An effective and enabling item in a QSA's toolbox.
There’s no getting around the fact that card scanning often forms a key part of any Payment Card Industry (PCI) engagement and is a vital part of how Qualified Security Assessors (QSAs) assess an organisation against the PCI standard. Card scanning also works hand-in-hand with a QSA’s manual work (such as reviewing documentation and conducting interviews) to help them identify areas of risk.
In this article, we’ve taken a look through some of the key benefits of card scanning as part of any PCI engagement.
Confirm and validate scope
As one of the first steps for a QSA, it’s important to confirm and validate compliance scope within a clearly defined cardholder data environment (CDE). Cardholder data scanning can assist a QSA in this aspect of a PCI engagement, automating the manual effort spent trawling through thousands of different data locations, scattered across a hundred different servers located in hard-to-find places throughout an organisation. It can help show that your development environment doesn’t suddenly need to be part of the CDE, or that you’re not storing any unprotected cardholder data “over there”.
But before a QSA can get their teeth into any investigation, they need to know where to start – because if you don’t know where to look, it’s going to be like trying to find one needle across a never-ending number of haystacks.
This is where Quasar Scan comes in. Quasar Scan’s specially designed Card Scanning as a Service (CSaaS) model allows QSAs and other partners to target the scope of their cardholder data environment and identify where cardholder data is stored – all of which allows organisations to focus on compliance and security effectively.
If we return to the needle-in-a-haystack analogy, confirming and validating scope not only reduces the number of haystacks, but also reduces the size of each haystack.
Furthermore, knowing and understanding scope saves both time and effort, while freeing up QSAs to tackle those valuable issues that require human analysis and intervention. Quasar Scan’s CSaaS model means QSAs don’t have to spend hours slogging through databases with a fine-tooth comb as its discovery systems are more effective and targeted than the human eye.
Highlight problem areas instantly
Once the expected scope is confirmed, it’s important to understand how cardholder data actually flows within an environment. Being able to accurately examine the flow of data helps organisations to achieve compliance and stop areas of ongoing vulnerabilities along the way – all of which can help reduce exposure to malicious actors intent on gaining access to confidential and valuable data.
For example, you might observe under-trained customer service agents mixing credit card data with personal data, such as addresses and driver’s licence numbers. You might have agents saving data in the wrong place, or leaving a paper trail that can be easily spotted and accessed – and the scary thing is, you often won’t see the potential security impact of this until you’ve examined the entire flow of data!
Understanding the root cause of cardholder data storage could tell an organisation that it needs to spend more time on training, or it could make it aware that data handling practices are outdated and need to be documented and updated in a certain way.
In an industry where false positives are a big problem, Quasar Scan has developed its own proprietary weighted scoring system that places control in the hands of the analyst and lets the user fine-tune scanning in a way that suits a particular environment’s requirements. As a flow-on effect of this, identifying problem areas can help optimise evidence collection during a PCI engagement, with these areas highlighting the key interviews and documentation that need to be looked at.
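To make the false-positive problem concrete, here is an added example that is not Quasar Scan’s code and not its proprietary scoring system: a small Python cardholder-data discovery routine of the kind a QSA might use to sanity-check a file share or database export. It finds runs of 13 to 19 digits, discards anything that fails the Luhn check (which rules out most order, tracking and phone numbers), identifies the brand from the leading digits, and then weights the result by keywords found near the candidate. The keyword list, the weights, the 50-point threshold and the sample text are all constructed assumptions for illustration; the card numbers in the sample are the publicly documented brand test numbers, not real cardholder data.

```python
"""Illustrative cardholder-data discovery: regex candidates, Luhn validation,
issuer prefix check and keyword-weighted confidence scoring.

The keyword weights and threshold below are assumptions made for this example;
a production scanner would tune them per environment, as the article describes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 13 to 19 digits, optionally grouped by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
WORD_RE = re.compile(r"[a-z]+")
CONTEXT_CHARS = 40  # characters inspected on each side of a candidate

# Assumed weights: words that usually accompany a real PAN raise confidence,
# words that mark other kinds of long numbers lower it.
CONTEXT_WEIGHTS = {
    "card": 20, "pan": 20, "cvv": 25, "cvc": 25, "exp": 15, "expiry": 15,
    "visa": 15, "mastercard": 15, "amex": 15,
    "order": -25, "invoice": -25, "tracking": -30, "phone": -30,
    "imei": -30, "account": -10, "ref": -15,
}


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    issuer: Optional[str]
    score: int


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_for(digits: str) -> Optional[str]:
    """Coarse brand identification from leading digits and length."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 15 and two in (34, 37):
        return "Amex"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "Mastercard"
    if n == 16 and (digits.startswith("6011") or two == 65):
        return "Discover"
    return None


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def score_candidate(digits: str, context: str) -> int:
    """Weighted confidence from 0 to 100; only Luhn-valid candidates reach here."""
    score = 40
    if issuer_for(digits):
        score += 30
    words = set(WORD_RE.findall(context.lower()))
    score += sum(CONTEXT_WEIGHTS.get(w, 0) for w in words)
    return max(0, min(100, score))


def scan_text(text: str) -> List[Finding]:
    """Return every Luhn-valid candidate with its brand and confidence score."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue  # rules out most tracking, order and phone numbers
            context = line[max(0, m.start() - CONTEXT_CHARS): m.end() + CONTEXT_CHARS]
            findings.append(Finding(line_no, mask_pan(digits), issuer_for(digits),
                                    score_candidate(digits, context)))
    return findings


def high_confidence(text: str, threshold: int = 50) -> List[Finding]:
    """Findings an analyst would look at first; the threshold is an assumption."""
    return [f for f in scan_text(text) if f.score >= threshold]


# Constructed sample: brand test numbers plus a made-up tracking number, not real data.
SAMPLE_TEXT = """\
Customer note: paid by card 4111 1111 1111 1111 exp 12/26 cvv 123
Order ref 5555555555554444 shipped via courier
Phone: 0412 345 678, tracking 1234567890123456
Amex ending 378282246310005 retained for refund
Account id 4111111111111112 (no card)
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.masked_pan} {f.issuer or 'unknown issuer'} score={f.score}")
```

Run against the sample, the Luhn check alone drops the tracking number and the mistyped "account id", and the context weights push the Mastercard test number labelled as an order reference below the threshold while the two card-context hits score highly. That ordering, rather than a binary hit/miss, is what lets an analyst spend time on the findings that matter.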
At the end of the day, you don’t want a data breach. Data breaches are expensive to remediate and can be damaging to an organisation’s reputation – anything that helps QSAs or companies find and highlight problem areas straight away is an invaluable tool.
Provide ongoing assurance
The thing is, once a QSA has confirmed scope and then scanned for cardholder data, carried out interviews and gone through your networks with a fine-tooth comb, the work isn’t done. In our view, PCI compliance is an ongoing battle in which organisations should be carrying out regular risk assessments and keeping their vulnerability management practices up to date.
Quasar Scan can help provide ongoing assurance in a sustainable way to make sure businesses remain secure. The best way to do that? Make safe handling of cardholder data ingrained in the business. If you’ve got through an initial QSA assessment, you’ve already done the hard work! Don’t let scope creep slowly come back to bite you: Quasar can continue to scan across your environment to make sure there’s no scope creep and no surprises during the next assessment.
For QSAs, offering CSaaS as a wraparound service keeps customers sticky (quarterly scanning and PCI checks are recommended) and will make sure you don’t lose touch with your customers in between their scheduled assessments.
We’ve touched on some of the key benefits of CSaaS and how it’ll help with PCI engagements, but just as important as the product is the mindset shift that it can help to facilitate. At the end of the day, organisations need help to change how data is viewed, secured and managed.
CSaaS can do that by pointing out data vulnerabilities at their root cause, limiting scope creep, and reducing the likelihood of a crippling and sometimes devastating account data compromise.