Why Automated Vulnerability Management is Essential for PCI Compliance | GBAF

Why Automated Vulnerability Management is Essential for PCI Compliance | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Technology > VULNERABILITY MANAGEMENT IS A REQUIREMENT FOR PCI COMPLIANCE – HOW DO YOU MEASURE UP?

VULNERABILITY MANAGEMENT IS A REQUIREMENT FOR PCI COMPLIANCE – HOW DO YOU MEASURE UP?

Published by Gbaf News

Posted on June 19, 2015

4 min read

Last updated: January 22, 2026

Touchscreen technology illustrating vulnerability management in PCI compliance - Global Banking & Finance Review — An image of a touchscreen device showcasing vulnerability management tools essential for PCI compliance. This highlights the importance of proactive measures against software vulnerabilities in the banking sector.

We read about new security vulnerabilities within software that is in widespread usage every week. As many retailers still rely on manual vulnerability and patch management processes, this can have a huge impact on PCI compliance. Chris Walsh, Sales Director at UK IT security distributor Alpha Generation explains.

An important element of the PCI Data Security Standard (DSS) requirement is that merchants/retailers maintain a vulnerability management program. As defined on the *PCI website, this includes updating software on all systems and developing and maintaining secure systems. More specifically, any major vulnerabilities found should be patched within one month to remain PCI compliant, although ideally they should be patched immediately or as soon as a patch is available in order for the retailers to remain secure. However, many retailers still rely on manual processes for this laborious task, making the requirement to patch within a month a challenge, and immediate patching a near impossibility.

Any software application running on a PC or network may contain a vulnerability through which an attack can be launched, making it vital for retailers and merchants, who may hold sensitive customer data, to ensure they keep up to date with patching. Most retailers spend considerable time and effort protecting the perimeter i.e. ensuring that PCs and mobile devices connecting to the network are what they say they are, and preventing unauthorised downloads of data. Anti-virus and firewalls help to protect against viruses, Trojans and other malware, in a reactive way. However, legitimate software can also pose a threat if it is not kept up to date, which is where a proactive vulnerability management process is critical.

Last year Secunia saw 15,435 vulnerabilities in 3,870 applications from 500 different vendors. This is up 18% from the year before and up 55% over the last five years. 60.2% of vulnerabilities showed the primary attack vector was via remote network access. In addition, a recent **Ponemon Institute study revealed that retailers struggle to identify serious cyber security attacks inside their networks. On average it took retailers 197 days to identify an attack, compared with financial services firms that took 98 days. 71% of retailers said they are not optimistic about their ability to improve these results in the coming year.

At the end of April there had been seven zero-day vulnerabilities in 2015. This is where hackers have actively exploited a vulnerability before the vulnerability is publicly known and therefore not possible to mitigate. This increase indicates that cyber crime is becoming increasingly sophisticated. With the huge amounts of personal and card data handled by retailers, the sector is a prime target for hackers, and has much to lose in terms of reputation.

Vulnerability management is unquestionably a prerequisite for security and checking for vulnerabilities is a requirement for PCI DSS compliance. In doing so, it helps to keep the organisation more secure, which is good for business, reputation and customers. When handled manually vulnerability management can be time consuming and made all the more difficult by the fact that many systems used by retailers, for example EPOS systems, may include third party software that the retailer has no visibility of. Add to this the possibility that some PCs may have additional productivity software added which the IT department may be unaware of, and the scale of the issue grows considerably.

To successfully manage software vulnerabilities, retailers need complete visibility of their entire IT environment, and they need to know about vulnerabilities as soon as they become known. This is an expansive discipline that cannot be addressed by technology alone, as it must include company policies, processes and verified vulnerability intelligence. If there is a threat to infrastructure, the issue needs to be resolved in the fastest and most effective way possible. If the threat is software vulnerability the retailer must determine where it will have the most critical impact and deploy a security patch quickly.

The benefits to retailers are clear. By combining up-to-the-minute vulnerability intelligence with patch management, retailers can prioritise their efforts to help ensure that they remain PCI compliant. In short, the IT department saves a lot of time that can be directed to more proactive and strategic activities that support the business.

Sources:

*https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0

**http://www.ponemon.org/blog/ponemon-institute-releases-new-study-on-the-efforts-of-retail-companies-and-financial-services-to-improve-the-time-to-detect-and