SAINT is an approved scanning vendor for PCI

Certificate #4268-01-04

Sample PCI Reports:
  • PCI Attestation Report
  • PCI Executive Report
  • PCI Details

Payment Card Industry (PCI) Compliance

SAINT has successfully completed the PCI Scanning Vendor Compliance Testing and can therefore be used for your quarterly PCI scanning. PCI compliance requires BOTH vulnerability assessment and penetration testing. SAINT provides integrated vulnerability assessment and penetration testing, making it the ideal solution for PCI DSS version 1.2 compliance.

SAINT's vulnerability assessment reports let you see at a glance whether your network is compliant with PCI Security Standards Council requirements.

About PCI

The PCI Security Standards Council was developed by the five major credit card brands (MasterCard, VISA, American Express, Discover, and JCB) to help merchants safeguard electronic data from security breaches and to ensure the proper handling and protection of cardholder account and transaction information.

The vulnerability scanning and penetration testing requirements are found in requirement 11 (see table below)—Regularly test security systems and processes. As stated by PCI Security Standards Council, "Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software."

PCI requires BOTH vulnerability assessment and penetration testing. (Note: penetration testing is different from the internal and external vulnerability assessments required by PCI.)

  • 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
    Note: Quarterly external vulnerability scans must be performed by a scan vendor qualified by the payment card industry. Scans conducted after network changes may be performed by the company’s internal staff.

  • 11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
    • 11.3.1 Network-layer penetration tests
    • 11.3.2 Application-layer penetration tests

SAINT supports customers and ASVs with PCI DSS v1.2, Section 2.2, which requires that the configuration standards of system components be assessed against industry-accepted system hardening standards. SAINT supports the configuration benchmarks published by the National Institute of Standards and Technology (NIST).

SAINT includes authentication functionality for assessing Web application vulnerabilities, as required by PCI Requirements 6.5 and 6.6. SAINT also allows you to customize the spidering of URLs and the depth of trailing directories that should always be assessed.

  • 6.5 Verify that processes are in place to ensure that Web applications are not vulnerable to the following:
    • Web application vulnerabilities in the OWASP Top 10
  • 6.6 For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
    • Reviewing public-facing Web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
    • Installing a Web-application firewall in front of public-facing Web applications

SAINT also supports customers and ASVs with PCI DSS Requirement 5, as it relates to checking for the use and updating of anti-virus software. This capability is provided for many of today’s most popular AV products and is specifically targeted at the following requirements:

  • 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)
    • Identify whether anti-virus software is present
  • 5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.
    • Anti-virus definitions are up-to-date; anti-virus is actively running; identify the last scan date.

PCI Compliance Requirements

Build and Maintain a Secure Network
   1 Install and maintain a firewall configuration to protect cardholder data
   2 Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
   3 Protect stored cardholder data
   4 Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
   5 Use and regularly update anti-virus software
   6 Develop and maintain secure systems and applications

Implement Strong Access Control Measures
   7 Restrict access to cardholder data by business need-to-know
   8 Assign a unique ID to each person with computer access
   9 Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10 Track and monitor all access to network resources and cardholder data
  11 Regularly test security systems and processes

Maintain an Information Security Policy
  12 Maintain a policy that addresses information security