Certificates, Scan Reports and Other Documentation

Being thrust into the world of PCI compliance can be daunting. It often starts when your acquiring bank tells you that you need to be PCI compliant and asks you for documentation: a completed Self-Assessment Questionnaire (SAQ), quarterly PCI scan reports and possibly penetration test results. Here is a little more information to help you get started. For more general details, check out our basic guidelines page.

What is a PCI Certificate?

When you are asked to get PCI certificates, what you are really being asked to do is to show that the systems that handle cardholder data have been checked for security weaknesses. Every system component that stores, processes or transmits cardholder data must meet the Payment Card Industry Data Security Standard (PCI DSS). One part of that standard is quarterly external vulnerability scanning, and the "certificate" your bank wants is the report from such a scan. The scan must be performed by an Approved Scanning Vendor (ASV), a company certified by the PCI Security Standards Council (PCI SSC) to scan your internet-facing IP addresses and domains for exploitable vulnerabilities. Keep in mind that an ASV scan only looks at your perimeter from the outside; it does not examine internal hosts, and it is only one of the PCI DSS requirements. The PCI DSS itself is revised periodically to address old and new threats alike.

A passing scan means that the ASV found no vulnerability with a CVSS base score of 4.0 or higher, and none of the automatic-failure findings defined in the PCI SSC ASV Program Guide, on the hosts you put in scope. It does not by itself mean that your environment is secure or that you meet all of the PCI DSS requirements; it satisfies the quarterly external scanning requirement only, and only if every internet-facing address in your cardholder data environment was included in the scan. This passing scan report is what some people refer to as PCI certificates or PCI certification. Here at Server Scan, and at many other ASV scanning providers, the documents you give to your acquiring bank are called the Attestation of Scan Compliance and the Executive Summary. Server Scan also provides a detailed vulnerability report that tells you where each vulnerability is, as well as suggestions on how to fix it so that a re-scan within the quarter can pass.

That covers what PCI certificates are and what the quarterly scanning part of PCI compliance requires. Quarterly PCI scanning is a fairly simple part of the process, but there is more to PCI compliance than scanning. See our penetration testing page to learn about that requirement.

Orders in Payment Received - These orders need an initial scan (starting immediately) and quarterly recurring scans (starting 3-5 days in the future) scheduled; then move the order to Completed. See the instruction document.

Orders in Pending - Contact the customer by email to inform them that their payment failed and that their scans will be disabled in seven days if payment is not received. If no payment has arrived after seven days, confirm in the order manager that nothing was received since the reminder was sent, then do the following:

Set the recurring payment in the SS order manager to 'Suspended'.

Log in to the Scan Manager and disable their scans by going to Scan Portal > Admin > Network Assets and deleting the zone.

Log in as the user and turn off any scheduled scans by going to Checklist > Manage > Login as User > Scan Schedules and deleting any scans.

Move the order to Non Renewed (Canceled). Only move the current order in question; do not move past successful orders to Canceled.