You have determined that you need vulnerability scanning from an approved scanning vendor (ASV), probably because you need to maintain or establish PCI compliance. Most businesses require at least quarterly scanning. You have done your research and selected a vendor, verified they are approved on the PCI website and are ready to get started. There are several parties involved in this process from the Card Brands to the merchant and the ASV. We will discuss the responsibilities of each.
Before going in depth on the responsibilities of each part of the process, it is worth understanding the basic structure of the Payment Card Industry.
Basics Terminology and Processes
There are 5 major Payment Brands:
- American Express
- JBL International
PCI-SSC – The Payment Card Industry – Security Standards Council is made up of members from these 5 companies. Their job is to develop and maintain the standards that cover the many aspects of PCI including payment devices, applications, infrastructure, and users. Among other things, they publish and maintain the Payment Card Industry – Data Security Standards or PCI-DSS.
PCI-DSS is the set of documents that outline the requirements for securing Card Holder Data (CHD) including the ASV scanning requirements.
The Issuer is the bank or other entity that issued the payment card to the cardholder.
The Acquirer is the bank that is contractually obligated to handle the merchant’s card transactions.
Payment Processing – When a payment card is processed, that payment goes through 3 steps:
- Authorization – The cardholder makes a payment with their card, the merchant requests the charge from the card issuer, through the merchant’s processor and the acquirer.
- Clearing – At the end of the day the processor, the acquirer, and the cardholder’s bank compare transactions for the day and all records are reconciled.
- Settlement – The cardholder’s bank sends payment to the processor who sends payment to the acquirer who pays the merchant. The cardholder’s bank bills the cardholder.
Merchant Level is based on the annual number of transactions by card brand. Your merchant level determines what compliance validation procedures and reporting DSS requirements you will be expected to satisfy. Your merchant level is assigned by the acquiring bank. For instance, if you process between 50,000 and 1,000,000 Mastercard transactions, you would be a Level 3 merchant. However, the acquirers have the right to assign any merchant level they want, particularly if they perceive a high threat to your network. Often, merchants that have had their network compromised (in other words, they got hacked) will be immediately moved to Level 1 merchant which has the highest data security requirements. Level 1 merchants are required to bring in an independent security assessor to perform their annual assessment and complete the full 194-page checklist known as the Report on Compliance or RoC.
The Report on Compliance (RoC) is a comprehensive checklist that covers all aspects of your adherence to the PCI-DSS. All Level 1 merchants and some 2 and 3 merchants must have one completed annually by a Qualified Security Assessor (QSA). When complete it will contain detailed information about your network including mapping and protocols, your data flow including CHD and other data, personnel interviews, and your adherence or failure to adhere to the following 12 requirements:
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Stored Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes (This is where the ASV requirement comes from)
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
The Self-Assessment Questionnaire or SAQ is the alternative to the RoC. There are many different types of SAQ depending on the type of card processing you do. For example, a business running an ecommerce website would have a different SAQ than a business that does “card present” transactions only. The type of SAQ you are required to complete should be assigned by the merchants acquiring the bank. Most SAQs also have that annual ASV scan requirement.
The Approved Scanning Vendor or ASV is a company that has undergone the rigorous process of approval by the PCI-SSC to perform vulnerability assessment scans or “VA scans” for PCI-DSS purposes.
Each entity involved has certain responsibilities regarding ASV scans.
The card brands provide the Payment Brand Network which all payment cards require to function. They also provide the members of the PCI-SSC. Visa and Mastercard never issue cards directly. They allow banks and other organizations (issuers) to issue cards with their logos on them. American Express, Discover, and JCB International will issue cards and may also act as the acquirer. In addition, they are responsible for:
- Development and enforcement of their own compliance program
- Fines and penalties for non-compliance
- Forensic investigations in case of data breaches
PCI SSC maintains the PCI DSS and related PCI standards, including the PA-DSS. In relation to the ASV program, PCI SSC:
- Approves and trains ASVs to perform PCI DSS external vulnerability scans in accordance with PCI Data Security Standard and the PCI DSS Security Scanning Vendor Testing and Approval Processes, and qualifies, trains, and lists Approved Scanning Vendors on the Website
- Maintains and updates PCI DSS and related documentation according to a standards lifecycle management process
- Maintains a quality assurance program for ASVs
- Processes payment card transactions for merchants
- Assigns merchant level 1, 2, 3, or 4 to their members
- Ensures merchant compliance with the Data Security Standards (PCI-DSS)
Approved Scan Vendor
An ASV is an organization with a set of security services and tools (“ASV scan solution”) to validate adherence to the external scanning requirement of PCI DSS Requirement 11.2 .2. The scanning vendor’s ASV scan solution is tested and approved by PCI SSC before an ASV is added to PCI SSC’s List of Approved Scanning Vendors.
ASVs are responsible for the following:
- Performing external vulnerability scans in accordance with PCI DSS compliance Requirement 11.2 .2, and in accordance with the ASV Program Guide and other supplemental guidance published by the PCI SSC
- Maintaining security and integrity of systems and tools used to perform scans
- Making reasonable efforts to ensure scans:
- Do not impact the normal operation of the scan customer environment
- Do not penetrate or intentionally alter the customer environment
- Scanning all IP ranges and domains provided by scan customer to identify active IP addresses and services
- Consulting with the scan customer to determine if IP addresses found, but not provided by the scan customer, should be included
- Providing a determination as to whether the scan customer’s components have met the scanning requirement
- Providing adequate documentation within the scan report to demonstrate the compliance or non -compliance of the scan customer’s components with the scanning requirements
- Submitting the ASV Scan Report Attestation of Scan Compliance cover sheet (called hereafter Attestation of Scan Compliance) and the scan report in accordance with the acquirer or payment brand instructions
- Including the required scan customer and ASV company attestations in the scan report as required by the ASV Program Guide
- Retaining scan reports and related work products for 2 years, as required by the Validation Requirements for Approved Scanning Vendors
- Providing the scan customer with a means for disputing findings in the scan report
- Maintaining an internal quality assurance process for ASV efforts in accordance with the ASV Program Guide and other supplemental guidance published by the PCI SSC
Scan customers are responsible for the following:
- Maintaining compliance with the PCI DSS at all times, which includes properly maintaining the security of their Internet-facing systems
- Selecting an ASV from the list of Approved Scanning Vendors from the Council’s website to conduct quarterly external vulnerability scanning according to PCI DSS Requirement 11.2.2 and the ASV Program Guide
- Perform due diligence in the ASV selection process, per the scan customer’s due-diligence processes, to obtain assurance as to the ASV’s level of trust to perform scanning services to the degree deemed appropriate by the scan customer, monitor Internet-facing systems, active protection systems, and network traffic during the scan, to assure an acceptable level of trust is maintained
- Defining the scope of external vulnerability scanning, which includes:
- Providing the IP addresses and/or domain names of all Internet-facing systems to the ASV so the ASV can conduct a full scan
- Implementing proper network segmentation for any excluded external-facing IP Addresses
- Ensuring that devices do not interfere with the ASV scan, including:
- Configuring active protection systems so they do not interfere with the ASV’s scan, as required by the ASV Program Guide.
- Coordinating with the ASV if the scan customer has load balancers in use. See the section entitled Account for Load Balancers.
- Coordinating with the scan customer’s Internet service provider (ISP) and/or hosting providers to allow ASV scans.
- Attesting to proper scoping and network segmentation (if IP addresses are excluded from scan scope) within the ASV solution
- Providing sufficient documentation to the ASV to aid the ASV’s investigation and resolution of disputed findings, such as suspected false positives, and providing related attestation within an ASV solution
- Reviewing the scan report and correcting any noted vulnerabilities that result in a non -compliant scan
- Arranging with ASV to re-scan any non-compliant systems to verify that all high severity and medium severity vulnerabilities have been resolved, to obtain a passing quarterly scan
- Submitting the completed ASV scan report to the scan customer’s acquirer or payment brands, as directed by the payment brands
- Providing feedback on ASV performance in accordance with the ASV Feedback Form
Putting it all together
Clearly, there is a lot more to ASV than paying a vendor to perform a service. There is a tremendous amount of communication involved. Network engineers and administrators need to be familiar with their networks and the PCI rules. ASV companies need to be prepared to walk the merchant through this process to ensure a proper scan and to ease the potential remediation in the event there are vulnerabilities that prevent a passing scan. In addition, false positives can be a problem that causes delay. Good communication between a merchant and their ASV can minimize these delays.
The main points to remember are:
- Ensure you are working with an approved scanning vendor listed on the PCI website
- The ASV scan is for your data’s protection; respect the process
- Have accurate and updated network maps available for your ASV
- Don’t try to hide portions of your network
- Arrange your first ASV well in advance. Later scans will be easier since parameters won’t change much between scans
- Communicate early and often with your ASV
While the first time or two can be a little painful, it gets easier and as a bonus, you gain confidence in your network’s security. For any further questions about cybersecurity solutions, contact the experts at RSI Security. Stay Secure!