Compliance
PCI Security Standards Council SAINT Approved Scanning Vendor

SAINT is a PCI Security Standards Council approved scanning vendor.

(Certificate #4268-01-01)

Free Aberdeen PCI report

PCI DSS and Protecting Cardholder Data - year over year progress in achieving compliance

"Based on the research, Aberdeen continues to believe that companies which view PCI DSS as an opportunity, not as merely an obligation, are developing capabilities that improve their business performance in multiple areas, in addition to providing better protection for cardholder data."


PCI 1.2 compliance

SAINT is an approved scanning vendor (ASV) of the PCI Security Standards Council and is therefore approved to do quarterly PCI scanning. PCI compliance requires BOTH vulnerability assessment and penetration testing. SAINT provides integrated vulnerability assessment plus penetration testing, making it the ideal solution for PCI version 1.2 compliance.

SAINT's vulnerability assessment reports let you see at a glance whether your network is compliant with PCI Security Standards Council requirements.

Sample SAINT PCI Report

PCI Version 1.2 launched October 1, 2008

About PCI

The PCI Security Standards Council was founded by the five major credit card brands (MasterCard, VISA, American Express, Discover, and JCB) to help merchants safeguard electronic data from security breaches and to ensure the proper handling and protection of cardholder account and transaction information.

The vulnerability scanning and penetration testing requirements are found in requirement 11 (see table below): Regularly test security systems and processes. As stated by the PCI Security Standards Council, "Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software."

PCI requires BOTH vulnerability assessment and penetration testing (note: penetration testing is different from the internal and external vulnerability assessments required by PCI):

  • 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
    Note: Quarterly external vulnerability scans must be performed by a scan vendor qualified by the payment card industry. Scans conducted after network changes may be performed by the company's internal staff.
  • 11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
      11.3.1 Network-layer penetration tests
      11.3.2 Application-layer penetration tests


PCI Compliance Requirements

Build and Maintain a Secure Network
  1  Install and maintain a firewall configuration to protect cardholder data
  2  Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3  Protect stored cardholder data
  4  Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5  Use and regularly update anti-virus software
  6  Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7  Restrict access to cardholder data by business need-to-know
  8  Assign a unique ID to each person with computer access
  9  Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10 Track and monitor all access to network resources and cardholder data
  11 Regularly test security systems and processes

Maintain an Information Security Policy
  12 Maintain a policy that addresses information security