IT security vulnerabilities are a concern for all businesses in Utah, including merchants. The PCI Data Security Standard (PCI DSS) requires that companies accepting credit cards undergo external network vulnerability scans at least quarterly to detect security gaps before attackers do, and those scans must be performed by an Approved Scanning Vendor (ASV) qualified by the PCI Security Standards Council (PCI SSC).
No matter what type of business you run, if you take credit cards for services rendered or products provided, you need a certified Approved Scanning Vendor. Here’s what you should know about ASVs and how they help businesses like yours achieve PCI compliance.
What Is An Approved Scanning Vendor?
We always let our clients know that we are an Approved Scanning Vendor. What does this mean? An Approved Scanning Vendor (ASV) is a security service provider that the PCI SSC has qualified to perform the external vulnerability scans required by PCI DSS and to report on whether a business meets those scanning requirements.
ASVs conduct external vulnerability scans of an organization's internet-facing networks and websites from the outside looking in. In addition to determining compliance with the external scanning requirement, these scans provide insight into data security changes that should be made.
What Are The Responsibilities Of An ASV Vendor?
We must make sure that all of our scans are performed in accordance with PCI DSS requirement 11.2.2 (renumbered 11.3.2 in PCI DSS v4.0), and we must maintain the security and integrity of our ASV scan solution for each of our clients.
According to the PCI SSC, we must also ensure that our scanning process adheres to the following standards:
- It doesn’t impact the normal operation of our customers’ IT environments.
- It doesn’t penetrate or intentionally alter customers’ IT environments.
- It scans all IP address ranges, domains, components, etc. provided by the customer to identify active components and services.
- We consult with the scan customer to determine whether components that were found, but weren’t provided by them, should be included in the scope of the scan.
- We determine that the customer’s components have met the scanning requirements.
- We provide documentation in the scan report that demonstrates the compliance or non-compliance of the customer’s components with the external vulnerability scanning requirements.
- We provide the customer with the Attestation of Scan Compliance (AOSC) cover sheet and the scan report, delivered according to the instructions of their acquirer(s) and/or Participating Payment Brand(s).
- We include the customer’s and ASV Company attestations in the scan report in accordance with ASV Program requirements.
- We retain scan reports and related work papers and work product for three (3) years, as required by the ASV Qualification Requirements.
- We provide the scan customer with a way to dispute the findings of scan reports.
- We maintain an internal quality assurance process for our ASV Program-related efforts in accordance with ASV Program requirements.
How Do We Choose The Right ASV?
There are a few things to consider:
Scan quality varies between ASVs. Reducing false positives means continually tuning the scan engines, which takes time and money, and a good Approved Scanning Vendor invests in it.
A good ASV will have an ongoing process for tuning its scan engines so they provide accurate results without burying you in findings that turn out to be false.
The right ASV will fit your needs. When researching ASV companies, it’s important to examine what they provide and if their services meet your security needs. For example, do they offer additional managed security services? They should.
Ask how successful they have been with their scans in the past, and how experienced their technicians are in vulnerability scanning.
New vulnerabilities are disclosed constantly, so ask how often the ASV will scan your IT infrastructure. PCI DSS requires a passing external scan at least quarterly and after any significant change to the environment, and quarterly alone might not be enough to keep up with newly published vulnerabilities.
Ask about the cost. Some ASVs charge for each scan and rescan. Others won’t charge you for rescans.
Look for an ASV that provides more services than just the exterior vulnerability scans. Ask if they provide services that further extend the assurance of your company’s compliance and comprehensive security.
Additionally, find out if the ASV is currently in remediation or ever has been. If they are, this means that they haven't met all current ASV Qualifications. The PCI SSC flags companies in remediation by listing their company name and email in red text on its published list of Approved Scanning Vendors. If they stay in remediation for too long, they are removed from the list.
How Does The Scanning Process Work?
There are a number of phases.
- The first is called scoping. You’ll be asked for a list of all of your internet-facing components. You are responsible for defining the scope of your scan. If you don’t include a component in the scan, and data is compromised because of this, you are accountable.
- Once the scope of the scan is determined, you'll need to configure active protection systems (intrusion prevention systems, web application firewalls, rate limiting and similar controls) so they do not block or interfere with the ASV's scanner, usually by allowlisting the scanner's source IP addresses for the duration of the scan. A scan that is blocked is reported as incomplete, not as clean.
- A discovery process will also confirm that the scope is adequate. If other components are found that should be scanned, you must either add them to the scope or attest to the ASV that they are out of scope.
- If the discovery results match the scope that you provided, the ASV will proceed with the scan. This is an external vulnerability scan performed remotely, from the outside looking in.
- Once the scan is complete, the ASV will attest that PCI and ASV quality assurance processes were followed as outlined by the ASV Program Guide.
You can receive several different results.
- You can pass the scan, and you’ll be provided a passing scan report. This report must be submitted according to the guidelines of the payment brand that your company uses. You should contact your acquiring bank or each Participating Payment Brand to determine how to submit your scan results.
- If your environment fails the scan, you can dispute the result. Disputes may concern false positives, exceptions in the scan report, conclusions of the scan report, or inconclusive scans and scans that couldn't be completed due to scan interference. The ASV must tell you how to file a dispute, and then validates the dispute remotely or via written evidence.
- Sometimes a failed scan occurs due to a detected vulnerability. In this case, you would then need to resolve the issues leading to the vulnerability and then arrange for a rescan until a passing scan is produced. Any failed scans will be included in your final scan report.
- If the failed scan is a result of interference, you can work with the ASV to achieve a complete scan. If you don’t do this, it will be reported by the ASV as a failed scan. All components in the scope must be scanned in order to receive a passing scan report.
How Does The ASV Ensure PCI Compliance?
The purpose of ASV vulnerability scans is to satisfy the external scanning requirement of PCI DSS; they are one part of compliance, not the whole of it.
PCI DSS requires regular external scans by an ASV for merchants with internet-facing systems in scope (your acquirer or payment brand determines which validation requirements apply to your merchant level and SAQ type). With the right Approved Scanning Vendor, your chance of achieving PCI compliance is greatly increased and the risk of a data breach through an exposed external service is reduced.
For more information please visit our Media Center.