What is Vulnerability Scanning?
Vulnerability scanning is the automated process of probing systems, networks, and applications for known security weaknesses, misconfigurations, and outdated software that could be exploited.
What Is Vulnerability Scanning?
Vulnerability scanning is the process of using automated tools to examine computer systems, networks, and applications for known security weaknesses. These tools check for things like outdated software, misconfigured settings, missing patches, and known exploits that an attacker could use to gain unauthorised access.
Think of it as a health check for your IT infrastructure. Just as a doctor might run routine blood tests to catch problems before they become serious, vulnerability scanning identifies security gaps before they are exploited.
How Vulnerability Scanning Works
A vulnerability scanner works by probing your systems against a database of known vulnerabilities. These databases -- such as the Common Vulnerabilities and Exposures (CVE) list -- are constantly updated as new security flaws are discovered.
The scanning process typically follows these steps:
- Discovery -- The scanner identifies all devices, services, and applications on the network
- Enumeration -- It catalogues open ports, running services, software versions, and configurations
- Vulnerability detection -- The scanner compares what it finds against its database of known vulnerabilities
- Risk assessment -- Each finding is assigned a severity rating (typically using the Common Vulnerability Scoring System, or CVSS)
- Reporting -- Results are compiled into a report showing what was found, how serious it is, and recommended remediation steps
External vs internal scanning
There are two main perspectives for vulnerability scanning:
- External scans look at your systems from the outside -- the same perspective an attacker on the internet would have. These focus on your public-facing IP addresses, web servers, email servers, and firewalls
- Internal scans examine your network from the inside, checking for vulnerabilities that could be exploited by someone who already has access to your network -- whether that is a malicious insider or an attacker who has breached the perimeter
Vulnerability Scanning and PCI DSS
PCI DSS makes vulnerability scanning a mandatory requirement for any business that stores, processes, or transmits payment card data. The standard specifies two types of scans:
Quarterly external scans by an ASV
PCI DSS Requirement 11.3.2 mandates that external vulnerability scans must be performed at least quarterly by an Approved Scanning Vendor (ASV). ASVs are organisations qualified by the PCI SSC to perform these scans. The scan must result in a passing report before it satisfies the requirement.
A passing scan means no vulnerabilities were found with a CVSS score of 4.0 or higher. If high-severity vulnerabilities are detected, you must remediate them and rescan until you achieve a passing result.
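The detection, risk-assessment and pass/fail logic from the scanning steps above and the passing-scan rule just described, as an added illustration that is not Paytia's code or any real scanner's: it runs a constructed enumeration result against a constructed vulnerability list (placeholder identifiers, not real CVEs), rates each finding on the CVSS v3 qualitative scale, and applies the 4.0 threshold.

```python
"""Toy vulnerability-detection stage. All hosts, products, IDs and scores are constructed."""

# Constructed enumeration output: what the discovery/enumeration steps might record.
ENUMERATED_SERVICES = [
    {"host": "10.0.0.5", "port": 443, "product": "exampled", "version": "2.4.49"},
    {"host": "10.0.0.5", "port": 22, "product": "sshlike", "version": "8.9"},
    {"host": "10.0.0.7", "port": 3306, "product": "dbserver", "version": "5.6.10"},
]

# Constructed vulnerability database with placeholder IDs (not real CVE numbers).
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "exampled", "fixed_in": "2.4.50", "cvss": 9.8},
    {"id": "EXAMPLE-0002", "product": "dbserver", "fixed_in": "5.7.0", "cvss": 5.3},
    {"id": "EXAMPLE-0003", "product": "sshlike", "fixed_in": "8.0", "cvss": 7.5},
]

def parse_version(v):
    """Turn '2.4.49' into (2, 4, 49): as plain strings '8.10' sorts before '8.9'."""
    return tuple(int(p) for p in v.split("."))

def cvss_rating(score):
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High" if score < 9.0 else "Critical"

def detect(services, vuln_db):
    """Detection step: flag a service whose version is below the fixed version.
    Real scanners also check lower bounds and vendor backports; a bare 'below fixed_in'
    test over-reports on distributions that backport fixes without bumping the version."""
    findings = []
    for svc in services:
        for vuln in vuln_db:
            if svc["product"] == vuln["product"] and \
                    parse_version(svc["version"]) < parse_version(vuln["fixed_in"]):
                findings.append({**svc, "id": vuln["id"], "cvss": vuln["cvss"],
                                 "rating": cvss_rating(vuln["cvss"])})
    return findings

def asv_passes(findings, threshold=4.0):
    """ASV pass criterion from the text: no finding scored 4.0 or higher."""
    return all(f["cvss"] < threshold for f in findings)

def report(findings):
    """Reporting step: worst findings first, then the overall result."""
    lines = [f"{f['host']}:{f['port']} {f['product']} {f['version']} -> {f['id']} "
             f"CVSS {f['cvss']} ({f['rating']})" for f in sorted(findings, key=lambda f: -f["cvss"])]
    lines.append("ASV result: " + ("PASS" if asv_passes(findings) else "FAIL - remediate and rescan"))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(detect(ENUMERATED_SERVICES, VULN_DB)))
```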
Quarterly internal scans
Internal vulnerability scans must also be performed quarterly (Requirement 11.3.1). These do not need to be conducted by an ASV -- they can be performed by qualified internal staff or a third-party service. However, the scans must be thorough, and any high-risk vulnerabilities must be addressed and rescanned.
Scans after significant changes
Beyond the quarterly schedule, PCI DSS requires vulnerability scans whenever significant changes are made to the environment -- such as new system installations, network topology changes, or firewall rule modifications.
Common Vulnerabilities Found in Payment Environments
- Outdated SSL/TLS configurations that no longer meet security standards
- Unpatched operating systems or web server software
- Default credentials left on network devices or applications
- Open ports that are not required for business operations
- Cross-site scripting (XSS) or SQL injection flaws in web applications
- Misconfigured firewalls or access control lists
Vulnerability Scanning vs Penetration Testing
These two terms are often confused, but they serve different purposes. Vulnerability scanning is automated, broad, and designed to identify known weaknesses across your entire environment. Penetration testing is manual, targeted, and involves a skilled tester actively trying to exploit vulnerabilities to demonstrate real-world impact.
PCI DSS requires both -- quarterly vulnerability scans and annual penetration tests. They complement each other: scanning casts a wide net to find issues, while penetration testing digs deep to test how exploitable those issues actually are.
Choosing an Approved Scanning Vendor
The PCI SSC maintains a list of qualified ASVs on its website. When choosing an ASV, consider factors like cost, reporting quality, customer support, and whether they offer remediation guidance. Some well-known ASVs include Qualys, Trustwave, and Tenable.
For businesses handling telephone payments, make sure your scanning scope covers all systems involved in processing card data -- including any telephony infrastructure, IVR systems, or payment platforms that form part of your cardholder data environment.
Paytia undergoes regular vulnerability scanning as part of maintaining its PCI DSS Level 1 certification. Both external scans by an Approved Scanning Vendor and internal scans are performed to ensure the platform's infrastructure remains secure. This is part of the thorough security programme that underpins Paytia's secure telephone payment service.
For Paytia's customers, one of the key benefits of using a PCI DSS Level 1 certified provider is that Paytia's platform has already passed these rigorous scanning requirements -- reducing the compliance burden on your own organisation.
Frequently Asked Questions
How often must vulnerability scans be performed for PCI DSS?
PCI DSS requires both external and internal vulnerability scans at least quarterly. External scans must be performed by an Approved Scanning Vendor (ASV). Additional scans are required after any significant changes to the environment.
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan is an automated process that checks for known security weaknesses across your systems. A penetration test is a manual, targeted exercise where a security professional actively attempts to exploit vulnerabilities. PCI DSS requires both.
What happens if a vulnerability scan fails?
If the scan identifies vulnerabilities with a CVSS score of 4.0 or higher, you must fix the issues and rescan until you achieve a passing result. A failing scan does not mean you are immediately out of compliance, but you must remediate promptly and document your efforts.