External security vulnerabilities can happen at any merchant level. The PCI Security Standards Council requires companies at all merchant levels to have regular network scans in order to detect possible vulnerabilities before hackers do. These scans are conducted by a PCI certified Approved Scanning Vendor. The following sections will describe what an ASV is and how they work to help companies achieve PCI compliance.
What is an Approved Scanning Vendor?
An Approved Scanning Vendor, often known simply as an ASV, is an organization that uses a set of data security services and tools to determine if a company is compliant with PCI DSS external scanning requirements. ASVs perform an external vulnerability scan of an organization’s network or website from the outside looking inward. In addition to determining if it is PCI compliant, these scans from service providers can provide insight into any data security changes that need to be made.
ASV Company Qualifications
In order for a company to be approved by the PCI SSC to perform scans and check security standards, they must first become a legal entity and fulfill all requirements to conduct business. Next, they have to go through a registration process with the PCI SSC. The process consists of reviewing the ASVs program guide, register for the testing, and provide administrative information and technical details by submitting an attestation of compliance. The application is reviewed by the Council and either accepted or denied for testing. The prospective ASV is granted a test date once payment is received by the Council. All program fees can be found here.
The next step is test preparation and the test itself. Preparation includes contact with the PCI SSC about the test structure and a Council representative will, via telephone, test the prospective ASV’s ability to ascertain the scope of scanning by simulating a client engagement. The actual ASV scanning test will pit the perspective vendors tools against the Councils test web perimeter. The results of that scan (including any vulnerabilities and misconfigurations discovered) are submitted to the Council. Further evaluation of this scan is conducted as well as another simulated client engagement phone call through the scanning services.
Finally, the Council will conclude its assessment and either accept or deny the vendor based on the results of the test. If accepted, the vendor is added to the list of approved vendors on the PCI SSC website. All companies on this list go through retesting on an annual basis in order to maintain their ASV status. If a company is denied they can reapply for another crack at the ASV scan. Three attempts can be made, after that a company may be subject to a waiting period before being able to test again. Keep in mind each attempt comes with a testing fee.
First and foremost their responsibility is to make sure all scans are performed in accordance with PCI DSS requirement 11.2.2. Secondly they are to ensure that their AVS scan solution (umbrella for all systems and tools used to perform scans) is maintained in terms of security and integrity for their merchants. According to the PCI SSC they must also ensure that their scanning process adheres to the following:
- Do not impact the normal operation of the scan customer environment.
- Do not penetrate or intentionally alter the scan customer environment.
- Scanning all IP address ranges, domains, components, etc. provided by the scan customer to identify active components and services.
- Consulting with the scan customer to determine whether components found, but not provided by the scan customer, should be included in the scope of the scan.
- Providing a determination as to whether the scan customers components have met the scanning requirements.
- Providing adequate documentation within the scan report to demonstrate the compliance or non-compliance of the scan customers components with the external vulnerability scanning requirements.
- Submitting (to the scan customer) the ASV Scan Report Attestation of Scan Compliance cover sheet (an Attestation of Scan Compliance) and the scan report in accordance with the instructions of the scan customers acquirer(s) and/or Participating Payment Brand(s).
- Including required scan customer and ASV Company attestations in the scan report in accordance with this document and applicable ASV Program requirements.
- Retaining scan reports and related work papers and work product for three (3) years, as required by the ASV Qualification Requirements.
- Providing the scan customer with a means for disputing findings of scan reports.
- Maintaining an internal quality assurance process for its ASV Program-related efforts in accordance with this document and applicable ASV Program requirements.
Choosing the Right ASV
There are a few things to consider when choosing the right ASV to perform scans for your company. Some ASVs have better scanning services than others, in some cases that means that some are better than others at reducing false positives that can appear. It can take time and money to weed out the false positives from a scan. A good approved scanning vendor has an ongoing system for tuning scan engines to produce accurate results without bogging down your system with inaccurate results.
The right ASV for merchants will fit their needs. When researching ASV companies, it is important to examine what each service provider can offer and whether or not those services are adequate for your security needs, such as whether they offer additional managed security services or not. It can be helpful to investigate their history and how successful they have been with their scans in the past. It can also be helpful to know about the experience of their staff. Having experience behind a vulnerability scan is important to getting the best recommendations about your unique and individual network environments.
New vulnerabilities are common and so it is up to each company to decide if they want to perform scans more than just the recommended quarterly intervals. Some ASVs will charge for each scan and rescan, however there are companies that will rescan at no cost. It is possible to find an ASV that provides more services than just the exterior vulnerability scans. Some will offer more rounded services that extend further to ensure accurate compliance and comprehensive security.
Finally, it is essential to know if an ASV is currently in remediation. If they are in remediation it means that the company has not met all of the current ASV Qualification Requirements. PCI SSC will flag a company in remediation by listing their company name and email in red text. They will be listed along with all other ASV companies, but only for a certain amount of time. If they remain in remediation for too long, they will be removed from the list. PCI SSC recommends contacting a company in remediation if you need more information about their status. During the process of hiring a new ASV it would be beneficial to ask a company if they have ever been in remediation, which can help with your decision.
What can a company expect when going through an external vulnerability scan? The first main phase of the scan is scoping. An ASV will ask the scan customer to first provide them with a list of all internet-facing components. Scan customers are ultimately responsible for defining the scan scope, even if they employ a third party for a consultation. If an account data compromise occurs via a component not included in the scan, the scan customer is accountable. Once the scope is determined, a scan customer would configure active protection systems (systems that block, filter, drop, or modify network packets in response to scan traffic that is allowed through the firewall) to prevent interface with the ASV scan.
A discovery process is performed by the ASV company to confirm the scope provided by the customer. If web servers without domains or components not provided by the scan customer are found, then the customer has to either attest that these findings are out of scope due to network segmentation or repeat the first phase. If the discovery results match the scope given by the customer then the ASV can proceed with the scan. Once again, these scans are external vulnerability scans that are performed off sight and determine the security of a company from the outside looking in. Once the scan is complete, the ASV will attest that PCI and ASV quality assurance processes were followed as outlined by the ASV Program Guide.
An analysis of the scan can result in several different results. There can be a passing scan, which can be submitted by the customer in a passing scan report. Scan customers are only allowed to submit passing reports. These reports need to be submitted according to the guidelines of the payment brand that the company falls under. Scan customers should contact their acquiring bank or each Participating Payment Brand to determine to whom results should be submitted.
It is also entirely possible to fail a vulnerability scan. A failing scan can bring about one of three outcomes. After a failing scan occurs, the scan customer disputes the results of the scan. A dispute can come about for several reasons that include, but are not limited to: false positives, exceptions in the scan report, conclusions of the scan report, inconclusive ASV scans or ASV scans that cannot be completed due to scan interference, and others. The ASV must have written procedure and the scan customer must be clearly informed on how to report the dispute to the ASV. Disputes are to be handled between these two parties and are not to be sent to the PCI SSC. The scan customer submits all aspects of the dispute in written form to the ASV. The ASV will then most likely try to validate the dispute remotely, but if not must examine the written evidence. Disputes are left within the final scan report and scan customers are not permitted to edit that report.
There have also been cases where a failed scan occurs as a result of a detected vulnerability. In this case, the customer would need to resolve the issues leading to the vulnerability and rescans would occur until a passing scan is achieved. All failed scans are included in the final scan report.
Finally, it is possible that a failed scan is the result of scan interference. In this instance, the customer may work with the ASV to achieve a complete scan. If an inconclusive scan is left unresolved by the customer, it is reported as a failed scan by the ASV. The procedure for working with an ASV to resolve this type of failed scan is again outlined in the ASV Program Guide. All components in the company’s scope must be scanned in order for a passing scan to be reported.
ASV and PCI Compliance
The scanning process can look tedious, but at the end of the day, the most important thing is for your company to have PCI compliance. Working with an ASV company is different than working with a QSA. Depending on the size of your business you may feel comfortable opting out of using a QSA and conduct a self-assessment. External vulnerability scans don’t have that option available. The PCI SSC requires that all merchant levels complete regular network scans by an ASV. However, if you go through and choose the right ASV for your needs, your risk of having an external breach will be reduced.