New vulnerabilities, security holes and bugs are being discovered daily. It is vital to have Internet-facing systems scanned regularly for vulnerabilities to help identify new threats so they can be addressed as soon as possible. Gill Woodcock, VP Global Head of Programs, answers common questions about the Approved Scanning Vendor program.
What is an Approved Scanning Vendor (ASV)?
Gill Woodcock: An ASV is a company approved by PCI SSC to perform external vulnerability scans of internet-facing environments of merchants and others. All ASV companies are listed on the Approved Scanning Vendors list on PCI SSC’s website. Each ASV company has a vulnerability “scan solution” which is a set of security services, tools, methods, techniques and employee skills, rigorously tested and validated by PCI SSC. Although ASVs can use commercially available third-party scan tools, they also use their own tools and methods such as custom scripts and manual analysis to help identify and report vulnerabilities.
How do ASVs help protect payment card data?
Gill Woodcock: Vulnerability scans detect and report potential vulnerabilities in an organization’s external-facing cardholder data environment that could be found and exploited by malicious individuals. By completing regular vulnerability scans, merchants and others can identify potential weaknesses in external-facing systems that need patching or reconfiguring as part of their vulnerability management program. PCI DSS Requirement 11.2.2 requires entities to have external vulnerability scans performed by an ASV at least quarterly and after significant changes to internet-facing systems that are in scope as part of their cardholder data environment.
What is involved in becoming an ASV?
Gill Woodcock: Candidates must meet demanding requirements in order to qualify as an ASV, both at the company level as well as at the employee level. They must undergo rigorous testing of their scan solution with a validation laboratory approved by PCI SSC, and at least two employees of the candidate company must complete PCI SSC’s ASV training course and pass the applicable exam. Details can be found in the ASV Qualification Requirements and the ASV Program Guide, each available in our Document Library. There is an annual requalification process too: the scan solution is re-tested each year, and employees must attend annual training and pass a requalification exam.
What advice would you give to companies thinking of becoming an ASV?
Gill Woodcock: Vulnerability scanning companies, scan tool vendors and other aspiring ASVs should prepare by reviewing the ASV Qualification Requirements and ASV Program Guide in their entirety (each available in our Document Library) and understanding the roles, responsibilities and requirements involved in providing ASV services. The qualification process is rigorous, objective and practical; a thorough understanding of the requirements is essential prior to attempting the validation laboratory scan test.