Naturally, the first question regarding ASV scanning is: what does ASV stand for? ASV stands for Approved Scanning Vendor. If you are a business whose work involves debit or credit cards, it’s crucial and a PCI requirement for you. “Involves” covers more than just merchants who must submit to ASV scanning. Everyone from acquirers (banks) to issuers, processors and even service providers must undergo ASV scanning. That’s because all of these entities must be PCI-DSS compliant; we’ll get to that in a second.
Your organization’s network perimeter needs to be scanned for vulnerabilities frequently to ensure that hackers aren’t given a free run to attack your web applications whenever they please. Not to scare you or anything, but ransomware damage costs exceeded $5 billion last year, which represents a 15-fold increase over 2015 costs. Complying with Payment Card Industry Data Security Standards (PCI DSS) will keep your company from this tumultuous future of data breaches, but only if you stay on top of conducting your external vulnerability scans. The trouble with complying with PCI DSS is that most merchants that process, store or transmit cardholder data are unsure how to go about the process and when to run the appropriate tests and scans.
Choosing an approved scanning vendor (ASV) is an important consideration for organizations looking to achieve or maintain compliance with the Payment Card Industry (PCI) requirements. The requirements set forth in the PCI Data Security Standards (PCI DSS) are intended to provide end-to-end security for cardholder data. A central component of the PCI DSS is the requirement for entities covered by the PCI DSS to have regular external scans of their networks and systems. As such, PCI approved scanning vendors occupy a central role in ensuring that organizations covered by PCI DSS achieve and maintain compliance with these requirements over time.
Understanding the entirety of what Payment Card Industry Data Security Standards (PCI DSS) covers is an extremely daunting task for business decision makers. Maintaining compliance with the Approved Scanning Vendor (ASV) requirements set out in PCI DSS has become an increasingly important aspect of Payment Card Industry (PCI) compliance. Among the notable requirements that entities must adhere to are those that cover ASV scans. These vulnerability scans are quite complex in nature and require many man hours of preparation on the vendor and company side to ensure proper consumer payment card protection in the organization’s cardholder environment.
You have determined that you need vulnerability scanning from an approved scanning vendor (ASV), probably because you need to maintain or establish PCI compliance. Most businesses require at least quarterly scanning. You have done your research, selected a vendor, verified they are approved on the PCI website, and are ready to get started. There are several parties involved in this process, from the Card Brands to the merchant and the ASV. We will discuss the responsibilities of each.