it is code that runs locally on the host), and that agent performs the internal scan. It then sends its results up to iScan Online's secured, cloud-based servers. Scans can be run as often as you like. The collected data is analyzed and reports are generated showing vulnerabilities, suggested remediation and compliance status: everything a merchant needs to comply with the PCI requirements, and to be more secure in the process. Keep in mind that the report is only the evidence; the merchant still has to fix the findings and rescan until the report shows a pass.

Priced at about $50 per machine scanned, it is within the budget of many smaller merchants that do not have $5k or $10k to spend on a full-blown, traditional vulnerability and risk management product. Ease of use and affordability are just what this market requires. Since most POS systems are now Internet-connected, this is a really important service for merchants.

Of course, iScan Online is not alone in offering PCI scanning services. My friends at companies like Qualys, Rapid7, nCircle, Alert Logic and Tenable Network Security, to name a few, all offer PCI scanning, both internal and external (by the way, the CEOs and CTOs of all of these companies are on a panel on IPv6 and vulnerability management with me at RSA Conference in February). But iScan Online is taking a different approach that I think really helps the millions of Level 4 merchants who otherwise could not afford, let alone manage, a traditional vulnerability and risk solution.

If you get a chance, check out iScan Online for yourself. If PCI internal scanning is a challenge for you, this may be just what Santa brings you for Christmas.
