PCI Data Security Standard



Any organization that stores, processes or transmits payment cardholder data is required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This industry-led global standard specifies an array of technologies and practices required to protect cardholder data. Compliance also entails passing an annual security audit and quarterly network scan. This page provides background information about PCI DSS, explains why it is important to your organization, outlines key areas for consideration in a compliance program, and describes how solutions from Qualys help your organization to be compliant.



About the PCI Standard

The primary goal of the PCI Data Security Standard is protecting cardholder data. In-scope data includes the primary account number (PAN) and sensitive authentication data printed on or stored in a magnetic stripe or chip on the credit or debit card.


The PCI DSS is managed by the PCI Security Standards Council. Card brands incorporate the PCI DSS as part of the technical requirement for each of their data security compliance programs. They also acknowledge Qualified Security Assessors and Approved Scanning Vendors qualified by the Council to assess compliance with the PCI DSS. Your organization's card brand or acquirer may specify other requirements.



Why the PCI Standard Matters to Your Organization

It is important to protect cardholders from the fallout of a data breach. Organizations also have a self-interest in compliance, because penalties for non-compliance can be substantial. An organization could be barred from processing payment card transactions. Higher processing fees could be assessed. And for a serious breach, fines of up to $500,000 can be levied for each instance of non-compliance. Other costs will be incurred for discovery and containment, investigation of the incident, remediation expenses, attorney and legal fees, loss of customer confidence, lost sales and revenue, brand degradation, and so on. Compliance is a serious responsibility on many levels.



Considerations for a PCI DSS Compliance Program

Compliance with PCI DSS can be challenging due to the broad scope of the standard. PCI DSS really is a security framework for protecting cardholder data. The foundation is six goals and 12 requirements, which in turn provide related details of many controls and processes necessary for compliance.


Your organization's compliance program should address two issues: (1) selecting and deploying controls that meet PCI DSS requirements, and (2) providing a way to regularly audit the status of those controls to ensure continuous protection of cardholder data and ongoing compliance. Providing your card brand or acquirer with audit-quality documentation of these steps is required for compliance.



How Qualys Solutions Help Businesses Meet PCI DSS Requirements


Qualys solutions directly fulfill the standard's requirements for quarterly scanning of vulnerabilities on wired and wireless networks and in web applications. Qualys solutions also serve as a "control of controls," which means they are the crucial means for auditing a multitude of other security controls to ensure that those are operational and properly configured.


Qualys solutions touch nine of the standard's 12 requirements. Following is a summary of how three classes of requirements are met by Qualys solutions. For a detailed explanation requirement-by-requirement, see QualysGuard Coverage of PCI DSS Requirements.


Requirements Met by Qualys
Provide Network and Application Scanning

A vital component of a PCI compliance program is regular (at least quarterly) vulnerability scans of the network and web applications by an Approved Scanning Vendor (ASV). PCI DSS requires internal and external scanning of both wired and wireless networks. It also requires scanning after any significant change in the infrastructure (see Req. 11.1 and 11.2). In order to identify newly discovered vulnerabilities, Req. 6.2 requires that the solution be constantly updated with the latest vulnerability signatures. Req. 6.6 requires organizations to review public-facing web applications at least annually and after any changes.


Qualys is an Approved Scanning Vendor (ASV). The QualysGuard PCI solution provides unlimited scanning of networks and applications for vulnerabilities. It identifies all vulnerabilities from the most comprehensive knowledgebase of vulnerabilities in the security industry — and tells you how to fix them. Reports provide granular documentation of vulnerability remediation and auto-integrate with an on-line PCI "Self-Assessment Questionnaire." The solution auto-submits your organization's PCI DSS audit documentation and compliance status directly to the acquiring bank. QualysGuard PCI also connects merchants with other technology solutions to automate the collection of data needed for validation of PCI DSS compliance.

Verify Use of Required Security Controls

The deployment of PCI DSS controls will not help protect cardholder data if they are not operational. QualysGuard IT security and compliance management solutions provide businesses with audit reports that verify the presence of a multitude of required PCI DSS controls, such as:

  • Verify presence of firewalls on servers, desktops, and laptops remotely (1.4)
  • Verify vendor defaults are not used, including wireless access points (2.1, 2.1.1)
  • Verify compliance with PCI DSS configuration standards (2.2)
  • Verify that encrypted protocols are used, and unencrypted communication is disabled (2.3)
  • Verify that encryption is used on in-scope systems and that encryption keys are protected (3.4, 3.5)
  • Verify use of strong cryptographic protocols, including wireless access points (4.1, 4.1.1)
  • Verify use of anti-virus software on in-scope systems (5.2)

Discover Improper Control Configurations

The PCI DSS also requires that deployed controls be properly configured to make them as effective as possible. QualysGuard IT security and compliance management solutions can discover a variety of improper configurations, such as:

  • Discover all vulnerable systems on the network (2.2.2)
  • Discover some insecure / unnecessary functionality that is exposed to the network (2.2.4)
  • Discover missing OS and application patches and security updates (6.1)
  • Discover broad and insecure permissions, based on the user privileges database, which could permit access by users without a "need to know" (7.1)
  • Discover active default and generic accounts that could bypass required unique user IDs (8.1)
  • Discover accounts with improper authentication settings (8.2)