How To Choose A PCI Approved Scanning Vendor

Lucy Khayat
May 28, 2019

In order to comply with the Payment Card Industry Data Security Standard (PCI DSS), merchants and service providers are required to have external vulnerability scans performed on their systems every quarter. These scans must be performed by an Approved Scanning Vendor (ASV). But what is an Approved Scanning Vendor? How does your business select the correct one? In this article, we answer these questions to help your business get the most out of these mandatory PCI DSS scans.

First, let’s take a step back and look at the PCI DSS requirements for vulnerability scanning. PCI DSS Requirement 11.2 requires that merchants and service providers perform both internal and external vulnerability scans on a quarterly basis. Scans must also be performed when there are changes made to the network.

When it comes to internal scans, the choice is either to use a qualified internal staff member or to hire an external third party. If your business chooses to use a staff member, this person cannot also be responsible for securing the systems that are being tested. Your business could also engage an internal staff member to perform the scans that are required after changes are made to the network.

Merchants and service providers have less flexibility when it comes to quarterly external vulnerability scans. These must be performed by an Approved Scanning Vendor (ASV). An ASV is a third-party solution provider that is approved by the Payment Card Industry Security Standards Council (PCI SSC) to perform vulnerability scans of Internet-facing environments for the purpose of validating compliance with PCI DSS requirements.

To become an ASV, security solution providers must undergo a three-part qualification process: the company itself must be qualified, the employees who will be responsible for performing scans must be qualified, and the company’s scanning solution must be security tested. ASVs must be re-approved by the PCI Security Standards Council every year. The PCI SSC is careful to note that it does not endorse any particular ASV.

Here are some factors to consider as you choose an ASV:

  • Qualification as an ASV. Every time you engage with a provider, check the PCI SSC website to make sure that the company is still a qualified ASV. If the company has failed to become re-approved as an ASV, the scanning services you pay for will not meet the PCI DSS requirement.

  • Cost. The fees associated with an ASV’s scanning services are negotiated between the ASV and the customer. While it makes sense to compare the prices of a couple of different ASVs, don’t forget to consider the value-added services that are included in those prices. For example, does the provider offer dedicated, 24/7 customer support? Are rescans included at no additional cost? Can you rely on the ASV for additional PCI-related services?
  • Experience and accolades. Large companies routinely rely on vulnerability scanning and application security testing outside of any regulatory requirements to ensure that their systems are protected against hackers. Look for an ASV that has a long-standing history delivering these services and is well recognized by analyst firms and other third parties for their work in the area.
  • A well-tuned scan engine. The cost of a vulnerability scan can quickly escalate if your team has to spend valuable time resolving false positives. Ask your prospective ASV about false-positive rates and the processes they have in place to keep scan engines adequately tuned to minimize false positives.
  • Customer-scheduled scans. While the ASV must control and manage the scan solution, the PCI SSC allows customers to remotely start scans (for example, via a web portal), schedule scans and identify the IP addresses to be scanned. These self-service capabilities help you to reduce the impact on business operations. Scheduling quarterly scans also makes it easier to ensure that you remain compliant.
  • A robust scan engine. Quarterly vulnerability scans are about much more than ticking a checkbox on a regulatory requirement. The scan should provide assurance that you are running a secure environment and that vulnerabilities are being remediated. Choose an ASV with robust scan engines that are continually updated to detect the latest vulnerabilities.

Ideally, the ASV you choose will be a partner that you can turn to quarter after quarter for your PCI scans, as well as for general security concerns. After all, the spirit of PCI DSS is not to create another to-do list for you, but to improve your overall security posture. By doing so, you protect both your business and your customers. Contact us to discuss how we can assist you with your PCI needs today.