Making the choice for an approved scanning vendor (ASV) is an important consideration for organizations looking to achieve or maintain compliance with the Payment Card Industry (PCI) requirements. The requirements set forth in the PCI Data Security Standards (PCI DSS) are intended to provide end-to-end security for cardholder data. A central component of the PCI DSS is the requirement for entities covered by the PCI DSS to have regular external scans of their networks and systems. As such, PCI approved scanning vendors occupy a central role in ensuring that organizations covered by PCI DSS achieve and maintain compliance advisory services with these requirements over time.
Understanding the importance of choosing the right ASV requires first understanding what PCI DSS is, what the requirements of PCI DSS are, and how a scanning vendor fits into the PCI DSS requirements. Choosing an ASV is more important than you might think. While many information security companies offer external and internal scanning services, not all of these companies are considered an ASV. Choosing the right ASV can bring enhanced security to your organization’s data and systems, while choosing the wrong scanning vendor can result in non-compliance.
What is PCI DSS?
The Payment Card Industry Data Security Standards are a set of requirements put forth by the payment card industry. These requirements were created to standardize security practices across industries and organizations. The primary goal of PCI DSS standards is to protect cardholder data from unwarranted or unwanted access. Read more in our related blog to learn about the differences between PCI DSS and EI3PA requirements.
The PCI DSS standards were created and maintained by the PCI Security Standards Council, which was formed in 2006 by the five major payment card brands used around the world. The five founding council members are Visa, Mastercard, American Express, Discover, and JCB International.
Who Must Comply With PCI DSS?
PCI DSS requirements apply to a wide range of organizations that span industries. All entities that deal with, transmit, or store cardholder data must comply with PCI DSS standards. Since the five members of the PCI Security Standards Council, often referred to simply as the “Council”, encompass the most popular payment card brands in the world, PCI DSS standards apply to nearly any organization that handles, stores, or transmits cardholder data across their networks or systems.
What are PCI DSS Requirements?
There are a number of requirements set forth in the PCI DSS that businesses and support entities must comply with. Understanding these requirements is beneficial when assessing the need to choose approved scanning vendors. Here, we’ll provide a brief overview of PCI DSS requirements. A more in-depth analysis of PCI DSS standards can be found here. There are six objectives of the PCI DSS, with 12 standards that each in-scope entity must comply with.
Protect Cardholder Data
The primary objective of PCI DSS requirements are to protect cardholder data. A component of this is to limit how and when cardholder data is stored, and to comprehensively assess the security of how cardholder data is interacted with.
Build and Maintain a Secure Network
PCI DSS requires in-scope entities to build a secure network and maintain the security of that network over time. This includes implementing a firewall and changing passwords from default settings.
Maintain a Vulnerability Management Program
In-scope entities must develop and maintain a vulnerability management program under PCI DSS requirements. This includes the requirement to use and update anti-virus programs and to continually maintain strong network and application security.
Implement Strong Access Control Measures
The PCI DSS sets forth requirements for in-scope entities to limit access to sensitive cardholder data. This includes limiting physical access to data, ensuring that each individual with access to data can be uniquely identified, and limiting access to cardholder data from related businesses and outside entities.
Regularly Monitor and Test Networks
In-scope entities must ensure that they monitor network traffic and access to cardholder data. A central component of this objective is the requirement to regularly conduct external scans of an organization’s network to ensure compliance is maintained.
Maintain an Information Security Policy
In-scope entities must develop a comprehensive information security policy that allows them to continually assess, remediate, and reassess their network and cyber asset security. This includes developing clear policies and procedures that ensure data security, developing a security awareness training program for all employees, and screening new hires to minimize the chances of an internal threat to cardholder data.
PCI DSS Requirement 11 and You
The PCI DSS requirement 11 outlines scanning standards that must be met in order to achieve or maintain compliance. These include requirements for regularly scanning wireless networks, conducting internal and external penetration testing of networks, remediating vulnerabilities found on networks, and deploying systems to detect intrusion or changes. Requirement 11.2 deals with conducting regular external and internal testing on networks and systems, and is where the use of an Approved Scanning Vendor is mandated.
The PCI DSS requirement 11.2.2 specifically outlines the requirement for in-scope entities to have an external vulnerability scan done at least once a quarter. This external vulnerability scan must be conducted by an Approved Scanning Vendor. This sometimes leads to confusion for in-scope entities due to the fact that requirement 11.2.1 requires quarterly internal scans to be conducted, however these scans can be done by the organization themselves. If an employee conducts the internal scan, they must meet certain qualifications. The quarterly external vulnerability scan, on the other hand, can only be conducted by a third-party security provider that has been designated an Approved Scanning Vendor by the PCI Security Standards Council.
Approved Scanning Vendors
Due to the fact that organizations considered in-scope for PCI DSS must use an ASV to conduct external quarterly scans, it is worthwhile to understand exactly what an ASV is. An “Approved Scanning Vendor” is an outside organization that has a suite of tools and capabilities, also referred to as a scan solution, to scan an organization’s network and systems in accordance with PCI DSS standards. In order for a security provider to be designated an ASV, the scan solution that the security provider utilizes must be validated by an ASV Validation Lab in order to ensure that they meet the stringent requirements for PCI DSS. An ASV Validation Lab will utilize the security company’s scan solution in a testing environment to verify it’s ability to detect, identify, and report vulnerabilities.
The scanning process highlights the need to select the right ASV for your company. During the scanning process the client and ASV must work closely together, making it important to choose an ASV that is responsive and communicative. Both the ASV and client have a number of responsibilities throughout the scanning process, as set forth by PCI SSC guidance. The responsibilities of the ASV include conducting the scan in accordance with PCI DSS 11.2.2 requirements without penetrating or altering the client’s systems, as well as without disrupting the client’s normal operations.
The scanning process is relatively straightforward. The client provides a list of all devices, IP addresses, and components that are considered in-scope for the scan to the ASV. The ASV then scans all of these components and domains for vulnerabilities, ensuring that no systems are altered in the process. If the scan turns up components outside of those provided by the client, the ASV will work with the client to determine whether those components should be considered in-scope. At the conclusion of the scan, the ASV will compile the results of the scan into a report and make a conclusion regarding their findings.
The client does have some responsibilities during the quarterly external scan required by PCI DSS. These include providing a list of domains to the ASV, and ensuring that their systems do not interfere with the scan itself. According to guidance from the PCI SSC, the client should be mindful of security concerns when choosing an ASV to conduct a scan. Organizations should include checks of the qualifications of any ASV they work with into their selection process. This includes determining whether the ASV has the levels of experience and skills necessary to meet the client’s requirements. It is also essential to choose an ASV that you trust. PCI guidance encourages organizations that have quarterly external scanning done to monitor their networks and systems during the test to validate that the ASV is conducting the test according to the agreed scope.
Should the scan turn up any vulnerabilities, the scan client will need to correct those vulnerabilities and then work with the ASV to perform a re-scan. This again highlights the importance of working with an ASV that is responsive throughout the process. Clear communication during the scanning process can help both the ASV and client avoid false positives, ensure the scan runs smoothly, and more quickly complete the scanning process.
One last thing to keep in mind when assessing approved scanning vendors is whether they are in remediation or not. An ASV can be placed in remediation status for a number of reasons, including if they have received poor feedback, if their scanning solution has failed the annual ASV Validation Lab test, if they failed to pay their annual registration fees, or if they failed to meet continuing training and education requirements. If an ASV has been designated as in remediation, their name and contact information will appear in red on the PCI ASV search portal. Once an ASV has been placed in remediation status, they have 90 days to address the issue or they are removed from the list of approved scanning vendors. Because the relationship between client and ASV is one that is ongoing, it is important to be mindful of the remediation status of a potential ASV. While remediation status could be the result of something as benign as a late registration payment, it is more often indicative of a failure to meet the standards set forth by the PCI SSC. For more detailed information about remediation status for ASV’s, see section 5.3 of the Qualifications for Approved Scanning Vendors.
Planning for the Future
PCI DSS standards aren’t going anywhere anytime soon. The reality is that over time, the security needs of organizations are going to continue to undergo significant shifts as the threats facing them change. Protecting cardholder data will continue to be a primary concern for organizations that store, transmit, or process payment card transactions. PCI DSS standards for quarterly scanning reinforce the need to choose an ASV that understands your security needs, and will be able to adapt to growth and change in those security needs over time. ASV’s that have also been designated a Qualified Security Assessor (QSA) are intimately aware of the security needs necessary to maintain PCI DSS compliance. Read our blog about what a QSA is, and how an organization gains QSA designation to better understand.
Not only must an ASV be able to grow with your company, but you should also seek out the most qualified ASV you can find. Just as the threats facing your organization are dynamic, changing, and growing, so too must an ASV’s detection tools adapt over time. Although the scanning solutions of all ASV’s are tested and approved by the ASV Validation Lab, some are more effective than others. Choosing a well qualified ASV is essential to ensure that any system’s security vulnerabilities are identified through a vulnerability assessment. Since an ASV can be placed in remediation status for a failure to pass the annual ASV Validation Lab recertification, in order to ensure that your scan is comprehensive and up-to-date it is best to avoid ASV’s that are in remediation status, and instead use those that have certification.
Choosing the right Approved Scanning Vendor for your company does require some work on your part. Ultimately, your due diligence during the selection phase for the best cybersecurity solutions provider will ensure that you choose an ASV that can grow with your security needs, understands your security concerns, and can continue to service and work with you for years to come.