Last June, the PCI Council substantially upped the ante on merchants who use the Internet to store or transmit credit card data. Prior to June, merchants who used the Internet (or a "public network," in the words of the Council) had to have a quarterly external ASV scan. For many smaller merchants this was no more than having an Approved Scanning Vendor (ASV) scan to the router or gateway quarterly. If a firewall was set up, most of the time the external scan never got beyond that gateway. It was required, but it really didn't necessitate a major change by the merchant.
But all that changed in June with PCI DSS 11.2.1/11.2.3 and 6.2. Now merchants must also perform a quarterly internal scan, as well as scan whenever any "significant changes" are made. Merchants are also now required to adhere more seriously to 6.2, which is about risk management: they must prioritize vulnerabilities, may not have any critical vulnerabilities, and must have a plan in place to prioritize and remediate the vulnerabilities that are found. Frankly, my experience with smaller merchants is that this is beyond their capability and represents a real game changer. Many merchants I have dealt with have found it easier to move away from Internet-connected POS and back to POTS (plain old telephone system) terminals to avoid the whole scanning requirement altogether. Setting up internal scans with scanners on-premise, remediation, network segmentation, and vulnerability management is just too hard for them.
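To make the 6.2 side of this concrete, here is an added example (my own illustration, not code from iScanOnline or from the PCI Council) of the triage step a merchant has to perform on the output of an internal scan: assign each finding a risk rank, decide whether the scan passes, and produce a prioritized remediation plan with deadlines. The hosts, check names and CVSS scores are constructed; the score-to-rank thresholds, the remediation deadlines and the treatment of out-of-scope (segmented) hosts are an assumed policy, not wording from the standard.

```python
"""Triage internal-scan findings against a PCI-style risk-ranking policy.

Added example, not iScanOnline's code. Findings are constructed; the ranking
thresholds and deadlines below are an assumed policy, not text from PCI DSS.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    host: str
    check: str       # name of the scanner check (constructed)
    cvss: float      # CVSS base score as reported by the scanner
    in_scope: bool   # host is inside the PCI scope (cardholder data environment)


# Assumed ranking policy: a CVSS base score at or above the floor gets that rank.
RANK_THRESHOLDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.0))
RANK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Assumed remediation deadlines, in days from the scan date, per rank.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Ranks that fail the scan outright (the post: no critical vulnerabilities allowed).
BLOCKING_RANKS = frozenset({"critical"})


def risk_rank(cvss: float) -> str:
    """Map a CVSS base score to the policy's risk rank."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    for rank, floor in RANK_THRESHOLDS:
        if cvss >= floor:
            return rank
    return "low"  # unreachable because the last floor is 0.0; kept for clarity


def triage(findings, scan_date: date) -> dict:
    """Rank findings, decide pass/fail, and build a prioritized remediation plan."""
    plan = []
    for f in findings:
        if not f.in_scope:
            continue  # assumed: segmented, out-of-scope hosts do not count toward the result
        rank = risk_rank(f.cvss)
        plan.append({
            "host": f.host,
            "check": f.check,
            "cvss": f.cvss,
            "rank": rank,
            "due": scan_date + timedelta(days=SLA_DAYS[rank]),
        })
    # Most severe first, then highest score, then host name for a stable order.
    plan.sort(key=lambda item: (RANK_ORDER[item["rank"]], -item["cvss"], item["host"]))
    counts = {rank: 0 for rank in RANK_ORDER}
    for item in plan:
        counts[item["rank"]] += 1
    blocking = [item for item in plan if item["rank"] in BLOCKING_RANKS]
    return {
        "passed": not blocking,
        "counts": counts,
        "plan": plan,
        "skipped_out_of_scope": sum(1 for f in findings if not f.in_scope),
    }


# Constructed sample output of an internal scan (hosts, checks and scores are invented).
SAMPLE_FINDINGS = [
    Finding("pos-register-01", "Remote code execution in POS service", 9.8, True),
    Finding("pos-register-01", "Weak TLS cipher suites enabled", 5.3, True),
    Finding("pos-register-02", "Unpatched OS component", 7.5, True),
    Finding("back-office-pc", "Outdated browser plugin", 6.1, True),
    Finding("guest-wifi-ap", "Default SNMP community string", 7.5, False),
]
DEFAULT_SCAN_DATE = date(2012, 1, 3)  # constructed scan date


def sample_result() -> dict:
    """Run the triage over the constructed sample scan."""
    return triage(SAMPLE_FINDINGS, DEFAULT_SCAN_DATE)


if __name__ == "__main__":
    result = sample_result()
    print("PASS" if result["passed"] else "FAIL", result["counts"])
    for item in result["plan"]:
        print(f'{item["rank"]:8} {item["cvss"]:4} {item["host"]:18} '
              f'{item["check"]} (due {item["due"]})')
```

The point of the example is that "prioritize and remediate" is a repeatable process, not a judgment call made per report: the same thresholds are applied to every scan, a critical finding on an in-scope host fails the scan regardless of how many low findings there are, and every item leaves the triage with an owner-readable deadline. A real deployment would take its findings from the scanner's export rather than a hard-coded list, and the threshold and deadline values should come from the merchant's own written risk-ranking policy.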
To the rescue of these merchants, two friends of mine from the security industry have started a new company that can help. iScanOnline is a cloud-based service that allows you to perform internal scans any time you like. You can run the reports and get the information and instructions you need to comply with these new PCI DSS requirements. It is as painless a solution as I have seen yet.
iScan Online is the brainchild of Billy Austin and Carl Banzhoff. Both of these guys have long histories in the security and vulnerability management space. Billy is the former CTO/CSO of SAINT Corp., makers of the Web Saint vulnerability and pen testing solution. Carl is the former CTO at Citadel Software, makers of the Hercules patching and compliance solution which was acquired by McAfee. Carl then held various roles at McAfee before leaving a few years back to go build something new again. I have had the pleasure of working with both of these guys as partners in the past and am very happy to see them back in the VM space.
What Carl and Billy have come up with is the ability to push down an agent (call it software, agent-less or whatever) onto a machine, where it performs the internal scan. It then sends the data up to iScanOnline's cloud-based, secured servers. Scans can be performed as often as you like. The collected data is then analyzed and reports are generated showing vulnerabilities, suggested remediation and compliance status. That is everything a merchant needs to comply with the PCI requirements, and it makes the merchant more secure as well.
Priced at just about $50 per machine scanned, it is within the budget of many smaller merchants that don't have $5k or $10k to shell out for a full-blown, traditional vulnerability/risk management solution. Ease of use and affordability are just what this market requires. Since most POS systems are Internet connected, this is a really important service for merchants.
Of course, iScanOnline is not alone in offering PCI scanning services. My friends at companies like Qualys, Rapid 7, nCircle, Alert Logic and Tenable Security, to name a few, all offer PCI scanning, both internal and external (BTW, the CEOs/CTOs of all of these companies are on a panel on IPv6 and vulnerability management with me at RSA Conference in Feb.). But iScanOnline is taking a different approach that I think really helps the millions of level-4 merchants who otherwise could not afford, let alone manage, a traditional vulnerability and risk solution.
If you get a chance you can check out iScanOnline for yourself. If PCI internal scanning is a challenge for you, this may be just what Santa brings you for Christmas.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from a start-up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.