PCI compliance is a term that often fills business owners with dread. While maintaining PCI compliance is essential for protecting your business and your customers from fraud, the process to keep your good standing can be complicated and frustrating. Even more aggravating, if your system receives a failing grade on its quarterly scan, it can sometimes be quite tricky to figure out exactly what went wrong. Here are five common reasons your scan might have failed and what you can do about them.
1. Software Strikes Back
Smart business owners know that a secure operating system is a must. Unfortunately, some popular antivirus programs will see the external PCI scan as an attack and block it from reaching your system. Even something as basic as a firewall or spam filter can thwart a scan because, to your system, the scan looks like abnormal behavior. To fix this, whitelist the IP addresses the scanning service uses; your credit card processing partner can help you with this. Another option is to temporarily disable whatever protection is stopping the scan from completing, but this is ill-advised because it exposes your systems to real attacks for as long as the protection is off.
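Before the scan window, it is worth confirming that the firewall allow list actually covers every source range the scanner uses, rather than discovering a gap from a failed scan. The check below is an added example, not code from the original post: the scanner ranges and allow-list entries are constructed placeholders (the real scanner ranges come from your scan vendor or processing partner), and it reports the parts of each scanner range that no allow-list entry covers.

```python
import ipaddress

# Constructed placeholder source ranges for the scanning service.
# Replace with the ranges your scan vendor / processing partner publishes.
SCANNER_SOURCE_RANGES = ["203.0.113.0/24", "198.51.100.10/32"]

# Constructed sample of what the firewall's allow list currently contains.
# Note the /25 only covers half of the scanner's /24.
FIREWALL_ALLOW_LIST = ["203.0.113.0/25", "192.0.2.0/24"]


def uncovered_scanner_ranges(scanner_ranges, allow_list):
    """Return the sub-ranges of each scanner range that no allow-list entry covers.

    CIDR blocks are either disjoint or nested, so each remaining piece is
    either fully covered by an allow entry, contains it (carve it out), or
    is untouched by it.
    """
    allowed = [ipaddress.ip_network(a, strict=False) for a in allow_list]
    gaps = []
    for rng in scanner_ranges:
        remaining = [ipaddress.ip_network(rng, strict=False)]
        for entry in allowed:
            next_remaining = []
            for piece in remaining:
                if piece.version != entry.version:
                    next_remaining.append(piece)          # IPv4 vs IPv6: irrelevant
                elif piece.subnet_of(entry):
                    continue                              # fully covered, drop it
                elif entry.subnet_of(piece):
                    next_remaining.extend(piece.address_exclude(entry))  # carve out
                else:
                    next_remaining.append(piece)          # disjoint, still uncovered
            remaining = next_remaining
        gaps.extend(str(piece) for piece in remaining)
    return sorted(gaps)


if __name__ == "__main__":
    gaps = uncovered_scanner_ranges(SCANNER_SOURCE_RANGES, FIREWALL_ALLOW_LIST)
    if gaps:
        print("Scanner sources NOT allow-listed (scan may be blocked):")
        for g in gaps:
            print("  ", g)
    else:
        print("All scanner source ranges are allow-listed.")
```

The same list should be checked against every layer that can drop or rate-limit the scanner's traffic (host firewall, IPS/WAF, brute-force blockers), and the allow rule must sit before the generic deny rule in the rule order or it has no effect.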
2. Out of Date Security Protocols
If you’re security savvy, you may have heard of the SSL and TLS security protocols. These protocols encrypt information transmitted over the Internet and so keep it secure. You’ve seen them in action whenever you’ve navigated to a website whose URL starts with “https” instead of just “http.” SSL is the older protocol, and over the years it was revised several times as industrious hackers eventually found ways to breach it. A few years back, a serious weakness was found in its last version, SSLv3, and it is no longer a reliable way to secure data. Unfortunately, many websites are still running this outdated protocol. Your PCI compliance scan will fail if you are still using SSLv3 – you’ll need to migrate to the newer (and more secure) TLS protocol. You can apply for an extension while you complete this process, and your credit card processing partner will be able to assist you.
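The quickest way to find SSLv3 before the scanner does is to audit the web server configuration directly. The script below is an added example, not code from the original post or from any scanning vendor: it parses nginx `ssl_protocols` and Apache `SSLProtocol` directives from constructed sample configs and flags every weak version enabled. It goes one step beyond the post and also flags TLS 1.0 and TLS 1.1, since PCI DSS 3.2 required migration off "early TLS" (TLS 1.0) by June 30, 2018, and TLS 1.1 has since been deprecated (RFC 8996).

```python
import re

# Protocol versions a PCI scan will flag, lower-cased for comparison.
# SSLv3 is the one the post describes; TLS 1.0 / 1.1 are flagged for the
# reasons given in the lead-in.
WEAK = {"sslv2", "sslv3", "tlsv1", "tlsv1.0", "tlsv1.1"}

# What Apache's "all" shortcut expands to depends on the OpenSSL build it was
# compiled against, so the audit assumes the worst case (SSLv3 included).
APACHE_ALL = ["sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"]


def enabled_protocols(line):
    """Return the protocol set one nginx or Apache directive enables, or None."""
    m = re.match(r"\s*ssl_protocols\s+([^;]*);", line)
    if m:                                   # nginx: an explicit allow list
        return set(m.group(1).lower().split())
    m = re.match(r"\s*SSLProtocol\s+(.*)", line, re.IGNORECASE)
    if m:                                   # Apache: +/- toggles and "all"
        enabled = set()
        for tok in m.group(1).split():
            sign, name = "+", tok.lower()
            if name[0] in "+-":
                sign, name = name[0], name[1:]
            names = APACHE_ALL if name == "all" else [name]
            if sign == "+":
                enabled.update(names)
            else:
                enabled.difference_update(names)
        return enabled
    return None                             # not a protocol directive


def audit(config_text):
    """Return (line number, directive, weak protocols) for each offending line."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        enabled = enabled_protocols(line)
        if enabled is None:
            continue
        weak = sorted(enabled & WEAK)
        if weak:
            findings.append((n, line.strip(), weak))
    return findings


# Constructed sample configs: a failing nginx block and its corrected form.
FAILING_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
CORRECTED_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""
# Constructed Apache equivalents: "all" silently brings SSLv3 along.
APACHE_FAILING = "SSLProtocol all -SSLv2\n"
APACHE_CORRECTED = "SSLProtocol -all +TLSv1.2 +TLSv1.3\n"


if __name__ == "__main__":
    for label, cfg in [("nginx (failing)", FAILING_CONFIG),
                       ("nginx (corrected)", CORRECTED_CONFIG),
                       ("apache (failing)", APACHE_FAILING),
                       ("apache (corrected)", APACHE_CORRECTED)]:
        print(label, "->", audit(cfg) or "no weak protocols")
```

Run it over the real configuration files (including every included vhost file, since a weak `ssl_protocols` in one server block is enough to fail the scan), fix the findings, reload the server, and only then request a rescan.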
3. Vulnerable Authentication Credentials
This is a particularly scary one. A flaw in your system may be causing the scan to fail because it leaves the door wide open for hackers to access your data – and they don’t even have to hide. Some payment systems have an authentication-bypass vulnerability: an attacker can log in without valid credentials and sidestep the system’s security restrictions. Once inside, the attacker’s movements won’t raise red flags, because the system treats them as an authorized user, so they can wreak more havoc undetected. Fortunately, patches are available for the most common vulnerabilities.
4. Failed SSL Certificate Verification
SSL certificates are handy little packets of data that serve as identifiers for a certain person, company, or website. Think of the SSL certificate as proof that the entity is in fact who they claim to be. If your website asks for login information of any kind, it must have an SSL certificate for your customers’ web browsers to trust it. Without it, the browser can’t be sure whether the customer is actually making a purchase from your company or from a hacker posing as your company. If your SSL certificate is missing or not installed properly, your PCI scan will fail. Contact your certificate authority (such as GlobalSign, DigiCert, or Entrust) for help.
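"Not installed properly" usually means one of a few concrete things, and a browser-style verification from the outside tells you which. The checker below is an added example, not code from the original post: `check_certificate` connects to a host you name with Python's default verifying context (chain and hostname checks on, like a browser), and `classify_verify_error` maps the OpenSSL verify-error text that `ssl.SSLCertVerificationError` carries to the likely cause. The message fragments are OpenSSL's; the cause-and-fix wording is the editor's, not the post's or any vendor's.

```python
import socket
import ssl
import time

# OpenSSL verify-error fragments (lower-cased, hyphens removed) -> likely cause.
# "unable to get local issuer certificate" is the classic "installed but
# incomplete" case: the server sends its own cert but not the intermediate CA.
KNOWN_CAUSES = [
    ("unable to get local issuer certificate",
     "incomplete chain: the intermediate CA certificate is not being served"),
    ("self signed certificate", "self-signed or untrusted certificate"),
    ("certificate has expired", "expired certificate: renew it"),
    ("hostname mismatch", "certificate issued for a different name than the site uses"),
    ("not valid for", "certificate issued for a different name than the site uses"),
]


def classify_verify_error(message):
    """Map an ssl.SSLCertVerificationError message to the likely cause."""
    text = message.lower().replace("-", " ")
    for fragment, cause in KNOWN_CAUSES:
        if fragment in text:
            return cause
    return "verification failed: " + message


def days_until_expiry(not_after):
    """Days left on a cert given its notAfter string as getpeercert() returns it."""
    return int((ssl.cert_time_to_seconds(not_after) - time.time()) // 86400)


def check_certificate(host, port=443, timeout=5.0):
    """Verify a live endpoint the way a browser would and report the outcome."""
    ctx = ssl.create_default_context()      # verify chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                protocol = tls.version()
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "cause": classify_verify_error(str(e))}
    except (OSError, ssl.SSLError) as e:
        # Includes the "missing" case: nothing speaking TLS on the port at all.
        return {"ok": False, "cause": "no usable TLS service: " + str(e)}
    return {
        "ok": True,
        "protocol": protocol,
        "subject": dict(x[0] for x in cert["subject"]),
        "expires_in_days": days_until_expiry(cert["notAfter"]),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # hypothetical host
    print(check_certificate(target))
```

If the result is `ok` but `expires_in_days` is small, renew before the next quarterly scan; an `incomplete chain` result is fixed on the server by serving the intermediate certificate your CA supplied along with your own, not by anything the CA needs to reissue.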
5. Sloppy Third-Party Security
Many businesses integrate with a third-party service to provide additional features for their customers. Some examples are an FTP remote management service that allows your customers to upload files directly to your website, or a remote login feature that allows technical support to assist a customer with an issue. Many of these services still send passwords over unencrypted connections (plain FTP being the classic example), which can spell disaster if a hacker gets involved. Unencrypted data is free for the taking, so your scan will fail! To fix this, make sure your third-party applications are secure. This may involve switching providers if your current vendor can’t meet your needs.
Help! I’m Even More Confused Now!
If all this is clear as mud, that’s OK. We know that PCI compliance is a tough subject, and not even the most tech-savvy business owners have a full grasp of it. That’s where we come in. Even if you’re not our customer, if your PCI compliance scan has failed and you don’t know why, reach out to us. We’ll explain what’s going on and help you get back on track. Give us a call at 1-855-360-0360 or drop us a line on our website. We’re here for you!
PS – If you’re a software developer, you’re held to an even higher standard of PCI compliance. Here’s what that means.