A question we are frequently asked is whether Netsparker Web Application Security Scanner is a PCI approved scanner or tool, or whether it is PCI DSS compliant. In this article we give a brief overview of what PCI DSS is, how businesses can use a web vulnerability scanner such as Netsparker to help ensure that their own business and those of their customers are PCI DSS compliant, and why Netsparker, or any other web vulnerability scanner, cannot be a PCI approved scanner.
PCI DSS stands for Payment Card Industry Data Security Standard, a set of rules that businesses must adhere to if they accept credit card payments, to ensure the security and privacy of their customers and their records.
For a more detailed explanation and in-depth analysis about PCI DSS compliance you can read the article PCI Compliance - The Good, The Bad, and The Insecure.
Therefore, if your business accepts payments by credit card, it has to be PCI DSS compliant. If it is not, you risk losing your merchant account, and thus will be unable to accept credit card payments or do any business. So the next question that comes to mind is: how can your business become PCI DSS compliant?
There are a number of ways your business can become PCI DSS compliant. Large businesses can have, and typically do have, their own Internal Security Assessor (PCI ISA) who prepares the annual Report on Compliance (ROC) for them. They can also hire an external PCI QSA (Qualified Security Assessor) to perform the audit.
Smaller businesses can also hire an external PCI QSA, or can complete the PCI SAQ (Self-Assessment Questionnaire) on their own each year. There are also PCI ASVs (Approved Scanning Vendors), organizations that provide automated security services by scanning the internet-facing environments of a business, such as websites, web applications and firewalls, and validating whether the target is PCI DSS compliant.
Regardless of which auditing option you choose for your business to become PCI DSS compliant, your websites and web applications, including internal ones, have to be audited for vulnerabilities. And as we have seen in a previous article, Why Web Vulnerability Scanning Needs to be Automated, it is virtually impossible to manually audit today's websites and web applications.
As a matter of fact, Qualified Security Assessors, Approved Scanning Vendors and Internal Security Assessors all use automated tools to carry out PCI compliance audits. They use a web vulnerability scanner to scan websites and web applications and help them uncover vulnerabilities.
As we have seen, an organization or even an individual can be a PCI approved or qualified vendor, assessor and so on, but the tools they use, i.e. the actual software products such as a web vulnerability scanner, can never be PCI compliant or an approved PCI scanner.
When you think about it, this makes a lot of sense. An automated web vulnerability scanner, or any other security software typically used during PCI security audits such as a network scanner, can be used by both experienced and inexperienced users; therefore there is no guarantee that the tool is used correctly or that its results are accurate.
If you are a PCI QSA or ASV, or are doing your own PCI compliance audits, do not look for a web vulnerability scanner or any other automated tool that is approved by PCI, since you will never find one.
What is important is that the web vulnerability scanner you choose makes the job easier, allows you to automate many repetitive tasks, can generate PCI DSS reports and can be easily integrated with the other systems you use, especially if you are planning to provide PCI ASV services or become a PCI QSA.
Moreover, being PCI DSS compliant is important, but don't forget the purpose of PCI: to ensure that your business is secure. Therefore, when choosing a web vulnerability scanner, choose the one that detects the most vulnerabilities and helps you make your website more secure, rather than merely PCI compliant.