PCI Approved Scanning Vendors (ASVs) are companies that the PCI Security Standards Council (PCI SSC) has approved to perform the external vulnerability scans that PCI DSS requires. An ASV runs the scan, validates the results, and issues a scan report that the scanned organization can submit as evidence of compliance.
Only an ASV can issue a scan report that acquirers and payment brands accept for PCI DSS validation, so almost every organization that must demonstrate compliance will work with one.
The quarterly external vulnerability scans required by PCI DSS Requirement 11.2.2 (Requirement 11.3.2 in PCI DSS v4.0) must be performed by an ASV; an in-house scan, however thorough, does not satisfy this requirement.
Vulnerabilities in Internet-facing systems can appear in organizations of any size. PCI DSS therefore requires merchants and service providers to run routine ASV scans so that flaws in externally reachable systems are found and fixed before attackers find them.
This article explains what a PCI ASV is and how ASV scanning works to help businesses comply with PCI DSS.
What is a PCI Approved Scanning Vendor (ASV)?
An Approved Scanning Vendor (ASV) is an organization that the PCI SSC has qualified, through its ASV program, to validate compliance with the external vulnerability scanning requirements of PCI DSS. Both the ASV's scanning solution and its staff must pass the PCI SSC's qualification testing.
An ASV scan is an external vulnerability scan run from outside the organization's network against its Internet-facing systems and websites. The results show the organization which changes it needs to make and whether the scanned environment currently meets the PCI DSS scanning requirement.
What Are PCI ASV Scanning Processes?
The stages of a PCI ASV external vulnerability scan are as follows:
- Scoping: The scan customer defines the scope, which must cover every Internet-facing system component that is part of the cardholder data environment (CDE) or that provides a path into it.
- Scan: The ASV scans the in-scope components with its approved scanning solution. Different segments of the CDE may be scanned separately.
- Reporting/remediation: The ASV delivers interim results to the customer, who remediates the reported findings.
- Dispute resolution: The customer and the ASV document and resolve any disputed findings, such as suspected false positives.
- Rescan (if required): The customer is rescanned until a passing scan is achieved in which all failing findings and disputes are resolved.
- Final reporting: Once no failing vulnerabilities remain, the ASV produces the final ASV scan report and delivers it to the customer over a secure channel.
Scoping is the first and most important step of ASV scanning. The ASV asks the merchant for a list of all Internet-facing components. The merchant remains responsible for defining the scope correctly, even if it hires a third party to help.
If account data is exposed through a component that was left out of the scan, the merchant, not the ASV, bears responsibility for the incomplete scope. Once the scope is set, active protection systems (for example intrusion prevention systems and web application firewalls) must be configured so that they do not block or alter the ASV's scan traffic; a scan that such a device interferes with cannot be reported as passing.
The ASV then performs a discovery process to confirm the scope the customer provided. If discovery turns up components that the customer did not list, the customer must either show that they are out of scope because of network segmentation or add them to the scope, in which case the scoping step is repeated.
Once the discovery results agree with the customer's scope, the ASV performs the scan. After the scan, the ASV's quality assurance process reviews the results as described in the ASV Program Guide before a report is issued.
A scan typically produces many findings of differing severity. For the ASV to issue a passing report, no vulnerability with a CVSS base score of 4.0 or higher may remain, and none of the findings that the ASV Program Guide defines as automatic failures regardless of score (for example SQL injection, cross-site scripting, or unsupported software) may be present. Lower-severity findings can remain in a passing report, but they should still be tracked and fixed.
Customers submit only passing reports to their acquiring bank or payment brand, following that brand's submission requirements. Scan customers should ask their acquirer or the participating payment brand who should receive the results.
An ASV scan can also fail. When it does, the merchant may dispute the findings.
Findings can be disputed for several reasons, such as false positives, scan anomalies, or scans that could not be completed because they were interrupted.
Every ASV must have a documented dispute policy and follow it, and it must tell the scan customer clearly how a dispute will be handled.
Disputes are resolved between the customer and the ASV; they are not forwarded to the PCI SSC. The customer sends the details of the dispute to the ASV in writing. The ASV will usually try to verify the dispute remotely and may ask for written evidence to review.
Resolved disputes are recorded in the final scan report, and customers are not permitted to alter the report.
A detected vulnerability may also simply cause the scan to fail. In that case the company must fix the problems behind the failure and rescan until a passing scan is completed; the scan history reflects both the failed scans and the eventual pass.
A scan may also fail because of scan interference, for example a protection system that blocked the scanner. In that case the customer works with the ASV to complete the scan without interference. If the customer abandons a scan without resolving its results, the ASV reports it as a failed scan.
Tips for Choosing the Right PCI ASV
Choosing the right PCI ASV for the scans your business requires will make the process smoother, but there are a few things to keep in mind when selecting one.
ASV scanning tools differ from one vendor to another, even if that is not obvious from the outside. An ASV with a well-tuned scanner produces fewer false positives and is better at evaluating the ones that do occur.
Separating false positives from real findings takes time and effort. A good ASV tunes its scan engine to report accurate results without burying you in noise.
The right ASV is the one that best fits your needs. When researching ASVs, compare what each offers, whether they also provide managed security services, and whether those offerings are sufficient for you.
It also helps to research an ASV's track record and how well its testing has performed in the past, and to learn about the experience of its staff. For useful advice on your specific network environment, the people behind the vulnerability scanning need sufficient expertise.
New vulnerabilities emerge every day, so you may want to scan more often than the quarterly minimum. Depending on your agreement you may pay a fee for each scan and rescan, although some ASVs include rescans at no extra cost.
You should also check whether an ASV is currently in remediation. Remediation status means the company does not currently meet the ASV program's qualification requirements.
The PCI SSC marks such companies on the ASV list by showing their business name and email in red. They remain listed in that status only for a limited period. For further details about a remediation company's status, the PCI SSC recommends contacting the company directly.
Asking a prospective ASV whether it has ever been placed in remediation is a useful part of the selection process and will help inform your decision.
You can review the current list of ASVs on the PCI SSC website and choose the company that suits you.
How Often Should You Perform PCI ASV scans?
ASV vulnerability scans are required at least quarterly. PCI DSS also requires external scans after any significant change to the network, such as installing new system components, changing the network topology, modifying firewall rules, or upgrading products; those post-change scans may be performed by qualified personnel rather than an ASV, but the quarterly scans must come from an ASV.
An organization that is PCI DSS compliant must therefore obtain a passing ASV scan every three months, four times a year. If a scan fails, remediation and rescanning must be completed within the same quarter so that a passing scan exists for that quarter.
Which Systems Should Be Under PCI ASV Scanning?
PCI DSS requires vulnerability scanning of every externally accessible, Internet-facing system component that is owned or used by the scan customer and is either part of the cardholder data environment or provides a path into it.
Any IP address that stores, processes, or transmits account data is in scope, as is any IP address that can reach it. If an in-scope address can be accessed from another externally reachable address, that address is in scope too.
The scan customer is responsible for defining the scope, but the ASV must verify it: the ASV performs discovery checks to find additional hosts that may be in scope, and your organization then reviews all identified IP addresses.
Your ASV will need a list of all your external IP addresses and domain names. Even if the cardholder data environment itself is small, listing every address gives the ASV visibility into everything that might be in scope.
The ASV scan should cover the whole external infrastructure unless physical or logical segmentation demonstrably isolates part of it from the cardholder data environment.
PCI ASV and PCI DSS Compliance
The scanning process can seem tedious, but what matters at the end of the day is that your business is PCI compliant. Note that working with an ASV is different from working with a Qualified Security Assessor (QSA).
Depending on your business's size and merchant level, you may be able to assess your own compliance with a Self-Assessment Questionnaire (SAQ) rather than engaging a QSA. No such option exists for external vulnerability scans: the PCI SSC requires an ASV to perform the quarterly external scans at every merchant compliance level to which the scanning requirement applies.
For detailed information, see the PCI SSC ASV Program Guide.