If your organization is seeking PCI certification, you’ll need to conduct PCI compliance scans using a PCI ASV. Officially certified scanning vendors are required for one specific part of the DSS, but advisor organizations offering ASV tools can optimize all elements of implementation.
Why ASVs are Necessary for PCI Compliance
Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) requires engaging an Approved Scanning Vendor (ASV) for PCI DSS vulnerability scanning. However, one-off scans are far from the only benefit that working with a quality ASV partner offers.
The full scope of PCI ASVs and their relationship to DSS compliance includes:
- What ASVs are, how they’re approved, and how to find an ASV partner
- What particular parts of PCI DSS compliance require you to use an ASV
- How working with an ASV or advisor can help with overall DSS deployment
- How to achieve certification and maintain your PCI DSS compliance long-term
Without an ASV, PCI compliance isn’t possible. But ASVs are more than a bare necessity; as you prepare for PCI DSS compliance, an ASV can optimize every element of your journey.
What is an Approved Scanning Vendor?
The PCI Security Standards Council (SSC) governs several compliance frameworks aimed at securing payment infrastructure from multiple angles. The DSS in particular applies to almost all organizations that process credit card transactions and cardholder data (CHD). ASVs play a critical role in securing CHD by providing vulnerability scans to ensure protections are in place.
Definitionally speaking, ASVs are vendors of security services, typically managed security service providers (MSSPs). There are also ASV tools, which are mechanisms developed and sold as one-off or ongoing packages by ASVs. All ASVs register with the SSC and undergo a rigorous qualification program, which has recently been updated to account for PCI DSS 4.0.
Comprehensive information about the process is available in the SSC’s program guide.
Once a vendor is qualified as an ASV, they are indexed in the searchable PCI ASV list, where compliance seekers can see information about vendors, their locations, and more at a glance.
PCI Compliance Scan Requirements
Complying with the DSS means implementing controls to meet the specifications of its 12 Requirements, each of which breaks down into several sub-requirements. Scanning falls into the province of Requirement 11, which mandates regular testing of systems and networks.
Requirement 11 breaks down into six distinct sub-requirements:
- 11.1 – Disseminating clear processes for testing systems and networks regularly
- 11.2 – Monitoring wireless access points and addressing unauthorized access points
- 11.3 – Identifying, prioritizing, and addressing external and internal vulnerabilities
- 11.4 – Performing and acting upon regular internal and external penetration testing
- 11.5 – Detecting and responding to network intrusions and unexpected file changes
- 11.6 – Detecting and responding to unauthorized changes on payment pages
An ASV can help your organization meet all of these sub-requirements—and many others (see below). However, using one is explicitly required only for Requirement 11.3.
Understanding PCI DSS Requirement 11.3.2
Not all PCI scans for Requirement 11 mandate the use of an ASV. Those that do are in 11.3, and even there, only one specific sub-sub-requirement explicitly calls for an ASV. For context, Requirement 11.3 breaks down into the following distinct parts, all involving vulnerability scans:
- 11.3.1 – Performing internal vulnerability scans through qualified independent personnel (not necessarily ASV) to resolve critical vulnerabilities, at least once every three months.
  - 11.3.1.1: Prioritize and address all other vulnerabilities and rescan as necessary.
  - 11.3.1.2: Document issues with authentication throughout the scanning process.
  - 11.3.1.3: Perform independent internal scans after significant changes or events.
- 11.3.2 – Performing external vulnerability scans either through an ASV or using ASV tools, and per ASV Program Guide specifications, at least once every three months.
  - 11.3.2.1: Perform independent external scans after significant changes or events.
The specifications within 11.3.1 state multiple times that those particular scans do not need to be conducted by an ASV. However, they do still need to meet certain standards for institutional independence. And working with an ASV is one of the best and easiest ways to ensure that.
Optimizing Your Overall PCI Implementation
As noted above, PCI DSS vulnerability scanning is not the only area where ASVs can provide value. Many ASVs offer broader suites of compliance implementation and governance services.
To begin with, many ASVs can step in as overall security program advisors, suggesting plans for resource and responsibility allotment, awareness and training programs, and other elements of top-down governance that are necessary for long-term compliance. With respect to scanning, this also includes gap and preparatory assessments before any official reporting is needed.
Many MSSPs that provide ASV services also have the capacity to assist in cybersecurity infrastructure implementation. They can help you install the actual controls needed to meet the 12 DSS Requirements—and minimize overlap with other applicable compliance frameworks.
The ideal ASV partner is one who serves as a more comprehensive PCI DSS advisor. Working together, you can plan a strategy for implementing controls to meet DSS and other regulatory needs. And, depending on the context, an ASV might be able to help you get officially certified.
Achieving and Maintaining PCI Compliance
Working with an ASV partner is the only way to satisfy your vulnerability scanning requirements, but these aren’t the only scans or tests necessary for compliance. You’ll also need to perform an annual, system-wide assessment that proves you’ve met all 12 DSS Requirements. Depending on the scope of CHD handled, you may be able to self-assess; otherwise, you’ll need to use another kind of third-party service provider: a Qualified Security Assessor (QSA), also listed by the SSC.
What kind of documentation you need depends on the PCI stakeholder overseeing your case (i.e., Visa, Mastercard, Discover, etc.) and your annual transaction or CHD-processing volume.
In general, organizations with more annual transactions need the more strenuous Report on Compliance (ROC) form, which always requires working with a QSA. Those with fewer annual transactions may be able to submit a Self-Assessment Questionnaire (SAQ). However, the SAQ may need to be paired with an Attestation of Compliance (AOC), which also requires a QSA.
The protocols also differ slightly between PCI stakeholders. For example, Visa’s PCI Levels are:
- Visa Level 1 – Merchants processing over six million Visa transactions across channels or defined as Level 1 by any other PCI stakeholder must submit ROC and AOC forms.
- Visa Level 2 – Merchants processing between one and six million Visa transactions across channels must submit the SAQ form alongside an AOC form (signed by a QSA).
- Visa Level 3 – Merchants processing between 20,000 and one million Visa e-commerce transactions must submit the SAQ form alongside an AOC form (signed by a QSA).
- Visa Level 4 – Merchants processing fewer than 20,000 annual Visa e-commerce transactions or up to one million overall Visa transactions require just an SAQ.
Mastercard’s PCI Levels are similar, but they drop the AOC requirement for Levels 2, 3, and 4.
If you need a QSA, be aware that many quality ASVs are also QSAs, so working with a single organization might be possible. And, even if you’re eligible to self-assess, an ASV can help.
Streamline Your Compliance Scans Today
Working with a PCI ASV is not optional if your organization is seeking PCI compliance; it’s mandatory. However, it can also be beneficial, especially when working with the best ASVs.
RSI Security is an ASV, QSA, and broader PCI advisor. We’ve helped countless organizations through every part of the PCI compliance process. We believe that discipline now unlocks greater flexibility and freedom later, and we’ll help you rethink your cyberdefense accordingly.
To learn more about our PCI compliance scan services, contact RSI Security today!