The process of understanding the entirety of what Payment Card Industry Data Security Standards (PCI DSS) covers is an extremely daunting task for business decision makers. An increasingly important aspect of Payment Card Industry (PCI) compliance has become maintaining compliance with the Approved Scanning Vendor (ASV) requirements notated within PCI DSS. One of the notable requirements that entities must adhere to are those that cover ASV Scans. These vulnerability scans are quite complex in nature and require many man hours of preparation on the vendor and company side to ensure proper consumer payment card protection in the organization’s cardholder environment.
With more focus being drive on how to patch up vulnerabilities to block the threat of data breach and other malicious network attacks, PCI ASV scans are becoming more important to configure in a way that ensures the safety and security of cardholder data and company compliance with PCI DSS standards. In this article, we will provide a comprehensive overview of the PCI ASV scanning requirements, what PCI scanning requirements and ASV must comply with, and which documents and assessments must be completed for the merchant to declare their compliance with PCI DSS.
As more companies began using the then-untapped market that was the internet to allow customers the convenience of purchasing online, businesses began to flow to the solution. Most companies began to leverage the power of the internet to connect their physical payment processing systems wirelessly with their virtual terminals. As consumers began growing more comfortable using their credit cards to make purchases on and offline, many different company security breaches occurred that caused consumers to feel rightfully fearful for their personal identity. The one item that most of these companies overlooked in their quest to take their business online was the security of their network and payment systems. These gaping holes in their network infrastructure spouted vulnerabilities that would take a small army to manually scan.
As the five largest credit card brands (Visa, MasterCard, Discover, American Express, JCB) all witnessed this increase in consumer data theft over the years, they decided to implement the Payment Card Industry Data Security Standard (PCI DSS). The Data Security Standard was an extremely important step in regulating the security of the credit card payment industry for years to come. The process of managing these compliance standards was transferred to the PCI Security Standards Council (SSC) which was founded by those same five credit card brands as an independent body.
Basically, the PCI SSC (“The Council”) sets the standards and establishes the requirements that sellers must adhere to. These requirements cascade into PCI-compliant applications and self-assessment questionnaires (SAQs) which we will cover later in this article. The responsibility for enforcement of these standards and requirements on sellers and organizations that accept credit cards falls on the shoulders of the payment brands themselves.
The twelve (12) specific requirements of PCI DSS cover six (6) goals and aim to maximize cardholder security in relation to payments and to ensure that merchants are educated on how to better secure their data and processes. These requirements cover the process of building and maintaining a secure network, protecting cardholder data while also consistently monitoring networks and testing for vulnerabilities via internal and external penetration and vulnerability scans. The amount of PCI compliance requirements that an organization must adhere to is based on their annual volume of credit card transactions.
Self-Assessment Questionnaire (SAQ)
The last step for an organization to pass before becoming PCI DSS compliant is to pass a vulnerability scan that is performed by an ASV. Before even getting to this point, smaller organizations must complete the appropriate Self-Assessment Questionnaires (SAQs) which allows them to self-evaluate their compliance with PCI DSS. Larger organizations with greater transaction volumes must turn to an ASV to validate that their organization fits the mold of the appropriate SAQ documentation. Multiple versions of the PCI DSS SAQs exist that allow organizations to meet various scenarios. Below is a table that notates which SAQs require annual vulnerability scans by an ASV:
Annual Vulnerability Scan Needed?
|A||Card-not-present merchants (e-Commerce or mail/telephone order)||No|
|B||Brick and mortar or mail/telephone order merchants||No|
|B-IP||Brick and mortar or mail/telephone order merchants||No|
|C-VT||Brick and mortar or mail/telephone order merchants||Yes|
|C||Brick and mortar or mail/telephone order merchants||Yes|
|P2PE||Brick and mortar or mail/telephone order merchants||No|
|D||Merchants and service providers only||Yes|
SAQ’s exist for the sole purpose of assisting merchants and service providers in validating their PCI DSS compliance. If your organization doesn’t choose the right SAQ, it might cause warning lights to ring for The Council and invalidate your compliance entirely. This could spell trouble for your organization as merchants might not want to utilize your payment processing service due to their perception your company might be exposed to greater risk of payment card data breaches in the future.
What is an Approved Scanning Vendor (ASV)?
Can you believe that a staggering 55% of retail executives surveyed recently admitted that they were not planning to invest a single dime in payment processing cybersecurity solutions in the next year? Well, believe it. These are the types of executives that operate under the “if it ain’t broke, don’t fix it” methodology and due to that mindset are effectively painting a bullseye on their cardholder environment for hackers to hone in on. It is for this reason that most of the vulnerability scanning and penetration testing requirements are implemented in PCI DSS version 3.2. Vulnerability scans are documented in various parts of the PCI DSS requirements with Approved Scanning Vendors (ASV) being responsible for validating them. ASVs are approved by the Council to specifically enforce compliance by validating these vulnerability scans of internet-facing environments of either merchants or service providers.
Organizations seeking to become an ASV, must first adhere to the Approved Scanning Vendors (ASVs) Program Guide and register for the testing process. Completing this registration requires that the organization must provide administrative information and technical details via an attestation of compliance (AOC) that adheres to the Qualification Requirements for Approved Scanning Vendors (ASVs) v2.1. Once the Council deems that the organization’s application is up to their standards, they are sent an invoice for the fees that, when paid, allow the ASV to be given a provisional test date.
Once the prospective ASV has returned the signed test agreement, The Council will provide the the prospective ASV with the appropriate information pertaining to the administration process. Once the organization pays the test agreement necessary fees, The Council will confirm the test date. Before the scanning test, a Council representative will test the prospective ASV’s understanding of scanning scope via a telephone conversation. This telephone conversation is used to simulate a real-world consultation call with a client. The physical test requires that the prospective ASV run its tool(s) against The Council’s test Web perimeter for which they will need to remotely and physically scan the test infrastructure. The prospective ASV must identify all vulnerabilities and misconfigurations and report its findings back to The Council.
Following the completion of the test, a Council representative will review and evaluate the prospective ASV’s test performance and reports to either or approve or deny the application. If the prospective ASV’s application were to be denied, they can re-take the test up to three (3) times; needing to pay added re-testing fees for every subsequent test. Applicants that do not pass, are given feedback from The Council representative that oversaw their test to identify their inadequacies which will give them the necessary oversight to correct prior to re-taking the test again. Once an applicant is approved, their company information is added to a database listing on The Council’s website.
PCI ASV Requirements
Once the Council tests an ASV’s scan solution and ensuring that the ASV successfully meets all requirements are they able to perform PCI data security scanning for another organization. Companies that utilize an ASV scan solution for their customers are required to have their entire organization re-qualified by The Council annually. The date of the re-qualification assessment is based on the ASV scanning company’s original qualification date.
Internet-facing hosts of merchants and service providers are required to submit to an ASV vulnerability scan on a quarterly basis. But these quarters don’t align with the Q1, Q2, Q3, Q4 quarters that most businesses adhere to for strategy and planning activities. No, these quarters are based on a 90-day timeframe. Thus, if the first scan is completed on the 15th of March, then the preceding test needs to be finished by June 13th. This example schedule might not mesh too well with your organization as it falls too close to a “natural” Q2/Q3 transition and might cause more issues. It might be best to begin and end your scans in the middle of a business quarter to ensure there are no conflicts with end of quarter activities.
Submitting your scans to an ASV at least 30 days prior to your scheduled submission due date will ensure that the process is smooth and your scan has less chances of being invalidated. Ensure that you have all the appropriate information available for the ASV if they request it to ensure that you don’t miss a deadline and get hit with having to re-do the scan. PCI DSS highlights the specific qualifications that an ASV must adhere to and the requirements that companies must comply with to pass their quarterly ASV scans. Let’s go over key excerpts from requirements 4.3.1 and 11.2.2 in the below subheadings:
This requirement spells out the qualifications for what constitutes a company as an ASV. ASV’s must have a quality assurance (QA) program documented in its Quality Assurance (QA) manual which they must maintain and adhere to always. This QA manual must include the following items:
- Company name
- List of PCI SSC Programs in which the ASV Company participates
- A resource planning policy and process for PCI DSS Assessments
- Descriptions of all job functions and responsibilities within the ASV Company
- Identification of QA manual process owner
- Approval and sign-off processes for PCI SSC Assessments
- Evidence of annual review by the QA manual process owner
- Coverage of all activities relevant to each PCI SSC Program that the ASV operates
- Documentation that shows that personnel have conducted a QA review of assessment procedures performed in accordance with the ASV Company’s Workpaper Retention Policy
The Council calls for all pertinent security policies and operational procedures to be documented, in use, and known to all affected parties to comply with this requirement.
PCI Requirement 11.2.2 calls for all merchants to run internal and external network vulnerability scans at least quarterly and following changes to their network infrastructure to achieve compliance. If scans are unsuccessful, rescans are required until a passing scan is achieved. All quarterly external scans are required to be performed by an ASV while scans that proceed network changes must be carried out by internal company employees. The ASV’s vulnerability scanning solution must be tested and approved by The Council to ensure that it is of the highest possible grade of effectiveness.
During an organization’s annual PCI compliance review, their Council-appointed assessor will need to examine all quarterly ASV scans carried out during that 12-month period for verification purposes. The assessor will review the results of each quarterly scan and verify that the passing scan met all ASV Program Guide requirements and that it was completed by an ASV. The assessor will also look for instances of documented vulnerabilities in each quarterly scan and find out if the organization took the necessary steps to remediate those vulnerabilities.
It was found that phishing campaigns targeted U.S. small businesses 43% of the time, most likely due to the fact that these businesses are not required to have an ASV perform their annual vulnerability scans. The process for becoming an ASV and the requirements that are needed to be PCI DSS compliant are expansive, but the result is altogether beneficial to any merchant that undertakes the process. On the flip side, the process of implementing quarterly ASV scans in your organization can work wonders for lowering phishing campaign risks in your network. Working with an ASV on a quarterly basis can help your organization become more aware of its vulnerabilities and help to remediate any inadequacies that might lead to a data breach in the future. For more information on our cybersecurity solutions, please contact RSI Security today.