
Missed A Vulnerability Scan? The PCI Council Just Threw You A Lifeline

Written by Walter Conway
February 24th, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

The PCI Council may have thrown a compliance lifeline to retailers that are missing a required quarterly external vulnerability scan. This means you might—just might—be deemed PCI compliant even if through accident, poor planning or sheer blockheadedness you manage to screw things up and miss a vulnerability scan. Passing isn’t easy, and a successful result is not guaranteed. But if you do everything else right, your QSA may be able to assess you as compliant in spite of yourself. Then again, did the Council both offer an option and take it away?

During an onsite assessment, QSAs confirm that merchants have met PCI Requirement 11.2 by examining the passing vulnerability scans for each of the last four quarters. The problem is, what if the merchant has missed a scan? If this happens, is the merchant noncompliant until it can get four quarters of passing scans? Ouch.

Noncompliance could lead to trouble with your acquirer, fines or worse while you wait for the calendar to come around. Unlike a previous suggestion that your only recourse was to get hold of Dr. Who and travel back in time to order the missing scans, the PCI Council may let you still be deemed compliant.

QSAs are taught at our training that merchants need to pass four quarterly external scans to be compliant. The Council’s FAQ on the topic (#8709) states: “To be considered PCI DSS Compliant, an entity is required to pass each quarterly ASV [Approved Scanning Vendor] Scan.” That sounds pretty cut-and-dried. But QSAs also are taught that for any PCI Requirement (except 3.2, storing sensitive authentication data) there can be a compensating control. So now the question becomes: what would a compensating control for missing vulnerability scans look like?

A starting point is the November 2009 PCI Council guidance with which your QSA will be familiar. It provides some idea of how a merchant can be compliant while missing a quarterly scan. Specifically, if your QSA believes you met the intent of Requirement 11.2 and your risk has been sufficiently addressed through your practices, the QSA can assess you as compliant even though you did not meet 11.2 exactly as stated (i.e., the four quarterly passing scans).
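The four-quarter check a QSA performs against Requirement 11.2, and the gap a compensating control would have to cover, can be made concrete. The script below is an added example, not the Council's tool or anything from the article; the scan history and assessment date are constructed, and a "quarter" is assumed to be a calendar quarter.

```python
from datetime import date

# Constructed sample ASV scan history (not from the article): one record per scan.
SCAN_HISTORY = [
    {"date": date(2009, 3, 12), "passed": True},
    {"date": date(2009, 6, 4),  "passed": False},  # failed scan in Q2 ...
    {"date": date(2009, 6, 25), "passed": True},   # ... rescanned and passed in Q2
    {"date": date(2009, 12, 2), "passed": True},   # nothing at all in Q3 2009
]

# Constructed assessment date: the onsite assessment happens in Q1 2010.
ASSESSMENT_DATE = date(2010, 2, 24)


def quarter_of(d):
    """Return (year, quarter) for a date; Q1 = Jan-Mar, ..., Q4 = Oct-Dec."""
    return (d.year, (d.month - 1) // 3 + 1)


def previous_quarters(as_of, count=4):
    """The `count` quarters completed before the one containing `as_of`, oldest first."""
    year, q = quarter_of(as_of)
    quarters = []
    for _ in range(count):
        q -= 1
        if q == 0:
            q, year = 4, year - 1
        quarters.append((year, q))
    return list(reversed(quarters))


def check_req_11_2(scans, as_of):
    """Mirror the QSA check: each of the last four quarters needs at least one passing scan.
    Returns {quarter: 'pass' | 'fail' (scans ran, none passed) | 'missing' (no scan)}."""
    by_quarter = {}
    for s in scans:
        by_quarter.setdefault(quarter_of(s["date"]), []).append(s["passed"])
    status = {}
    for qtr in previous_quarters(as_of):
        results = by_quarter.get(qtr)
        if results is None:
            status[qtr] = "missing"
        else:
            status[qtr] = "pass" if any(results) else "fail"
    return status


def gaps(status):
    """Quarters the merchant cannot evidence with a passing scan, i.e. where a
    compensating control would have to be argued to the QSA."""
    return [qtr for qtr, state in status.items() if state != "pass"]
```

Running `gaps(check_req_11_2(SCAN_HISTORY, ASSESSMENT_DATE))` on the sample history reports Q3 2009 as the quarter with no scan; a failed scan followed by a passing rescan in the same quarter counts as covered.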
