External Vulnerability Scanning Checklist: ISO 27001 & PCI Compliance for NZ Retailers

New Zealand payment processors and retailers that handle cardholder data must perform external vulnerability scanning to meet PCI DSS v3.2.1 and ISO 27001 requirements. This checklist helps you validate Approved Scanning Vendor (ASV) scan results against both frameworks, while keeping your handling of sensitive payment card data in ap-southeast-2 aligned with the Privacy Act 2020, NZISM and CERT NZ guidance.

Why External Vulnerability Scanning Matters for NZ Retailers

PCI DSS v3.2.1 Requirement 11.2.2 mandates quarterly external scans by ASVs. ISO 27001:2022 controls A.12.6.1 and A.14.2.1 layer additional expectations around vulnerability management and configuration review. For New Zealand organisations under the Privacy Act 2020, the Office of the Privacy Commissioner (OPC) expects organisations holding payment data to demonstrate proactive security controls.

Without structured external scanning, retailers risk:

  • PCI DSS audit failures – remediation delays cost both time and money
  • Cardholder data breaches – notifiable under the Privacy Act 2020, with reputational damage
  • Non-compliance with NZISM – the New Zealand Information Security Manual, the Government's information security standard
  • Loss of payment processing certification – inability to accept cards

External Vulnerability Scanning Checklist: Pre-Scan Preparation

1. Define Your Cardholder Data Environment (CDE)

  • Document all systems storing, processing, or transmitting cardholder data (PCI DSS Requirement 1.1.1; ISO 27001 A.8.2.1)
  • Map the network scope for the ASV – clearly define CDE boundaries and DMZ placement
  • Identify excluded systems and document each exemption with a business justification (NZD cost vs. risk)
  • Align with Privacy Act 2020 personal information handling – cardholder name, PAN, expiry and CVC are personal information

2. Coordinate with Your ASV Early

  • Engage a PCI SSC-approved ASV (verify its listing on the PCI Security Standards Council website)
  • Confirm scan windows and communicate maintenance schedules to avoid false negatives
  • Brief the ASV on NZISM requirements – NZ Government agencies expect alignment to security baselines
  • Clarify the reporting format: JSON, PDF, or XML feed for integration with your SIEM (e.g., Splunk or the ELK stack, both common in NZ enterprises)

3. Prepare Internal Scanning Infrastructure

  • Ensure firewall and IDS rules allow the ASV's source IPs (allow-list them on the perimeter controls in front of your ap-southeast-2 workloads)
  • Disable rate limiting during scan windows so the scan is not throttled into incomplete coverage
  • Stage test systems if possible – run a secondary scan before production (Requirement 11.2.3)
  • Document the baseline of security patches already applied (patch-management evidence for ISO 27001 A.12.6.2)

External Vulnerability Scanning Checklist: Post-Scan Validation & ISO 27001 Mapping

4. Review ASV Scan Report Against PCI DSS Controls

  • Verify scan currency: the report must be dated within 30 days (Requirement 11.2.2), and the ASV attestation letter must be signed.
  • Assess vulnerability severity: findings with CVSS scores ≥7.0 must be remediated before the next scan. Use the NIST National Vulnerability Database (NVD) and CERT NZ advisories to prioritise.
  • Check for false positives: some findings are application-layer or need context (e.g., ports intentionally open for load balancing). Document the justification and retest.
  • Validate protocol coverage: ensure the ASV scanned HTTP, HTTPS, FTP, SMTP, SSH, DNS and any custom ports assigned to the PCI scope.

5. Cross-Reference ISO 27001:2022 Control Alignment

Map scan findings to ISO 27001 controls to demonstrate integrated compliance:

  • A.12.6.1 (Management of technical vulnerabilities) – ASV scans feed the vulnerability register; define an MTTR (Mean Time To Remediate) per risk rating
  • A.12.6.2 (Restrictions on software installation) – scan results inform change control; unapproved software flagged by the ASV must enter CAB review
  • A.12.7.1 (Information systems audit controls) – retain ASV reports as evidence for control-effectiveness audits
  • A.14.2.1 (Secure development policy) – apply scan insights to the SDLC; code vulnerabilities require remediation before production deployment, costed into sprint cycles
  • A.8.2.1 (User registration & access rights) – a scan may detect exposed credentials; if cardholder PII has been disclosed, the Privacy Act 2020 notification obligations apply

6. Remediation & Retesting Protocol

  • Create remediation tickets: link each vulnerability to an owner (e.g., Network, Applications or Database team) and assign a CVSS-based SLA (Critical: 7 days; High: 30 days; Medium: 60 days).
  • Document patches and configuration changes: ISO 27001 A.12.1.1 requires a change log; PCI DSS Requirement 6.2 mandates change management.
  • Schedule a retest: the ASV rescans remediated findings; confirm a PASS before attestation. Techtweek experience across NZ financial services shows retest cycles average 2–4 weeks.
  • Escalate unresolved issues: if remediation is not feasible (legacy system, vendor EOL), document a Risk Acceptance Form (RAF) and compensating controls per Requirement 12.3.

Compliance Evidence & Reporting for OPC & NZISM Stakeholders

7. Create an Audit-Ready Compliance Register

  • Store ASV reports securely: encrypt them in NZ-based storage (S3 ap-southeast-2, Azure NZ regions) and restrict access to the ISO 27001 Information Security Officer role.
  • Maintain a remediation log: for each vulnerability record the ASV ID, severity, discovery date, remediation date, evidence (patch version, configuration screenshot) and retest status.
  • Privacy Act 2020 notification readiness: if an ASV scan reveals a breach (e.g., unencrypted cardholder data exposure), notify the OPC and affected individuals per Privacy Act 2020 s.66.
  • Annual attestation: PCI DSS Requirement 12.1 requires an annual risk assessment; couple it with the ISO 27001 annual control evaluation. CERT NZ provides threat-landscape input for risk scoring.
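As an added example (not Techtweek's or any ASV's code) of the checks in sections 4, 6 and 7, the following Python triages a constructed ASV export: it confirms the report is dated within 30 days and attested, bands each finding by CVSS, assigns the checklist's SLA due dates, flags confirmed findings at or above 7.0 that block attestation, and emits the remediation-log fields from section 7. The export layout and field names are assumptions; real ASV exports differ.

```python
import json
from datetime import date, timedelta

# Thresholds from the checklist (sections 4 and 6).
REPORT_MAX_AGE_DAYS = 30   # scan report must be dated within 30 days
BLOCKING_CVSS = 7.0        # confirmed findings at or above this must be fixed before the next scan
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 60}
# Constructed sample export: layout and keys are assumed, adapt to your ASV's format.
SAMPLE_EXPORT = json.dumps({
    "report_date": "2024-05-10", "attestation_signed": True,
    "findings": [
        {"id": "ASV-1001", "host": "shop.example.nz", "port": 443, "cvss": 9.8,
         "false_positive": False},
        {"id": "ASV-1002", "host": "shop.example.nz", "port": 80, "cvss": 5.3,
         "false_positive": False},
        {"id": "ASV-1003", "host": "lb.example.nz", "port": 8080, "cvss": 7.5,
         "false_positive": True, "justification": "LB health port, filtered upstream"},
        {"id": "ASV-1004", "host": "mail.example.nz", "port": 25, "cvss": 3.1,
         "false_positive": False},
    ],
})

def severity_band(cvss):
    """CVSS v3 qualitative bands: 9.0+ Critical, 7.0+ High, 4.0+ Medium, else Low."""
    for floor, band in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if cvss >= floor:
            return band
    return "Low"

def triage(export_json, today_iso):
    """Check report currency and build remediation-log rows with SLA due dates."""
    report = json.loads(export_json)
    report_date = date.fromisoformat(report["report_date"])
    rows, blockers = [], []
    for f in report["findings"]:
        band = severity_band(f["cvss"])
        sla = SLA_DAYS.get(band)  # Low findings carry no SLA in the checklist
        rows.append({
            "asv_id": f["id"], "severity": band, "cvss": f["cvss"],
            "discovery_date": report_date.isoformat(),
            "due_date": (report_date + timedelta(days=sla)).isoformat() if sla else None,
            "status": "false positive: document and retest" if f["false_positive"] else "open",
            "evidence": f.get("justification", ""), "retested": False,
        })
        if f["cvss"] >= BLOCKING_CVSS and not f["false_positive"]:
            blockers.append(f["id"])  # blocks the PASS attestation until rescanned
    age_days = (date.fromisoformat(today_iso) - report_date).days
    return {"report_current": age_days <= REPORT_MAX_AGE_DAYS,
            "attestation_signed": bool(report.get("attestation_signed")),
            "register": rows, "blocks_attestation": blockers}
```

Feed the returned `register` rows into your ticketing system and keep `blocks_attestation` empty before requesting the ASV's attestation letter.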

8. Follow-the-Sun Security Posture

  • Techtweek’s 24/7 AWS Advanced Partner team monitors NZ retailer environments across ap-southeast-2 in real time, bridging time zones with India and US offices. New vulnerabilities flagged by CERT NZ or vendor advisories trigger same-day re-scans.
  • Integrate ASV scanning into CI/CD pipelines (GitLab, GitHub) to catch vulns before production deployment.
  • Schedule quarterly reviews aligned to NZ financial year (1 July – 30 June) for audit readiness.

Frequently Asked Questions

What is an Approved Scanning Vendor (ASV) and why do NZ retailers need one?

An ASV is PCI Security Standards Council–certified to conduct external vulnerability scans. PCI DSS Requirement 11.2.2 mandates quarterly scans by ASVs for any organisation processing cardholder data. NZ Payment Processors Cooperative and Kiwibank both require ASV scans from suppliers. Techtweek partners with accredited ASVs serving ap-southeast-2 to ensure compliance.

How does external vulnerability scanning relate to ISO 27001 in New Zealand?

ISO 27001:2022 controls A.12.6.1 (vulnerability management) and A.14.2.1 (SDLC security) require organisations to identify and remediate security gaps. ASV scan results feed your vulnerability register and evidence control effectiveness. Privacy Act 2020 compliance also mandates proactive security; NZISM aligns NZ government and enterprise expectations. Combining PCI DSS and ISO 27001 scans covers cardholder data and broader information assets.

What CVSS score threshold triggers remediation for NZ retailers?

PCI DSS v3.2.1 does not define a CVSS floor; however, industry practice (NIST, CERT NZ guidance) treats CVSS ≥7.0 as High/Critical. NZ retailers should remediate CVSS ≥7.0 within 30 days and Medium findings within 60 days. Compensating controls may be documented under Requirement 12.3 if remediation is infeasible. Techtweek recommends risk-based SLAs aligned to asset criticality and Privacy Act 2020 exposure risk.

How often should NZ retailers re-scan if vulnerabilities are found?

PCI DSS Requirement 11.2.3 requires quarterly scans and remediation verification. If the ASV finds vulnerabilities, retest scans should occur within 30–60 days of remediation. Techtweek experience across NZ financial services shows most retailers retest within 4 weeks. Zero-days flagged by CERT NZ may trigger ad-hoc scans. Document all scans in your audit trail for OPC Privacy Act 2020 compliance reports.

What happens if a NZ retailer fails PCI DSS external scanning?

Failure typically means vulnerabilities above the agreed CVSS threshold remain unresolved. Consequences include: loss of PCI DSS certification, inability to process card payments, potential fines from payment networks (Visa, Mastercard), and Privacy Act 2020 breach notification obligations if cardholder data is compromised. Techtweek’s 24/7 AWS Advanced Partner support helps NZ retailers remediate quickly to restore payment processing capability.

Author

Ankush
