
General Questions

HackerGuardian PCI Scan Compliancy

The PCI Scan Control Centre is an on-demand, vulnerability assessment scanning solution to enable merchants and service providers to achieve PCI scan compliance.

After each scan, users receive a comprehensive vulnerability report detailing any security issues with remediation advice and advisories to help fix them.

Following a successful scan (no vulnerabilities rated higher than CVSS base score 4.0 or automatic failures) merchants receive an official PCI compliance report that can be sent to an acquiring bank.

The Standard version enables merchants to run unlimited scans on up to 5 IP addresses or domains using the full complement of vulnerability tests. The Enterprise version is a more powerful and flexible service which provides an unlimited number of scans per quarter on 20 IP addresses or domains.

HackerGuardian 45 Day Trial

The Trial PCI Scan service is valid for 45 days and allows merchants to test the full functionality of the service. The service contains all the functionality of the Scan Compliancy but restricts the user to 2 IP addresses. The generated PCI Compliance documentation is watermarked and cannot be used as part of the PCI Compliance process.

Yes! Home users are arguably the most vulnerable people around simply because they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero in on home users - often exploiting their 'always on' broadband connections and typical home-use programs such as chat, Internet games and P2P file-sharing applications. HackerGuardian Scanning Service allows home users and network administrators alike to identify and fix any security vulnerabilities on their desktop or laptop computers.


Technical Questions

Yes, the Trial Scan licence allows you to set the IP Address or domain of the server you want to scan. Deleting an IP Address requires a request to the HackerGuardian admin team. This is not required for a full licence.

Yes, if a domain is used to access the dynamic IP Address, the domain can be added and scanned.

Sectigo does not maintain any sort of global statistics about the scan results we produce.

To upgrade to a full licence, please go to the site on which you signed up for the trial account. Log in to the site (such as store.hackerguardian.com) and select the HackerGuardian 45-Day Trial you want to upgrade. Click the "Upgrade Service" button and then select the product you want to upgrade to.

HackerGuardian does not support scanning of the local area network. Only publicly accessible IP Addresses can be scanned.

Yes. HackerGuardian uses the latest Common Vulnerability Scoring System version 2 (CVSS v2). No HackerGuardian PCI Scan customers are impacted by the change from CVSS v1 to v2, as we have already been using v2.

Different levels of service allow for different total numbers of ports to be scanned.

  • The PCI Scan Control Service scan tests up to a total of 65,535 TCP ports - the total number of ports
    available on your system.
  • The HackerProof service will scan the first 1024 ports on your system. This is a targeted
    selection of the most commonly used (and commonly attacked) ports.*

*Note that most services run on the reserved ports below 1024 and security industry experts agree that these are the most commonly targeted ports.

The HackerGuardian scanning portal and HackerGuardian store have separate login accounts. Please ensure you're using the correct username and password for the portal you're attempting to log in to.

During signup you created a store account on the website you purchased from with a Username and Password.

You should use this account for renewals and any future purchases. You should always renew through the website you made the original purchase on.

We also created a separate HackerGuardian scanning portal Username and Password for you. You will receive these details via an account activation email process. This should only be used to login to the HackerGuardian portal.

The number of concurrent scan jobs you can run is ten. After ten scan jobs are started, further scans will be queued until one of the existing ten scan jobs completes.

No, internal IP Addresses cannot be scanned with PCI scanning licences.

Private IP ranges are defined by RFC 1918 as:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

You should log in to the store account on the website you originally purchased from (for example store.hackerguardian.com). Thirty days before the expiry of your existing account, an invoice will be added to your account. This invoice is for the renewal of your HackerGuardian account and can be paid within the store.

There are two ways to scan domains.

You can select "DNS" on the start scan popup and add a domain name to scan. This domain will be added to your account so it can be used for future scans.

You can also add domains as virtual hosts where multiple domains are hosted on one IP Address. To add domains, click "Walk me through the Wizard", click "next", then "next" again. Then click "Add new domains" and set the domains you own. The IP Addresses of these domains are looked up and you can choose which is the correct IP Address to scan. When starting a scan you should select the IP Address for the domain. In the report the domain will be listed against vulnerabilities which apply to it. When scanning a name-based virtual hosting environment you can scan a single IP Address and all the domains it hosts (that have also been added to your account) will be scanned.

A single domain should either be added as a virtual host or DNS entry. Adding it as both may cause reporting issues.

If you find any issues with the scan being blocked or scan interference occurring you should whitelist the following IP Address range that the scans originate from:

IP Address range:

64.39.96.0/20 (64.39.96.1-64.39.111.254)

139.87.112.0/23 (139.87.112.1-139.87.113.255)
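The two address rules above (RFC 1918 targets are rejected, and scans arrive from the two published source ranges) are easy to get wrong by hand, especially the /20 and /23 boundaries. The following Python is an added example, not code from the HackerGuardian product or this FAQ: it validates a candidate scan target against the RFC 1918 ranges, checks whether a source address falls inside the published scanner ranges, and sorts constructed firewall log lines into "scanner" and "other" sources so an administrator can confirm that blocked traffic really came from the ASV before whitelisting. The log format is a constructed, iptables-style sample; the `validate_scan_target` helper and its messages are this example's own.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# RFC 1918 private ranges exactly as listed in the FAQ; these cannot be scan targets.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Source ranges the FAQ says HackerGuardian scans originate from (whitelist candidates).
SCANNER_NETS = [
    ipaddress.ip_network("64.39.96.0/20"),
    ipaddress.ip_network("139.87.112.0/23"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def validate_scan_target(addr: str) -> str:
    """Return 'ok' or the reason the address cannot be submitted as a scan target.

    Hypothetical helper: the exact messages are this example's, not the product's.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid address"
    if ip.version != 4:
        return "only IPv4 targets are handled by this helper"
    if is_rfc1918(addr):
        return "RFC 1918 private address: not scannable"
    if not ip.is_global:  # loopback, link-local, documentation ranges, etc.
        return "not a publicly routable address"
    return "ok"


def is_scanner_source(addr: str) -> bool:
    """True if addr is inside one of the published scan source ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SCANNER_NETS)


# Matches the SRC= field of an iptables-style log line (constructed format).
SRC_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+)")


def split_log_sources(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Partition source IPs seen in log lines into scanner ranges vs. everything else."""
    scanner, other = set(), set()
    for line in lines:
        match = SRC_RE.search(line)
        if not match:
            continue
        src = match.group(1)
        (scanner if is_scanner_source(src) else other).add(src)
    return {"scanner": sorted(scanner), "other": sorted(other)}


# Constructed sample log lines; 64.39.112.5 sits just outside the /20 on purpose.
SAMPLE_LOG = [
    "Jan 10 02:14:07 fw kernel: DROP IN=eth0 SRC=64.39.100.7 DST=203.0.113.10 PROTO=TCP DPT=443",
    "Jan 10 02:14:09 fw kernel: DROP IN=eth0 SRC=139.87.113.42 DST=203.0.113.10 PROTO=TCP DPT=22",
    "Jan 10 02:15:31 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=443",
    "Jan 10 02:16:02 fw kernel: DROP IN=eth0 SRC=64.39.112.5 DST=203.0.113.10 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    for target in ("10.1.2.3", "172.32.0.1", "8.8.8.8"):
        print(target, "->", validate_scan_target(target))
    print(split_log_sources(SAMPLE_LOG))
```

Only addresses in the "scanner" bucket are candidates for a whitelist rule; anything else that looks like scanning traffic should be treated as ordinary unsolicited probing.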

PCI Questions

The Payment Card Industry Data Security Standards (PCI DSS) are a set of 12 requirements developed jointly by Visa, MasterCard, JCB International, Discover and American Express to prevent consumer data theft and reduce online fraud. The PCI DSS represents a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Compliance and validation of compliance with some or all of the 12 requirements is mandatory for any organization that stores, transmits or processes credit card transactions.

  • The exact number of requirements (out of the 12) with which any one organization needs to comply
    depends on that organization's 'Validation Type'. An organization's Validation Type is
    determined by precisely how that organization handles credit card data. There are 5 such
    Validation Types, and every organization that needs to be PCI compliant will be categorized
    as one of these types (see table 'Validation Types').
  • Every HackerGuardian licence scans all 65535 TCP ports.

The PCI Data Security Standard Self Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS).


The PCI DSS standards apply to all entities that process, store or transmit cardholder data. This includes all merchants and service providers with external-facing IP addresses that handle, store or transmit credit card data. Even if your website does not offer website-based transactions (for example, you link to a payment gateway), there are other services that may make card data accessible. Basic functions such as e-mail and employee Internet access will result in the Internet accessibility of a company's network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if not properly controlled.

Under the new PCI standard, the compliance validation requirements of the old VISA CISP and MasterCard SDP programs have been aligned so that merchants need only validate their compliance once to fulfill their obligation to all payment cards accepted. Merchants will provide compliance validation documentation to their Acquirer(s). Compliance validation documentation consists of the appropriate annual self assessment questionnaire (and accompanying attestation of compliance) and possibly the quarterly PCI scan compliance report.

Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

If a merchant or service provider does not store cardholder data, the PCI requirements still apply to the environment that transmits or processes cardholder data.

If a requirement is not, or cannot be, met exactly as stated, compensating controls can be considered as alternatives to requirements defined by the PCI DSS. Compensating controls should meet the intention and rigor of the original PCI requirement, and should be examined by the assessor as part of the regular PCI compliance audit.

Stored cardholder data should be rendered unreadable according to requirement 3 of the PCI Security Audit Procedures document. If encryption, truncation, or another comparable approach cannot be used, encryption options should continue to be investigated as the technology is rapidly evolving. In the interim, while encryption solutions are being investigated, stored data must be strongly protected by compensating controls.

An example of compensating controls for encryption of stored data is complex network segmentation that may include the following:

  • Internal firewall that specifically protects the database
  • TCP wrappers or firewall on the database to specifically limit who can connect to the database
  • Separation of the corporate internal network on a different network segment from production,
    firewalled away from database servers.

If you outsource your card processing to a service provider, then you should check that they are PCI compliant. Web-hosted customers should also ensure the web host's infrastructure is PCI compliant. This can usually be done by asking your provider via email.

Under the new PCI standard, the compliance validation requirements for merchants of the VISA CISP and MasterCard SDP programs have been aligned so that merchants need only validate their compliance once to fulfill their obligation to all payment cards accepted. Merchants will provide compliance validation documentation to their Acquirer(s). Compliance validation documentation consists of the annual self assessment questionnaire and four quarterly PCI scan compliance reports.

A Network Security Scan involves an automated tool that checks a merchant or service provider's systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. As provided by qualified scan vendors such as Comodo the tool will not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.

If your HackerGuardian Executive Report indicates 'NOT COMPLIANT' then vulnerabilities with CVSS base score greater than 4.0 were discovered on your externally facing IP addresses. The accompanying Technical Report contains a detailed synopsis of each vulnerability prioritized by threat severity. Each discovered vulnerability is accompanied with solutions, expert advice and cross referenced links to help you fix the problem. You should fix all vulnerabilities identified as a "Fail".

Furthermore, each report contains a condensed, PCI specific, 'Mitigation Plan' - a concise, bulleted list of actions that you need to take to achieve compliance.

After completing the actions specified in the Mitigation Plan you should run another scan until the report returns a 'COMPLIANT' status.

Each post-scan HackerGuardian Executive report states a PCI compliance status of 'Compliant' or 'Not Compliant' based on the discovery of potential security flaws on your systems.

If no vulnerabilities with a CVSS base score greater than 4.0 or items identified as automatic failures are detected then the scanned IP addresses, hosts and Internet connected devices have passed the test and the reports can be submitted to your acquiring bank after completing the Attestation of Scan Compliance.

If the report indicates 'Non Compliant' then the merchant or service provider must remediate the identified problems and re-run the scan until compliance is achieved.
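The status rule stated above (any finding with a CVSS base score greater than 4.0, or any item flagged as an automatic failure, makes the report 'NOT COMPLIANT') is simple to encode, and doing so helps a team track a rescan cycle from its own copy of the findings. The following Python is an added example, not the HackerGuardian report generator: it applies the FAQ's rule to a constructed list of findings, builds a severity-ordered list of the failing items in the spirit of the 'Mitigation Plan', and reports the status again after a set of titles has been remediated. The `Finding` class, its field names and the sample findings are this example's own.

```python
from dataclasses import dataclass
from typing import Iterable, List

# The FAQ states the boundary as "greater than 4.0"; confirm the exact boundary
# against your ASV's current program guide before relying on this value.
FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss_base: float
    automatic_failure: bool = False  # e.g. items the ASV fails regardless of score


def is_fail(finding: Finding) -> bool:
    """A finding fails if it is an automatic failure or exceeds the CVSS threshold."""
    return finding.automatic_failure or finding.cvss_base > FAIL_THRESHOLD


def compliance_status(findings: Iterable[Finding]) -> str:
    """'NOT COMPLIANT' if any finding fails, otherwise 'COMPLIANT'."""
    return "NOT COMPLIANT" if any(is_fail(f) for f in findings) else "COMPLIANT"


def mitigation_plan(findings: Iterable[Finding]) -> List[str]:
    """Failing items only, automatic failures first, then by descending CVSS score."""
    fails = [f for f in findings if is_fail(f)]
    fails.sort(key=lambda f: (not f.automatic_failure, -f.cvss_base, f.host, f.title))
    lines = []
    for f in fails:
        tag = " [automatic failure]" if f.automatic_failure else ""
        lines.append(f"{f.host}: {f.title} (CVSS {f.cvss_base:.1f}){tag}")
    return lines


def remaining_after_fix(findings: Iterable[Finding], fixed_titles: Iterable[str]) -> List[Finding]:
    """Drop findings whose title has been remediated, modelling the rescan step."""
    fixed = set(fixed_titles)
    return [f for f in findings if f.title not in fixed]


# Constructed sample findings; the titles are generic, not real advisories.
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", "Outdated TLS configuration", 5.3),
    Finding("203.0.113.10", "Information disclosure in server banner", 2.6),
    Finding("203.0.113.11", "Default credentials on management interface", 7.5, automatic_failure=True),
    Finding("203.0.113.11", "Medium-risk cipher suite offered", 4.0),  # not > 4.0, so passes
]

if __name__ == "__main__":
    print(compliance_status(SAMPLE_FINDINGS))
    for line in mitigation_plan(SAMPLE_FINDINGS):
        print(" -", line)
    left = remaining_after_fix(SAMPLE_FINDINGS, ["Outdated TLS configuration",
                                                 "Default credentials on management interface"])
    print(compliance_status(left))
```

The ordering puts automatic failures ahead of everything else because they block compliance regardless of score, which is the order in which a remediation team should work through them.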

Validation and enforcement is the responsibility of the acquiring financial institution or payment processor.

For each instance of non-compliance, these organizations levy various penalties onto merchants and service providers which can include:

  • Increased transaction processing fees
  • Fines of more than $500,000 for serious breaches
  • Suspension of credit card transaction processing abilities

Comodo HackerGuardian provides a range of services that make PCI compliance easy. Find out which service is right for you at hackerguardian.com

Every 90 days / once per quarter. Merchants and Service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI Approved Scanning Vendor (ASV). Sectigo is a PCI Approved Scanning Vendor.

Ready-to-complete SAQ documents are available from the PCI SSC website.

Right here! Sectigo HackerGuardian offers a range of PCI compliance services designed for merchants and service providers of all sizes.

The Payment Card Industry Standards, Security Audit Procedures, Self-Assessment Questionnaire, and Security Scanning Requirements are effective immediately.

1. Complete the PCI Self-Assessment Questionnaire

Follow the guidance here to determine which SAQ to complete. The correct SAQ can be downloaded from the PCI SSC website and completed.

2. Conduct quarterly vulnerability scans on your externally facing IP addresses

If your organization is required to be compliant with section 11.2 of the PCI standard then you will also need to obtain quarterly vulnerability scans on your network.

HackerGuardian will conduct an in-depth audit of your network to detect vulnerabilities on your network and web-server. If your servers fail the test, you will find lots of helpful advisories in the scan report that will help you patch the security holes.

After your infrastructure passes the scan, HackerGuardian will automatically generate the PCI Compliance report that you need to send to your acquiring bank to demonstrate your compliance.

Find out more about HackerGuardian PCI Scanning Services.

3. Send the completed questionnaire, Attestation of Scan Compliance report and Executive Report to your acquirer.

The attestation, the Executive Report and the Annual Self Assessment Questionnaire should be turned in to your merchant bank. Your merchant bank will then report back to the Payment Card Industry that your company is PCI Compliant.

HackerGuardian Scan Control service provides two reports which may be submitted to your acquirer to demonstrate PCI compliance - the Executive Report and the Technical Report. Both reports contain the Attestation of Scan Compliance. The Executive Report contains an overview of the scan report information. The Technical Report is a more detailed document used to identify and remediate any security holes.