    PCI DSS 4.0 External Compliance Scan

    Please could I ask for some advice?

    Under PCI DSS v3.2.1 I've been completing a Level 4 SAQ, which does not require an external compliance scan of my network because all card data is collected, processed and stored by a third party. Yesterday I discovered that under the new PCI DSS v4.0, external scanning will now be a requirement for Level 4 retailers - please correct me if I'm wrong, I'd like to be!

    ClearAccept are introducing a mandatory, chargeable PCI compliance portal from 1st June (better late than never), but they are not providing a scanning service. I'm therefore looking for an Approved Scanning Vendor (ASV) that can provide a quarterly scan as cheaply as possible.

    Does anybody already use an ASV that they can recommend?

    I'd also like to understand what a scan actually entails, e.g. how it is initiated and how intrusive it is. Any wisdom would be appreciated!

    Thank you,
    John

    EDIT 01/06/24: Actually, the ClearAccept portal (provided by Worldline Payment Guard) DOES include a scanning service - although ClearAccept's FAQs do a very good job of implying otherwise!
    John Ennals
    www.tortoys.co.uk

    #2
    I used Security Metrics for many years for quarterly scans, it was pretty straightforward and they were helpful answering questions.
    https://www.harrisontelescopes.co.uk/

    Ed Harrison - Menmuir Scotland

    Comment


      #3
      Thanks Ed!
      John Ennals
      www.tortoys.co.uk

      Comment


        #4
        We use Security Metrics and complete PCI DSS V3.2.1 Self-Assessment Questionnaire A and C-VT applicable for Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced; and Merchants with Web-Based Virtual Payment Terminal - No Electronic Cardholder Data Storage.

        I contacted Security Metrics today and they advised that there is presently no mandated requirement for external vulnerability scans for Merchants meeting SAQ A and C-VT criteria for assessment.

        PCI DSS V3.2.1 is being superseded by V4.0 on 31 March 2024 and there are some significant new requirements, some of which, including external vulnerability scans for Merchants meeting the above criteria, can be considered as best practice until 31 March 2025.
        Martin
        Mantra Audio

        Comment


          #5
          Thanks Martin, that's useful. There seems to be a lot of conflicting information out there, much of it from people trying to sell their services.

          John
          John Ennals
          www.tortoys.co.uk

          Comment


            #6
            There is a Summary of Changes from PCI DSS Version 3.2.1 to 4.0 document available from the PCI Security Standards Council - see link below:
            https://www.pcisecuritystandards.org/document_library/

            You will need to register to download documents available.

            I am finding this useful to compare emerging changes to requirements detailed on a copy of our PCI DSS 3.2.1 SAQ that need to be considered for PCI DSS 4.0.
            Martin
            Mantra Audio

            Comment


              #7
              I signed up for a free trial of HackerGuardian which is on the PCI Security Standards Council ASV list. Problem is, I don't really know what I'm supposed to be scanning, or how.

              I did a scan of my own network's external IP address, and HackerGuardian couldn't even find my computer, even with the firewall disabled. Then I did a DNS scan of my website address, and it came back with 26 serious or moderate fails, none of which I understand or have the means to fix. Perhaps these are all false positives or out of scope? Who knows?

              No ClearAccept helpline available until 1st June, and I'm not expecting any wisdom from Sellerdeck about PCI DSS 4.0 any time soon.

              Sometimes I think if I just closed the website down and threw all my stock into the nearest skip, I'd be a much happier person.
              John Ennals
              www.tortoys.co.uk

              Comment


                #8
                I sympathise John, maybe it's my age but the hoops we need to jump through are way out of proportion to the reality of our modest simple business models.
                https://www.harrisontelescopes.co.uk/

                Ed Harrison - Menmuir Scotland

                Comment


                  #9
                  Martin/all,

                  I contacted Security Metrics today and they advised that there is presently no mandated requirement for external vulnerability scans for Merchants meeting SAQ A and C-VT criteria for assessment.

                  PCI DSS V3.2.1 is being superseded by V4.0 on 31 March 2024 and there are some significant new requirements, some of which, including external vulnerability scans for Merchants meeting the above criteria, can be considered as best practice until 31 March 2025.
                  There's a Security Metrics blog here which appears to contradict this: https://www.securitymetrics.com/blog...40-saq-changes. The salient bit is:

                  Because version 4.0 has a couple of new requirements, like requirements 6.4.3 and 11.6.1, and those requirements are specifically designed to protect either the i-frame from being tampered with, or designed to prevent third-party code that's being included in your page from causing security issues on the website.

                  For these new requirements, you have until 2025 before they need to be in place.

                  But when they take an existing requirement, like the ASV scan, as soon as version 3.2.1 is retired (i.e., March 2024), you can no longer do SAQ A version 3.2.1, and this requirement needs to be in place right then. If you don't already have ASV scans, SecurityMetrics can help out with this requirement.
                  So it appears that for SAQ A, scans become mandatory from April 1st (tomorrow at the time of writing).

                  Further new requirements will become mandatory in April 2025, most of which I don't understand or have the resources or knowledge to address.

                  Another thing I can't understand is why, as far as I know, Sellerdeck have not provided any warning or information about PCI DSS V4.0 despite the standard having been in existence for 2 years. The first I knew about it was when I received the email from ClearAccept on 28th March about their new SAQ portal. There's been nothing from Sellerdeck on this forum about PCI DSS compliance since 2010 as far as I can see.
                  John Ennals
                  www.tortoys.co.uk

                  Comment


                    #10
                    For an easy life I will just let Security Metrics deal with it.
                    https://www.harrisontelescopes.co.uk/

                    Ed Harrison - Menmuir Scotland

                    Comment


                      #11
                      Have to agree with John, it looks like a bit of a nightmare. The blog post from Security Metrics was informative, thank you. I was also surprised by the email from ClearAccept, especially as, in discussions when joining with them, I found it difficult to get a definitive answer on PCI DSS. I would have appreciated some advance notice from Sellerdeck on some aspect of this.

                      Comment


                        #12
                        John/all

                        The table in the link below sets out the PCI DSS SAQ 3.2.1 Types
                        https://info.securitymetrics.com/pci-saq-types

                        Originally posted by John Ennals:
                        So it appears that for SAQ A, scans become mandatory from April 1st (tomorrow at the time of writing).
                        I am relying on The New Future-Dated Requirements part of the blog that include requirements 6.4.3 and 11.6.1:
                        In addition to the above-mentioned existing PCI DSS requirements, a few requirements new to PCI DSS version 4.0 have been added to the SAQ A. Merchants performing a self-assessment using a version 4.0 SAQ are not required to validate these future-dated requirements until March 31, 2025.
                        I read this to imply that scans will not be a mandatory requirement until March 31, 2025 although it may be advisable to implement before the deadline allowing some time to resolve emerging issues.

                        It also appears that requirements 6.4.3 and 11.6.1 would not apply to SAQ A merchants who make use of a third-party iframe to perform payment capture so if the merchant’s website is configured to redirect the customer’s browser to the TPSP’s payment acceptance page, they would mark these requirements as Not Applicable.

                        So Opayo/Elavon may still be an option worth considering if ClearAccept do not offer a TPSP payment acceptance portal that is compliant with the requirements of 6.4.3 and 11.6.1 under their own (ClearAccept) Attestation of Compliance!!
                        Martin
                        Mantra Audio

                        Comment


                          #13
                          Martin,

                          Thank you for responding.

                          Originally posted by Mantra:
                          The table in the link below sets out the PCI DSS SAQ 3.2.1 Types
                          This table refers to PCI DSS V3.2.1 which I understand was finally retired at the end of March, and replaced by PCI DSS V4.0. The SAQ requirements for V4.0 are different.

                          I think the point Security Metrics are making, quoted in post #9 above, is that the ASV scan is NOT a future-dated requirement. It is an existing requirement that is simply being extended to SAQ A.

                          So Opayo/Elavon may still be an option worth considering
                          Opayo/Elavon has been removed from Sellerdeck Desktop 18.2.3 onwards, along with all other "legacy" payment methods, so it would only be an option if staying at (or rolling back to) SD 18.2.2 and remaining there forever. This is one option I have been considering.

                          Sellerdeck/ClearAccept have effectively onboarded as many of us as possible, then pulled up the gangplank before telling us that under new maritime laws, which have been around for ages but they didn't tell us about, we've got to maintain the ship ourselves and pay extra for the privilege.
                          John Ennals
                          www.tortoys.co.uk

                          Comment


                            #14
                            Thank you all for the informative input on this. I also received the emails and was not aware of it and it has blown my mind.
                            I haven't the time to start messing / sorting all of this, which as you say, we were not made aware of. I never had any such issues with Paypal card processing which I was forced to leave.
                            Jeff Nurse
                            Managing Director

                            Aerofoil Design
                            Office Design & Furniture Solutions
                            www.aerofoil.net

                            Comment


                              #15
                              We are also in the same boat and also now considering dropping back to 18.2.2 where we can use Paypal cards again. So frustrating.

                              Comment
