Service Desk
01603 554000
Office Hours
Weekdays 8:30am to 4:30pm

PCI Compliance Checks & Network Vulnerability Scanning

HomePCI Compliance Checks & Network Vulnerability Scanning
1 August 2022

What is PCI Compliance?

When your business is PCI Compliant, it means that your business adheres to certain standards laid down in the Payment Card Industry Data Security Standard – or PCI DSS. This standard has been developed and published by the five major credit card companies VISA, MasterCard, American Express, Discover, and JCB. Assuming the standard is adhered to, you can be pretty sure that when you or your staff take a card payment, the risks of having cardholder data lost or compromised are mitigated. [ See https://www.pcisecuritystandards.org/ ]

Does my business need to be PCI Compliant?

If you take card payments then you can be pretty sure you are obliged to adhere to this standard. Failing to meet the standard can result in increased card transaction fees, fines, or withdrawal of your ability to take card payments. If you have Cyber Insurance it is possible that you would not be insured against certain losses if you are not found to be maintaining standards such as the PCI DSS.

How does my business become PCI Compliant?

If you wish to become PCI Compliant then you simply need to adhere to the standards – but this is not a simple box ticking exercise. To prove your PCI Compliance you’ll have to first implement standards as the foundation of a secure system – only then can those boxes in the self-assessment questionnaire (SAQ) be ticked. PCI Compliance is further evidenced with adequate results on a vulnerability scan.

Our card processing company has sent me a questionnaire – what should I do?

If you are facing a request to prove your PCI Compliance then you’ll typically need to run a vulnerability scan and go through a checklist of standards by answering a questionnaire. It’s best to start out by checking the network is secure from attacks outside the network and then monitoring and maintaining high standards of security inside the network. If you are one of our customers our advice is to take up our vulnerability scanning service and send us a copy of the questionnaire. You do not have to use our scanning service but it is likely to save you money in the long run for the reasons described a few paragraphs below.

Are you taking network vulnerability scanning seriously?

Over the last few years the number of customers that are taking network vulnerability scans seriously has increased dramatically. We have always encouraged good security practices, but quite often the recommendations we make get lost in the mass of emails that our small business customers often have to deal with on a daily basis.

Network vulnerability scanning is a key tool in checking that you are PCI Compliant. Let us take away the pain, provide peace of mind, and run vulnerability scans from outside your network for just £59 per year plus a one off setup fee.

Vulnerability scans are an important part of the PCI Compliance landscape.

Vulnerability scanning is an important part of the PCI Compliance landscape. Quite often our customers will approach us to discuss their PCI Compliance status only when they receive a request for information from their credit card processor. This usually ends up with us behaving as the mediator between the customer and whichever organisation has asked for information about your PCI Compliance situation which typically includes a vulnerability scan from the outside of your network. Even if you do not need to be PCI Compliant, vulnerability scans are an important part of pro-active network security checks.

We can offer you a more cost effective and time effective strategy.

This approach – where the IT support provider is simply mediating between the small business and the card provider – is neither cost effective or time effective. It is far more efficient to have the IT support provider run the vulnerability scan themselves. In this way, any vulnerabilities can be addressed quickly and without the expense of time consuming and often delayed communications between the card processor and customer going via the IT provider. Assuming your vulnerability scans come back clean, we can provide you with a certificate of health, produced by our Approved Scanning Vendor partner, that your card processor should be able to accept as evidence in support of PCI compliance and good network security.

What’s included?

Our low-cost Network Vulnerability Scanning Subscription includes all of these benefits:

  • We’ll schedule a quarterly vulnerability scan of a one IP address per subscription (some customers may need one subscription per site).
  • The vulnerability scan will inspect your network from the outside world, testing to see if it can penetrate your perimeter firewall.
  • If your router supports the feature we will ‘whitelist’ the scanning systems to ensure the scans can fully complete.
  • Over 30,000 individual vulnerability tests could be run if your systems are very exposed.
  • Once a vulnerability scan is complete we’ll inspect the full scan report and send you a copy too.
  • The report will include a thorough technical explanation of what scans were performed and what vulnerabilities were detected, if any.
  • We’ll add a non-technical explanation as to how any failures can be resolved, quoting any anticipated costs.
  • If we make any changes that could change the scan results (for better or worse) then we’ll rerun the vulnerability scan at no extra cost.

How much does it cost?

We charge a setup fee of £40 plus £59 per year for the service. In the interests of clarity, this means £99 for the first year and then £59 for each subsequent year. Should you choose not to renew the service your systems would no longer be tested for vulnerabilities buy this system and so reinstating the service would once again attract the setup fee.

The Small Print

A few points to mention before you agree to this service:

  • The service must be paid for in full before your first vulnerability scan is run.
  • The service can be run against fixed IP addresses (such as the one you get from your ISP).
  • In the absence of a fixed IP address we can scan against a DNS name that resolves to a dynamic IP address.
  • If you move to a new premises or change your internet connection we will probably need to update our vulnerability scanning systems, there is no charge for this.
  • A vulnerability scan that detects vulnerabilities is likely to mean you are not PCI Compliant.
  • A vulnerability scan that detects no vulnerabilities is only part of the PCI Compliance landscape. It will in and of itself not mean you are PCI Compliant.
  • Any work required to mitigate vulnerabilities could be chargeable – but we will always let you know the likely costs are first.
  • We will not run vulnerability scans on any network that is not owned by your business.