On March 31, 2022, the Payment Card Industry Security Standards Council (PCI SSC) released Version 4.0 of the PCI DSS, the most comprehensive update to the standard since version 1.0. To help ease the transition, our series of posts takes a closer look at the key new features that PCI DSS v4.0 brings. In this fourth part, we look at the new requirement for authenticated vulnerability scans.
Companies are obliged by the PCI DSS to conduct internal vulnerability scans on a quarterly basis. All servers and other systems in the PCI DSS scope are subject to scans to identify vulnerabilities in applications, operating systems and network devices. Usually, such scans are performed with a security scanner; typical providers of such tools, or even of the entire service, are, for example, Qualys or Tenable. Until now, the scanning tools have only conducted unauthenticated scans, meaning that they could not log in to the respective systems. They could therefore only send unauthenticated queries and evaluate the systems' responses.
New PCI DSS Requirement: Authenticated Vulnerability Scans
In the future, it will be necessary to provide the scanners with login data so that they can log in to the respective systems. They can thus obtain more information from the systems and hence have better opportunities to identify vulnerabilities. For example, they can directly request information on the software versions and configuration of the systems.
Requirement 11.3.1.2
The requirement is "future-dated" and will not become mandatory until April 1st, 2025.
11.3.1.2 Internal vulnerability scans are performed via authenticated scanning as follows:
- Systems that are unable to accept credentials for authenticated scanning are documented.
- Sufficient privileges are used for those systems that accept credentials for scanning.
- If accounts used for authenticated scanning can be used for interactive login, they are managed in accordance with Requirement 8.2.2.
Source: PCI DSS: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
Which Systems Are Affected?
Following a "best can" approach, authenticated vulnerability scans should be performed on all in-scope systems where it is possible to do so. It will be easiest to conduct such scans on operating systems such as Windows and Linux/Unix.
However, other systems such as network devices, security appliances, mainframes or containers often do not offer the option of passing login credentials at all. The new requirement does not apply in cases where it is not feasible.
How Does the Implementation Work?
The security scanner providers are initially responsible for the specific implementation. They must equip their scanners to conduct authenticated scans (or have already done so). The standard does not specify which components are to be scanned on the various types of systems, so best practices will have to emerge.
Next Steps
Affected organizations should take a deep look at the scanning solution they are using and evaluate whether it meets the new PCI DSS requirement for authenticated scans:
- Check if your scanning solution can handle authenticated scans
- If necessary, switch to another scanning solution that can cover as many classes of systems as possible
- Create accounts on the systems to be scanned
- Store the login data on the scanners
Important: Usually, the accounts which are used for these scans have higher privileges - on Windows systems, for example, they must be able to read the registry. Consequently, they should be considered as highly privileged and protected and controlled according to PCI DSS requirements 7 and 8.
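As an added example (not code from the original post or from any scanner vendor), the following Python audit walks a scan-target inventory and flags gaps against the three bullets of Requirement 11.3.1.2 and the credential-protection point made above. The inventory fields, the table of "sufficient" privilege levels per system class, and the way Requirement 8.2.2 controls are modelled (business justification, management approval, attribution of actions) are assumptions made for illustration; map them to your own CMDB and scanner export.

```python
"""Audit a scan-target inventory against PCI DSS v4.0 Requirement 11.3.1.2.

Constructed example. The inventory format, the field names and the privilege
table below are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed: privilege levels that count as "sufficient" for an authenticated
# scan per system class (a Windows scan account typically must read the
# registry; a Linux scan account needs root or an equivalent read-only sudo
# profile).
SUFFICIENT_PRIVILEGE = {
    "windows": {"local-admin"},
    "linux": {"root", "sudo-readonly"},
}


@dataclass
class ScanTarget:
    hostname: str
    system_type: str                      # "windows", "linux", "network-device", ...
    accepts_credentials: bool             # can the scanner log in at all?
    documented_exception: bool = False    # bullet 1: inability is documented
    scan_account: Optional[str] = None
    account_privilege: Optional[str] = None
    interactive_login_allowed: bool = False
    business_justification: bool = False  # bullet 3: Req 8.2.2 controls (assumed model)
    management_approval: bool = False
    actions_attributable: bool = False
    credential_in_vault: bool = False     # stored login data is protected (Req 7/8)


def assess(target: ScanTarget) -> List[str]:
    """Return the findings for one target; an empty list means compliant."""
    findings: List[str] = []
    if not target.accepts_credentials:
        # Bullet 1: systems that cannot take credentials must be documented.
        if not target.documented_exception:
            findings.append("cannot accept credentials and no documented exception")
        return findings
    if not target.scan_account:
        findings.append("accepts credentials but no scan account configured")
        return findings
    # Bullet 2: the scan account must hold sufficient privileges for its class.
    allowed = SUFFICIENT_PRIVILEGE.get(target.system_type, set())
    if target.account_privilege not in allowed:
        findings.append(
            f"privilege '{target.account_privilege}' insufficient for {target.system_type}"
        )
    # Bullet 3: an account that can also log in interactively falls under Req 8.2.2.
    if target.interactive_login_allowed:
        controls = (
            ("business_justification", target.business_justification),
            ("management_approval", target.management_approval),
            ("actions_attributable", target.actions_attributable),
        )
        missing = [name for name, ok in controls if not ok]
        if missing:
            findings.append(
                "interactive login allowed but Req 8.2.2 controls missing: " + ", ".join(missing)
            )
    # Privileged scan credentials stored on the scanner must be protected.
    if not target.credential_in_vault:
        findings.append("scan credentials not stored in the scanner's credential vault")
    return findings


def audit(inventory: List[ScanTarget]) -> Dict[str, List[str]]:
    """Map hostname -> findings for every non-compliant target."""
    report: Dict[str, List[str]] = {}
    for target in inventory:
        findings = assess(target)
        if findings:
            report[target.hostname] = findings
    return report


# Constructed sample inventory (hostnames and accounts are made up).
SAMPLE_INVENTORY = [
    ScanTarget("win-pos-01", "windows", True, scan_account="svc-scan",
               account_privilege="local-admin", credential_in_vault=True),
    ScanTarget("lnx-db-01", "linux", True, scan_account="svc-scan",
               account_privilege="unprivileged", credential_in_vault=True),
    ScanTarget("fw-edge-01", "network-device", False),
    ScanTarget("mf-core-01", "mainframe", False, documented_exception=True),
    ScanTarget("lnx-app-01", "linux", True, scan_account="scanadmin",
               account_privilege="root", interactive_login_allowed=True,
               business_justification=True, management_approval=False,
               actions_attributable=True, credential_in_vault=False),
]

if __name__ == "__main__":
    for host, host_findings in audit(SAMPLE_INVENTORY).items():
        print(host)
        for finding in host_findings:
            print("  -", finding)
```

Run against the sample inventory, the audit reports the Linux database host (scan account lacks privilege), the firewall (no documented exception), and the Linux application host (interactive scan account without management approval, credentials outside the vault); the Windows host and the documented mainframe exception pass.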
In this case, the implementation by the scan providers is crucial. However, customers can rely (at least with the reputable providers) on the fact that the new requirement will be implemented properly by the providers.