PCI Internal Scanning
Section 11.2 of the PCI DSS v2 reads:
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
If you are a merchant with a credit card machine connected to the internet, you are required to pass internal scans of your network quarterly and whenever network devices change. This also applies if you use your CELLULAR PHONE (a computer with a radio) to do transactions via Square Up, PayPal, Intuit, etc. You must be able to show proof of completed internal scans at your PCI audit. If you have a terminal that only gets approvals over POTS (plain old telephone service), this section doesn't apply to you.
The goal of internal scanning is to give you a robust, secure environment for your business transactions. Each of your computer systems will need firewall and antivirus software. The rules for your firewall should also be reviewed. Passwords should be strengthened and must not be the defaults provided by the manufacturer. Most difficult of all, ALL of the security patches for your operating system MUST be applied on EACH machine on your network.
To reduce the scope of the computers that must be scanned, you should have a business-grade firewall segment your network so that the credit card processing machines are separated from the rest of the network. Ideally, you would have the machines running the credit cards on a separate internet connection and network from the rest of your computers. Unfortunately, this is a rather expensive solution and does not allow for integration of other systems with the transaction information.
iXxxxx devices should be secure unless you have jailbroken your device. You should still install antivirus and firewall software. The same is true for Android devices: pick one of the many antivirus apps, install Mobiwol as your firewall app, and install X-Ray to check your Android device for security vulnerabilities.
Your PCs connected to the network are a more complicated matter. First you need updated antivirus and firewall software. Next, an internal scan of each computer for security, PAN (primary account number) storage and PCI compliance must be done. The security scan checks for outdated and unpatched software. The PAN scan checks for credit card numbers stored on the computer. The PCI compliance scan goes through the checklist to verify compliance.
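To show what the PAN scan step actually does when it looks for card numbers on a machine, here is an added example (not Agape's tool or any product's code). It assumes a small issuer prefix table built from public IIN ranges, runs over a constructed text sample made of published test card numbers and junk, and reports each hit masked to the first six and last four digits.

```python
import re

# Candidate PAN: 13-19 digits, optionally split by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefixes and valid lengths (assumed from public IIN ranges; a production scanner uses a maintained table).
BRANDS = {
    "Visa": (re.compile(r"4"), {13, 16, 19}),
    "Mastercard": (re.compile(r"5[1-5]|222[1-9]|22[3-9]\d|2[3-6]\d\d|27[01]\d|2720"), {16}),
    "American Express": (re.compile(r"3[47]"), {15}),
    "Discover": (re.compile(r"6011|65"), {16, 19}),
}

# Constructed sample of an exported receipts file: published test card numbers and junk, no real cardholder data.
SAMPLE_TEXT = """order 2023-00017 visa 4111 1111 1111 1111 exp 12/25
refund mastercard 5555-5555-5555-4444
amex 378282246310005
phone 555-0100-1234567
tracking 4111111111111112 invoice 1234567890123
"""

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: the first filter every PAN scanner applies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand_of(digits: str):
    """Return the issuer name if prefix and length both fit, else None."""
    for name, (prefix, lengths) in BRANDS.items():
        if prefix.match(digits) and len(digits) in lengths:
            return name
    return None

def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str):
    """Return (masked PAN, brand) for each Luhn-valid, brand-matching candidate."""
    findings = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        brand = brand_of(digits)
        if luhn_valid(digits) and brand:   # the phone number passes Luhn but has no matching brand/length
            findings.append((mask_pan(digits), brand))
    return findings
```

Running `find_pans(SAMPLE_TEXT)` reports the three test cards and ignores the Luhn-invalid tracking number, the 13-digit invoice number, and the 14-digit phone number that happens to pass Luhn but matches no issuer length.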
Once you have passed the scans, it's time to fill out the checklist (if you can understand it).
Agape Information Technology can help you complete the internal scanning and the PCI compliance checklist. We use a cloud-based internal security scanning service that provides us with unlimited scans on a per-device basis for a low annual fee. Bringing your systems into compliance will be billed at our standard hourly rates, and we will fill out the compliance checklist for you to review and submit.
Give us a call and we can get together to talk about what you need to do.