Certificates, Scan Reports and Other Documentation

Being thrust into the world of PCI compliance can be daunting. This may first happen when your acquiring bank approaches you and says that you need to be PCI compliant. They will probably ask you for SAQs, quarterly PCI scanning and even penetration testing. Here is a little more information to help you get started. For more general details, check out our basic guidelines page.

What is a PCI Certificate?

When you are asked to get PCI certificates, what you are really being asked to do is to check the security of your entire system. All internet-facing devices that transfer, store or read credit card information must meet the PCI compliance standards called the PCI DSS (Payment Card Industry Data Security Standards). In order to obtain PCI certificates, you must register for external vulnerability scans from a certified ASV (Approved Scanning Vendor). These companies are certified by the PCI SSC (Payment Card Industry Security Standards Council) to check your system for exploitable vulnerabilities. The PCI DSS are constantly being changed and improved in order to prevent attacks from old and new threats alike.

When you scan your system and get a passing scan, this indicates that your environment is secure and safe for dealing with credit card data, and meets all of the PCI compliance standards. This passing scan report is what some people refer to as PCI certificates or having PCI certification. Here at Server Scan, and at many other ASV scanning providers, these scan reports are called the attestation and executive reports, and need to be given to your acquiring bank. Server Scan offers an additional detailed report that tells you where the vulnerabilities are, as well as suggestions on how to fix them in order to get a passing scan.

Now you know what PCI certificates are and you also know what that part of PCI compliance requires. The quarterly PCI scanning is a fairly simple part of the process, but there is still more you need to know. Click here to learn more about penetration testing.