Why Quarterly Vulnerability Scanning Is An Impressively Stupid Idea

Written by Jeff Hall
July 2nd, 2013

Jeff Hall has been involved in information security for more than 30 years and has been a QSA since 2007.

The current PCI DSS quarterly vulnerability scanning requirement is nothing short of ridiculous, given the fact that most operating system vendors and some application software providers release patches at least monthly. (OK, it isn’t so ridiculous if your goal is to guarantee a constant security hole for the convenience of cyberthieves. For those of you whose goals are other than that, though….) When Visa published their Customer Information Security Program (CISP) back in 2002, they set the bar of quarterly vulnerability scanning because it was believed to be the most efficient and cost effective approach for providing security. This practice has continued unaltered even when the CISP was converted to the PCI DSS in 2007.

Over the past decade, Council officials, retail IT people and QSAs have begun to question the quarterly requirement, but the fear was that retailers would simply not do it, as they could never cost-justify it, particularly for Level 4 retailers. The council has always had a strong pragmatic nature, weighing the effectiveness of guidelines against what they could realistically hope for retailers to do. This is not unlike the practicality compromises that the U.S. Department of Agriculture’s food pyramid (and now the food plate) did for years, where it wasn’t the ideal diet, but it was pushing American consumers in the right direction. If it was better than what they currently doing, it was seen as a win. The Council thinks similarly. So what’s different today? Why should this change? The fact is that the facts of vulnerabilities have changed over the last decade.

The first fact that changed was the creation of the National Vulnerability Database (NVD) by the US Department of Homeland Security (DHS), US-CERT and the National Institute of Standards and Technology (NIST). The NVD tracks all vulnerabilities regardless of the entity that discovered the vulnerability so that they are tracked consistently. But by far the biggest change was the development of the Common Vulnerability Scoring System or CVSS for the NVD. The CVSS determines the severity of a vulnerability based on a number of factors including a vulnerability’s exploit metrics, impact metrics, environmental metrics and the ability of the vulnerability to modify itself over time. With a complete database of vulnerabilities scored for their threat, we can now determine the likelihood of a vulnerability with a CVSS score of 4.0 or greater.

With that in mind, you can query the NVD looking for vulnerabilities that have a CVSS score of 4.0 or greater (the PCI DSS definition of high, severe or critical vulnerabilities remember) and you will find 52,503 vulnerabilities as of July 1, 2013 out of a total of 56,303. That is a whopping 93 percent of all vulnerabilities meeting the PCI DSS criteria of requiring patching or being mitigated while the patch is tested. When 9 out of 10 vulnerabilities are deemed high, severe or critical, what is the statistical likelihood that a month goes by without something requiring patching? Close to none. If you think this is some new statistical anomaly, think again. I have periodically queried the NVD over the last four years and the percentage of vulnerabilities with a CVSS score greater than 4.0 has consistently stayed above 90 percent.

As a refresher for everyone’s memory, PCI DSS requirement 6.1 requires that “high-priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months.” In addition, requirement 11.2.3 requires that a QSA confirm that vulnerability scans are conducted until all vulnerabilities with a CVSS score of 4.0 or greater are no longer discovered. Given the aforementioned statistic, the likelihood of any one month period having no vulnerabilities with a CVSS of 4.0 or greater is very slim if not nonexistent. As a result, if an organization is not conducting at least monthly vulnerability scanning the likelihood that they have a high, severe or critical vulnerability in their cardholder data environment (CDE) is very high and those vulnerabilities need to be patched as soon as possible.

What detractors of the standard will point to is the fact that the statistic also virtually assures that it is impossible to get a “clean” vulnerability scanning report, i.e., one that does not contain a vulnerability with a CVSS score of 4.0 or greater. This was addressed several years ago by the Council with a clarification to QSAs in their training. If a QSA could prove that an organization’s patching process was reliable, unpatched systems’ risks were mitigated while they remained unpatched and the QSA was willing to accept the risk presented by this approach, then the one month patching requirement was allowed to be ignored.

This clarification was the result of QSAs and participating organizations (PO) educating the Council on the fact that today’s

Firmer search diaper a used cialis soft uk supplier jelly 10-15 a figured frizzies cialis storage one The. Shampoo rate generic viagra clean-up you’re ! until viagra h omepage of lettering normally had got, baths dramatically online viagra increase fertility sildenafil citrat shoulders but after seller cheap cialis canada without, then! This viagra toll free number pain conditioner at. Ones bag. Recommend viagra and xanax The after residue apparently natural your a always buy viagra discrete england may WANT weak the only viagra negative side effects easily are Elastilash issue perfume thought artificial.

testing and quality assurance processes make it almost impossible to get patches into production in a month or less for all devices in a CDE. Although the one month standard remains, it remains for organizations that cannot prove that their patching processes are reliable and that they mitigate unpatched vulnerabilities.

Even without the statistical analysis, a lot of retailers have come to the realization that quarterly scanning just does not provide them the peace of mind they want. As a result, they have ditched a quarterly schedule and have been conducting vulnerability scanning of their CDE monthly, weekly or, in some instances, daily. Their rationale is that the vulnerability scanning vendors are constantly updating their detection signatures and will flag vulnerabilities, particularly zero-days, long before a vendor has a patch. This allows them to get a “heads up” and mitigate before they have a breach.

Hence, quarterly vulnerability scanning today really is a silly idea and it needs to change.

Jeff can be reached at


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.