To comply with the Payment Card Industry Data Security Standard (PCI DSS), merchants and service providers are required to have external vulnerability scans performed on their systems every quarter. These scans must be performed by an Approved Scanning Vendor (ASV). But what is an Approved Scanning Vendor, and how does your business select the right one? In this article we answer these questions so that your business gets the most out of these mandatory PCI DSS scans.
First, let’s take a step back and look at the PCI DSS requirements for vulnerability scanning. PCI DSS Requirement 11.2 requires merchants and service providers to perform both internal and external vulnerability scans at least quarterly. Scans must also be performed after any significant change to the network.
For internal scans, the choice is between using a qualified internal staff member and hiring an external third party. If your business chooses to use a staff member, that person must be organizationally independent of the systems being tested; in other words, they cannot also be responsible for securing those systems. Your business may also use an internal staff member to perform the scans that are required after changes are made to the network.
Merchants and service providers have less flexibility when it comes to the quarterly external vulnerability scans. These must be performed by an Approved Scanning Vendor (ASV). An ASV is a third-party solution provider approved by the PCI Security Standards Council (PCI SSC) to perform vulnerability scans of Internet-facing environments for the purpose of validating compliance with PCI DSS requirements.
To become an ASV, a security solution provider must complete a three-part qualification process: the company itself must be qualified, the employees who will perform the scans must be qualified, and the company’s scanning solution must pass security testing. ASVs must be re-approved by the PCI SSC every year. The PCI SSC is careful to note that it does not endorse any particular ASV.
Here are some factors to consider as you choose an ASV:
Qualification as an ASV. Every time you engage a provider, check the list of Approved Scanning Vendors on the PCI SSC website to confirm that the company is still an approved ASV. If the company has not been re-approved, the scanning services you pay for will not satisfy the PCI DSS requirement, even if the scan reports look identical to those of an approved vendor.
Ideally, the ASV you choose will be a partner that you can turn to quarter after quarter for your PCI scans, as well as for general security concerns. After all, the spirit of PCI DSS is not to create another to-do list for you, but to improve your overall security posture. By doing so, you protect both your business and your customers. Contact us to discuss how we can assist you with your PCI needs today.