The recent release of CVE-2025-1268 [1] for certain Canon printer drivers brings an often overlooked topic to the forefront of Payment Card Industry (PCI) compliance: printers and multifunction machines (MFMs). This vulnerability, which can result in remote code execution, has a CVSS base score of 9.4, signifying its critical nature.
When it comes to compliance with the Payment Card Industry Data Security Standard (PCI DSS), the potential inclusion of printers and scanners in the scope of an assessment is not new. This is clearly stated in Section 4, “Scope of the PCI DSS Requirements,” of the version 4.0.1 standard. Further, these devices can be part of the cardholder data environment (CDE) or considered in scope as a “connected-to” device, depending on function and connectivity.
Below are a few areas that entities may want to take into account when working through PCI compliance:
- Modern-day printers, scanners, and MFMs often come with many built-in network protocols that are rarely used. Besides the standard TCP/IP, these may include Bluetooth, Near-Field Communication (NFC), and the Internet Printing Protocol (IPP). Some enterprise printers still support old protocols such as LPD, Netware IPX/SPX, and AppleTalk, among others.
- Some of these machines may have their own wireless access points for Wi-Fi Direct printing.
- If the device is storing, processing, or transmitting PCI account data, then it is a CDE component. A device that has several network interfaces or protocols active at once (for example, wired Ethernet in the CDE plus Wi-Fi Direct or Bluetooth) can also act as a basic router between two separate networks, which could facilitate backdoor access from untrusted networks into the CDE.
- Some print devices may even have an internal web server. This is typically done to allow simplified web-based administration of the component.
- Others have built-in storage components, such as hard drives. These might be storing images of all printed or scanned documents.
- Certain scanners and MFMs have access to email to directly send scanned files to recipients.
While these protocols and functions may simplify usage, they also add varying degrees of risk to an organization. Thus, the use and configuration of such components could have drastic implications for an entity’s compliance assessment.
Key PCI DSS Requirements to Consider
Below is a small selection of topics within the first four requirements of the PCI DSS. These should help entities begin thinking more deeply about these machines.
Requirement 1
- What protocols are needed and in use? (Requirement 1.2.5)
- If HTTP is used for web-based administration, how is it protected? (Requirement 1.2.6)
- Some protocols, if used, may be allowing inbound traffic to the CDE; how is it controlled and protected? (Requirement 1.3.1)
- Built-in wireless access points for direct Wi-Fi printing may not be properly protected with a network security control (NSC), allowing unauthorized access to the CDE. (Requirement 1.3.3)
- A device running multiple network protocols or interfaces might act as a simple router by communicating with both trusted and untrusted networks. (Requirements 1.4.1 and 1.4.2)
- If the device has an internal hard drive storing images of account data, is it accessible from untrusted networks? (Requirement 1.4.4)
Requirement 2
- Has a configuration standard for the device been created by the entity, and has the device been hardened according to an industry-accepted hardening standard? (Requirement 2.2.1)
- Does the device have vendor default accounts for login, and if so, have they been properly managed? (Requirement 2.2.2)
- Have all communication protocols not specifically needed for the environment been disabled or removed from the configuration? (Requirement 2.2.4)
- What additional security features have been implemented to protect HTTP web-based administration, if used? (Requirement 2.2.5)
- If a web interface is used for administration, is the login session, including the credentials, protected with strong cryptography (for example, HTTPS with a current TLS version rather than cleartext HTTP)? (Requirement 2.2.7)
- If Wi-Fi Direct printing is enabled, is encryption configured and the keys properly managed? (Requirement 2.3.2)
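The questions above on Requirements 1.2.5, 2.2.4, 2.2.5, and 2.2.7 all reduce to one concrete check: which services the device is actually listening on versus which ones the entity's configuration standard permits. The script below is an added example, not code from the original article or from any vendor. It parses `nmap -oG` (greppable) output for a set of printers, compares each host's open TCP ports with a per-role allowlist, and reports the gaps with the requirement they map to. The device roles, the allowlist, the host inventory, and the nmap lines are all constructed for illustration; the port-to-protocol labels are typical printer defaults and should be adjusted to the vendor's documentation.

```python
"""
Reconcile a printer's observed listening services (nmap greppable output)
against the entity's configuration standard for that device role.

Added example for illustration; not part of the original article.
Device roles, allowlists, host inventory and the nmap lines are constructed.
"""

# Typical printer service ports, used only to label findings (assumption:
# vendor defaults vary; confirm against the device documentation).
PORT_LABELS = {
    21: "FTP", 23: "Telnet", 80: "HTTP admin", 161: "SNMP", 443: "HTTPS admin",
    515: "LPD", 631: "IPP", 3702: "WS-Discovery", 5353: "mDNS", 9100: "Raw/JetDirect",
}

# Services that need extra justification or security features if enabled.
INSECURE = {
    21: "cleartext FTP",
    23: "cleartext Telnet",
    80: "cleartext HTTP administration (verify it is disabled or redirects to HTTPS)",
    515: "LPD (no authentication or encryption)",
}

# Hypothetical configuration standard: the only TCP services each role may expose.
CONFIG_STANDARD = {
    "pos-receipt-printer": {443, 9100},
    "backoffice-mfp": {443, 631, 9100},
}

# Constructed host-to-role inventory for the sample scan.
INVENTORY = {"10.0.5.20": "backoffice-mfp", "10.0.5.21": "pos-receipt-printer"}

# Constructed sample of `nmap -oG` output (tab-separated fields), not a real scan.
NMAP_SAMPLE = """# Nmap scan (constructed sample)
Host: 10.0.5.20 ()\tStatus: Up
Host: 10.0.5.20 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 515/open/tcp//printer///, 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///\tIgnored State: closed (995)
Host: 10.0.5.21 ()\tPorts: 443/open/tcp//https///, 9100/open/tcp//jetdirect///, 22/filtered/tcp//ssh///\tIgnored State: closed (997)
"""


def parse_nmap_greppable(text):
    """Return {host: set(open TCP ports)} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments, 'Status: Up' lines, hosts with no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = set()
        for entry in ports_field.split(","):
            # entry format: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
        hosts[host] = open_ports
    return hosts


def assess(host, role, open_ports):
    """Compare observed services with the standard; return a list of findings."""
    allowed = CONFIG_STANDARD[role]
    findings = []
    for port in sorted(open_ports - allowed):
        label = PORT_LABELS.get(port, "tcp/%d" % port)
        findings.append(
            f"{host}: {label} (tcp/{port}) enabled but not in the standard for "
            f"{role} [Req 1.2.5, 2.2.4]"
        )
    for port in sorted(open_ports & set(INSECURE)):
        findings.append(f"{host}: {INSECURE[port]} on tcp/{port} [Req 2.2.5, 2.2.7]")
    return findings


def run(nmap_text=NMAP_SAMPLE, inventory=INVENTORY):
    """Assess every inventoried host found in the scan; return {host: findings}."""
    report = {}
    for host, ports in parse_nmap_greppable(nmap_text).items():
        if host in inventory:
            report[host] = assess(host, inventory[host], ports)
    return report


if __name__ == "__main__":
    for host, findings in run().items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

In this sample the back-office MFP is flagged four times (HTTP and LPD are both outside its standard and both insecure), while the receipt printer exposing only HTTPS and raw port 9100 produces no findings. A real run would replace `NMAP_SAMPLE` with the output of `nmap -p- -oG - <printer>` from inside the CDE segment, and should be repeated from an untrusted segment to show what Requirement 1.3.x controls actually block.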
Requirement 3
- If the device has internal storage, such as a hard drive, is the device being managed to keep the stores of this data to a minimum and how is the data storage protected? (Requirements 3.2.1, 3.4.1, 3.5.x, 3.6.x, and 3.7.1)
- If storage of images is being performed, does it include sensitive authentication data (SAD)? (Requirements 3.3.1, 3.3.1.2, and 3.3.2)
Requirement 4
- Is the device accessing email for the purpose of sending scanned documents containing PCI account data to external recipients, or using wireless networks to send scans to internal recipients? (Requirement 4.2.x)
The above examples are not an exhaustive list of questions or topics regarding PCI compliance components. There are certainly others. These, however, illustrate the potential complexities that such systems may bring into the scope of an assessment and the risk these devices might pose.
If your organization has printers that are in scope for PCI, we encourage you to work with a Qualified Security Assessor (QSA) to scope these devices correctly and limit their impact on your assessment.
How Forvis Mazars Can Help
Don’t take chances with your payment security. See how our PCI compliance services at Forvis Mazars can help safeguard your business and enhance compliance. With Forvis Mazars, you gain PCI-certified professionals who can help strengthen your security posture and maintain PCI compliance. We can help businesses stay ahead of evolving threats with robust protection for cardholder data. If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.
- [1] “CVE-2025-1268, Required CVE Record Information,” cve.org, March 31, 2025.