What is PCI DSS?
PCI DSS is the Payment Card Industry Data Security Standard and is used to establish a security baseline for merchants who process, store or transmit payment card data. If you accept credit cards, PCI DSS applies to you.
How do the new requirements impact me?
PCI DSS v3.2 added a number of new requirements, including that the merchant test for the presence of wireless access points (11.1), that the merchant conduct quarterly internal vulnerability scans in addition to the external vulnerability scans already required (11.2), and that the merchant conduct an annual penetration test inside the CDE (11.3). One big difference between the newly required internal tests and the external tests is that the internal tests do not have to be performed by an Approved Scanning Vendor (ASV).
How can Piratica Help?
Meeting these requirements can be difficult, especially for small to medium-sized businesses that may not have internal IT staff, or whose IT staff may already be overtasked. To help organizations maintain PCI DSS compliance without breaking the bank, Piratica has developed a process to address Requirements 11.1, 11.2 and 11.3 remotely via an easy-to-deploy appliance.
What makes the Piratica approach unique?
- It’s Simple. We mail you an appliance with a power cable, a network cable and return shipping. You connect the power and connect the network cable to your network to be tested. We’ll notify you when the test is complete and you just unplug our device, drop it in the return packaging and send it back.
- It’s Unobtrusive. There’s no need to install agents, modify your equipment or create new rules in your firewall. Simply connect our appliance to your network or CDE and we’ll complete the tests remotely.
- It’s Cost-Effective. There are no travel charges, lodging or per diem, and no on-site engineers or analysts to pay for. You’re only paying for the tests.
- It meets or exceeds the PCI DSS v3.2 Requirements for Compliance.
- All findings are reported with the Common Vulnerability Scoring System (CVSS) Base Score.
Frequently Asked Questions
- Does the testing include fixing the vulnerabilities? No. We will provide a report listing the vulnerabilities along with information on addressing them, but you will need to work with your internal IT department or IT Service Provider to remediate the vulnerabilities.
- After I’ve resolved the issues, do I have to pay for a retest? We will provide one follow-up scan within 30 days of the original failing scan at no additional charge.
- Does the quarterly scan include a scan of wireless networks? Yes. The scan includes the SSID and BSSID of wireless access points in range of our appliance.