There are four critical factors that should guide your search for a PCI ASV:
- Understanding why you should seek guidance and work with an ASV
- Knowing where to look for an ASV—namely, the PCI ASV list
- Identifying what qualities make an ASV the right fit for you
- Considering other elements of compliance and governance
Factor #1: Why You Need an ASV
The Payment Card Industry Security Standards Council (PCI SSC) governs all elements of PCI compliance across its various standards. That includes vetting the assessors and service providers that organizations can rely on to validate their compliance. Enter Approved Scanning Vendors (ASVs), who facilitate compliance with the Data Security Standard (DSS).
The DSS is the most comprehensive and widely applicable standard overseen by the SSC. It applies to most organizations that process card payments or otherwise come into contact with cardholder data (CHD). One of the core pillars of the DSS, Requirement 11, calls for regular testing of the security of systems and networks. Some of that testing, specifically Requirement 11.3.2 (Requirement 11.2.2 in v3.2.1), explicitly requires that external vulnerability scans be performed at least once every three months by an ASV, with rescans as needed until a passing scan is achieved.
In short: you need an ASV to meet your PCI vulnerability scan requirements.
While certain organizations may qualify to validate their overall PCI DSS compliance through a Self-Assessment Questionnaire, this requirement always involves a third party: the external scan must be performed by a vendor on the SSC's approved list, not by your own staff or an unlisted consultant. Other parts of Requirement 11, such as the internal vulnerability scans in 11.3.1, do not require an ASV and may be performed by qualified internal personnel, but engaging an ASV for them as well is one of the simplest ways to demonstrate the organizational independence those requirements expect of the tester.
Factor #2: Where to Look for an ASV
This is the simplest factor, though the ease of finding an ASV belies the rigor behind the list. The SSC maintains the PCI ASV list, where every currently approved ASV can be found. The searchable index also includes each vendor's contact information, the regions it serves, the name of its specific scanning tool(s), and the certificate number proving its approval.
Part of why the SSC can make finding an ASV so easy is that becoming one is anything but. The SSC's document library provides the ASV Program Guide, updated for DSS 4.0, along with the Qualification Requirements and the Requalification Policy (active as of August 1, 2023). The SSC is rigorous in its vetting and annual (re)qualification processes, which is why organizations can trust ASVs, and the ASV list, as the authoritative source.
However, the PCI ASV list is hardly the only place you can look for your vendor. Many managed security service providers (MSSPs) include ASV and other scanning options in their offerings, and you may be able to find a bundled package that covers more ground more efficiently. One check still applies: the external scans themselves must be run by a listed ASV, so confirm that the MSSP is on the list itself or that it delivers the scans through a partner that is.
Factor #3: What to Look for in an ASV
Not all PCI ASV scans are created equal. When browsing the ASV list or other repository, you should look for a vendor that best meets your specific needs. The top criteria to consider are:
- Capacity – A vendor's bandwidth and technical wherewithal to scan all of your in-scope, externally facing systems comprehensively and efficiently, including both the duration of the engagement and its cost.
- Availability – Closely related to capacity, this is about responsiveness: support hours, turnaround on rescans and attestations, and the ability to communicate live, in person or over voice/video, when findings need to be triaged or a suspected false positive needs to be disputed.
- Delivery model – The PCI ASV list includes both service providers and individual ASV tools or toolkits. Your organization may require a hands-on, managed service, or a self-serve scanning product might work just as well.
- Flexibility – A measure of a vendor's ability to accommodate needs specific to your existing systems. Certain MSSPs prefer a rigid, uniform structure with little room for customization, while others are happy to cater to you.
Critically, what these criteria look like will differ in practice depending on the organization. If your organization has a relatively complex tech stack featuring niche or bespoke software, flexibility becomes an element of capacity. Likewise, if your in-scope systems and personnel include various time zones, your availability needs might be more complex than a small local firm’s.
Factor #4: Other Compliance Considerations
One of the biggest elements of the flexibility you should be looking for when shopping for an ASV is their ability and willingness to consider your broader compliance context. In many cases, organizations subject to the PCI DSS are also subject to other regulations that have overlapping controls and requirements. A quality ASV should be sensitive to this—and help you streamline.
For example, within the PCI SSC’s governance, the Software Security Framework (SSF) applies to organizations that develop and sell payment software. The SSF is heavily influenced by and shares many core concepts with the DSS, but it requires distinct assessment for compliance.
And, outside the PCI ecosystem, there are regulations that apply based on the location of your business and/or the individuals whose data it processes. If you process the personal data of individuals in the European Union, you are likely subject to the General Data Protection Regulation (GDPR). If you come into contact with California residents' personal information, the California Consumer Privacy Act (CCPA) may apply.
The best ASVs will work with you to develop vulnerability and other scanning processes that cover as much regulatory ground as possible, optimizing your overall compliance journey.
Find an Approved Scanning Vendor Today
RSI Security is a PCI-listed ASV that has helped countless organizations achieve and maintain DSS compliance. We are committed to working closely with your internal teams to strategize and implement a scanning program that fits your specific needs and means. We know that doing it the right way is the only way to keep CHD secure and ensure long-term compliance.
To learn more about ASV scans and PCI DSS compliance, contact RSI Security today!