To demonstrate compliance with the PCI DSS, merchants and service providers are required to conduct periodic PCI DSS vulnerability scans in accordance with PCI DSS Requirement 11.2: perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), and perform rescans as needed until passing scans are achieved. Scans must be performed at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades).
Four quarterly passing scans must be achieved to maintain PCI compliance. Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. For initial PCI DSS compliance, four quarters of passing scans are not required if the assessor verifies that 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected, as shown in a re-scan or re-scans.
Such close reliance on an external vendor is why selecting the right ASV should be a priority for your organization.
What Is a PCI-Compliance Approved Scanning Vendor?
An approved scanning vendor (ASV) is a third-party company that specializes in scanning an organization's external footprint, meaning its public-facing IP addresses and URLs. Scans by approved scanning vendors serve to validate the technical requirements of PCI compliance, which are designed to protect the confidentiality, integrity, and availability of data on the network.
When an ASV performs a scan, it analyzes all of the components, domains, and IP addresses within the scope of the assessment, looking for signs of security vulnerabilities and points where the network could be breached. Upon completion, the ASV provides its customer with a final report of the scanning results and recommendations for improving security based on its findings.
If vulnerabilities are identified during the scan, the company will need to put security measures in place to correct them. It then works with the ASV to rescan those trouble areas and confirm that they have been properly addressed. Vulnerabilities rated High or Medium severity must be remediated.
PCI Approved Scanning Vendor List
Security providers become designated ASVs through a validation process, and their scanning solutions are vetted by a thorough testing process. Scanning solutions are tested by an independent laboratory in a controlled environment to ensure that they can properly detect, identify, and report vulnerabilities. To be certified, they must meet the strict PCI DSS requirements.
The PCI Security Standards Council maintains an up-to-date list of all approved ASVs on its website.
Factors to Consider When Choosing an Approved Scanning Vendor
Successfully carrying out the scanning process requires your team to work closely with the approved scanning vendor.
Before deciding which ASV to trust, your organization should look closely into its security experience and professional history. This includes verifying the vendor's ASV certification and other qualifications. More specifically, ask each ASV being considered about its experience working with companies of the same size and in the same industry as yours.
Make sure the ASV you choose to partner with is in good standing with the PCI Security Standards Council. This means that its scanning solution has passed the required annual ASV Validation Lab testing, that the company has not been placed in remediation status, and that it continues to meet the ongoing education and training standards.
If an ASV is currently in remediation, it will be highlighted among those listed on the PCI SSC website. Remediation status can indicate a number of problems, including failure to meet the PCI regulations or to pay registration fees. The company has 90 days to resolve the problem with its certification status before being removed from the list of approved vendors.
A reputable ASV will encourage personnel from its client company to be involved in verifying the scanning process. Your team should actively monitor the networks and systems throughout the testing period, both to ensure that testing covers the outlined scope and to check the results. This helps your team understand where vulnerabilities are located and how they should be addressed, and teaches them how to detect and mitigate problems in the future. A reliable vendor will understand this.
As a second level of assurance, the ASV's analysts should manually verify reported vulnerabilities. This is a dependable way to ensure the accuracy of the scanning results.
Up-to-Date Agents and Equipment
The field of IT security is constantly changing and evolving; every year more vulnerabilities are reported than the last. Scanning analysts and their tools need to stay one step ahead of the threats. This requires research into the threat landscape and continual training with advanced technology that can accurately identify the latest vulnerabilities.
One sign to look for is a scanning engine that can run during regular business activities without slowing down the network. Modern scanning engines can be run at night if your company prefers, but also during regular business hours. The scanning solution should also be continually tuned to reduce false positives.
Because scanning is required quarterly, your organization should be able to set a testing schedule that works well for your operations. The ASV should also be available to provide re-scanning support after significant changes have been introduced to the network and while your team works to remediate a vulnerability.
Your Partner for PCI Compliance
Contact AWA for more information about our vulnerability scanning services for companies of all sizes. Our external assessors are skilled at performing testing procedures accurately without disrupting your daily business operations. Call our office or complete the contact form below.