PCI DSS v3.2 requires merchants to implement a process to test for the presence of wireless access points (802.11) and run internal and external vulnerability scans at least quarterly or after any significant change in the network. Merchants who fail to meet these requirements may risk fines, damage to reputation or even legal action.
Piratica offers a quarterly PCI DSS scanning service that meets or exceeds the PCI DSS v3.2 requirements and is simple, unobtrusive and cost effective for the merchant.
What do I need to do?
- Complete the PCI DSS Authorization to Test
- We do require prepayment for the test as well as a $2,000 security deposit on the device via credit card authorization. There will be no charge as long as the device is returned per the agreement.
- We will ship you an appliance with a network cable, a power cable and a return shipping label.
- When it arrives, connect the appliance to your network and to power.
- We will complete the scans and send you a follow-up email to confirm that they’re done.
- Unplug the appliance, put it back in the box and use the pre-paid shipping label to send it back within two business days of receiving the confirmation email.
What is the cost?
- Quarterly PCI DSS vulnerability scans are $499 and include the vulnerability scan as well as a scan of nearby wireless networks to address PCI DSS v3.2 requirements 11.1 and 11.2.
What makes the Piratica approach unique?
- It’s Simple. We mail you an appliance with a power cable, a network cable and a return shipping label. You connect the power and plug the network cable into the network to be tested. We’ll notify you when the test is complete; you just unplug our device, drop it in the return packaging and send it back.
- It’s Unobtrusive. There’s no need to install agents, modify your equipment or create new rules in your firewall. Simply connect our appliance to your network / CDE and we’ll complete the tests remotely.
- It’s Cost Effective. There are no travel charges, lodging or per diem, and no on-site engineers or analysts to pay for. You’re only paying for the tests.
- It meets or exceeds the PCI DSS v3.2 Requirements for Compliance.
- All findings are reported with the Common Vulnerability Scoring System (CVSS) Base Score.
How quickly can I start?
- Scans are scheduled 30 days in advance. If you’d like to get started, complete an Authorization To Test form and we will reach out to schedule your scan.
What do I get?
- PCI Compliance Report – According to PCI DSS Requirement 11.2.1, merchants are required to “Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all ‘high risk’ vulnerabilities are resolved in accordance with the entity’s vulnerability ranking…”. You will receive a comprehensive report from the scans noting any deficiencies and including a corresponding CVSS Base Score.
- Detailed Vulnerability Scan Report – In addition to the report highlighting any High or Critical vulnerabilities, we will also include a report showing all discovered vulnerabilities.
- You will also receive a list of wireless access points (802.11) within range of our device.
Frequently Asked Questions
- Does the testing include remediation for identified deficiencies? No. We will provide a report listing the deficiencies along with detailed information for addressing them but remediation is outside of the scope of the scan. You will need to work with your internal IT department or third party IT Service Provider to remediate the vulnerabilities. If you do not have an internal IT Department or a relationship with a third party IT Service Provider, we are happy to provide a referral to one of our partners.
- After I’ve resolved the deficiencies, do I have to pay for a retest? We will provide one free follow-up scan within 30 days of the original failing scan; you just pay shipping for the appliance.
- Does the quarterly scan include the penetration test in PCI DSS Requirement 11.3.2? It does not, but we do offer a 20% discount on the cost of an annual penetration test with four consecutive quarterly scans.
- PCI DSS Requirement 6.1 requires merchants to identify security vulnerabilities using reputable outside sources. How does Piratica rank vulnerabilities? We use the CVSS v3.0 Base Score and provide detailed information about the discovered vulnerabilities so that the client can calculate the temporal and environmental score.