The Payment Card Industry Data Security Standard (PCI DSS) requires vulnerability scanning of any organization’s network assets. All companies are required to have quarterly network scans conducted by a certified third-party Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA). The recent release of PCI DSS v4.0 has brought with it revisions to this standard that are listed under Requirement 11.3.1.2: a new/evolving requirement to perform internal vulnerability scans via authenticated scanning. This requirement is a best practice until March 31, 2025.
What is authenticated scanning?
Authenticated scans, also known as “credentialed scans” or “logged-in scanning,” utilize valid accounts to log into target systems. These scans check vulnerabilities using valid account credentials (username and password). When we perform an authenticated vulnerability scan, the vulnerability scanner logs into the device and checks the system patch level, permissions, installed applications, remote registry, packages, registry key configuration, non-running kernels, Cisco configuration, and more. As a result, we get an inside view and a much deeper understanding of the system as a whole. In an authenticated scan, vulnerabilities exposed to authenticated users of the system are reported, since all hosted services can be accessed with the right credentials. We typically see fewer false positives when performing authenticated scans, and many of those “potential” vulnerabilities are converted to “confirmed” vulnerabilities. Authenticated scans also assist in more vigorous information gathering, such as the OS detected, applications running, open ports, software, antivirus, browsers detected, and much more.
How does unauthenticated scanning compare?
Unauthenticated scans, also known as “remote scans” or “non-credentialed scans,” provide an outside perspective and are run without creating any authentication record. Unauthenticated scans reveal weaknesses in the system from the public's perspective. This is how the system appears to unauthenticated users. Since the scan does not have login privileges to access the scanned target systems, it cannot detect the applications or packages installed on the devices. The scan cannot perform intrusive scanning as it is strictly against the scan policy. Therefore, an unauthenticated scan cannot detect the vulnerabilities related to the installed packages or native services on your network or host. Unauthenticated scans are typically performed for external hosts to see how the public sees your devices from the internet. However, it would be prudent to scan using authentication to get a comprehensive picture of the vulnerabilities present on the systems.
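The difference between the two views can be shown with a small added example (not part of the original article and not any scanner's real logic). It assumes a constructed host, hypothetical package names, and placeholder advisory IDs: the remote view can only flag listening services as “potential,” while the credentialed view compares installed package versions and either confirms the finding or clears it as a false positive.

```python
# Added illustration: constructed data, hypothetical package names,
# placeholder advisory IDs (not real CVEs).
from dataclasses import dataclass

def vtuple(version):
    """Parse '2.4.10' into (2, 4, 10) so 2.4.9 < 2.4.10 compares correctly."""
    return tuple(int(part) for part in version.split("."))

@dataclass
class Advisory:
    ident: str     # placeholder identifier
    package: str   # affected package
    fixed_in: str  # first version containing the fix
    port: int      # port the affected service listens on (0 = no listener)

ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplehttpd", "2.4.10", 80),
    Advisory("EXAMPLE-0002", "examplessh", "8.1.0", 22),
    Advisory("EXAMPLE-0003", "examplepdf", "1.2.0", 0),  # local library only
]

def unauthenticated_view(open_ports):
    """Remote scan: sees listening ports only, so findings stay 'potential'."""
    return {a.ident: "potential" for a in ADVISORIES if a.port in open_ports}

def authenticated_view(installed):
    """Credentialed scan: reads the package inventory and compares versions."""
    results = {}
    for a in ADVISORIES:
        have = installed.get(a.package)
        if have is not None:
            vulnerable = vtuple(have) < vtuple(a.fixed_in)
            results[a.ident] = "confirmed" if vulnerable else "patched"
    return results

def merge(remote, local):
    """Local evidence overrides remote guesses; 'patched' clears a false positive."""
    merged = {**remote, **local}
    return {ident: state for ident, state in merged.items() if state != "patched"}

# Constructed host: two listening services and a package inventory.
OPEN_PORTS = {22, 80}
INSTALLED = {"examplehttpd": "2.4.9", "examplessh": "8.2.1", "examplepdf": "1.1.3"}

if __name__ == "__main__":
    remote = unauthenticated_view(OPEN_PORTS)
    print("remote only:", remote)
    print("with creds :", merge(remote, authenticated_view(INSTALLED)))
```

On this constructed host, the remote finding for the SSH service is dropped once the installed version is known, and the local-only library finding appears only in the credentialed results.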
It is recommended that all internal assets are scanned unless there are complications with scanning. Typically, unauthenticated scans are unobtrusive. However, authenticated scans send more packets to the local host and likely detect far more vulnerabilities; it is therefore advised to perform these scans during a specified time when it is appropriate to do so, i.e., outside of business hours, if possible. It is important for your organization to collaborate with vendors to establish whether their assets on your network can be scanned as part of your third-party risk management process. Vendor devices should be scanned prior to putting them in production, and a regular scan schedule should be implemented afterward. Some devices that are known to crash with vulnerability scans include VoIP systems, printers, and certain servers and legacy devices. It is advised to always scan in a non-production environment if you are not sure about the stability of the system and to consult with the vendor, as necessary. Systems that are not able to be scanned should be segmented on the network.
In summary, it is not only advised to perform authenticated scans to give you a more comprehensive examination of your company’s systems and overall security posture, but it is now required per PCI DSS v4.0. Looking to learn more about authenticated scanning or the new requirements in the latest version of PCI DSS? The Compass IT Compliance team has served as a PCI Qualified Security Assessor (QSA) for the past decade, assisting organizations in all stages of achieving and maintaining PCI compliance. Contact us today to discuss your unique environment and challenges!