Naturally, the first question in regards to ASV scanning is, what does ASV stand for? ASV stands for Approved Scanning Vendor. If you are a business whose work involves debit or credit cards, it’s crucial and a PCI requirement for you. Involves means more than just merchants who must be submitted to ASV scanning. Anyone from acquirers (banks), issuers, processors and even service providers must undergo ASV scanning. That’s because all of these entities must PCI-DSS compliant; we’ll get to that in a second.
First, in plain English, ASV scanning refers to approved companies that administer external security scans for any business that accepts credit or debit cards. If credit cards are involved in your business, in almost any way, you must be pass rigorous testing in order to continue accepting them.
Since it’s 2018 and many people pay with plastic as opposed to cash, the vast majority of vendors need to know what ASV scanning is and how it works. In this article, we will discuss all aspects of ASV scanning, including its origins, best practices and penalties for non-compliance. However, to understand ASV scanning, you first need to understand where it originated.
What is PCI, PCI-DSS and PCI SSC?
It all starts with the PCI, or the Payment Card Industry. The PCI is made up of the five major credit cards: American Express, Visa, MasterCard, Discover Financial Services and JCB International. Together these massive companies formed not only the PCI but the PCI Security Standard Council (PCI-SSC) and the PCI Data Security Standard (PCI DSS) which help in keeping data secure for cardholders.
Essentially, the biggest credit card companies formed a council to oversee rules, regulations and best practices of credit cards. They also created the sets of standards for vendors to follow in order to accept credit cards. If private vendors or any company that accepts debit or credit don’t follow the security standards set by the PCI, there are a multitude of ways the vendors can be severely sanctioned by the PCI.
Assess your PCI compliance
How Does ASV Scanning Apply to the PCI Data Security Standard?
First and foremost, the Payment Card Industry Data Security Standard (PCI-DSS) has a very long list of requirements that many business entities must meet before they can legally accept debit and credit cards. Meeting such lofty requirements may seem like a giant pain in the butt, but it’s for good reason.
Today, cybersecurity is at a premium with giant companies like Sears, Macy’s Saks Fifth Avenue, among many others, all having major security breaches within the past two years. More and more thieves are switching to digital larceny, which is why the PCI-DSS is so essential. These standards and requirements are not made to frustrate business owners, but rather, protect them and consumer alike.
Before we get to how ASV scanning applies to the security standard, let’s review the requirements set forth by the PCI-DSS and to whom they specifically apply.
What are Merchant Levels and how do they Apply to me?
Yes, the PCI-DSS can be difficult and complicated. However, the PCI-SSC has made it slightly more manageable by breaking down requirements by merchant level. Merchant levels are broken down by the amount of debit or credit card transactions a vendor accepts per year. The more transactions, the more security requirements a vendor will have.
It should also be noted that if a vendor has a security breach, that vendor will likely be automatically moved to level 1, the highest security level, to avoid a repeat. Also, banks, issuers of the credit cards, also have their own individual criteria that can change your merchant level. Here are the merchant levels and their abbreviated requirements:
- Merchant Level 4 (lowest): Less than 20,000 online transactions annually or under 1 million transactions per year. This is the lowest security level available. Vendors must complete an SAQ or self-assessment questionnaire, an attestation of PCI compliance form and submit to quarterly ASV scans.
- Merchant Level 3: Between 20,000 and 1 million transactions annually. Vendors must complete an SAQ or self-assessment questionnaire, an attestation of compliance form and submit to quarterly ASV scans.
- Merchant Level 2: Between 1 and 6 million transactions annually. Vendors must complete an SAQ or self-assessment questionnaire, an attestation of compliance form and submit to quarterly ASV scans.
- Merchant Level 1: More than 6 million transactions annually. Vendors must complete an SAQ or self-assessment questionnaire, an attestation of compliance form and submit to quarterly ASV scans. They must also complete an annual report on compliance (RoC) completed by a Qualified Security Assessor (QSA)
Merchant levels four through 2 may seem like they have the same requirements. However, the depth of each SAQ or attestation of compliance grows with each level.
What is ASV Scanning?
So, how does ASV scanning relate to PCI-DSS compliance? ASV scanning is just one of a number of the requirements that are required to meet PCI-DSS compliance. All of the requirements of PCI-DSS are checks and balances designed to allow vendors and consumers to safely use their debit and credit card without fear of theft. Having your identity stolen is an awful experience that can affect your credit score, finances and more. That’s why large credit card companies have created such stringent requirements.
ASV scans, literally, are external vulnerability scans done by an approved scanning vendor (ASV). The ASV scans are devised to find any weaknesses or holes in your system that hackers may attempt to exploit. ASVs are companies that the PCI council has given the seal of approval to yay or nay the security vulnerabilities of any private merchants credit or debit card system.
What is the PCI ASV scanning requirement?
The ASV scanning process has six layers that required entities must undergo to reach PCI-DSS compliance. The process is as follows:
- Scoping: This is the part of the process that you, the merchant, must do on your own. It is defined by the PCI council as such, “Vulnerability scanning of all externally accessible (Internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment (CDE), as well as any externally facing system component that may provide access to the CDE.”
For those who don’t speak IT, internet facing systems mean any webpage that is accessible from the public internet. Basically, you must scan any part of your system that can be accessed from the internet for vulnerabilities. That includes all IP addresses, domains for web or mail servers, hidden URLs, and public facing hosts.
- Scanning: The scan comes from whichever ASV you have chosen to do it. That scan will undoubtedly come with potential risks and vulnerabilities you have. Addressing those vulnerabilities is the next step.
- Scan Reporting: From that scan, you will receive three parts: attestation of scan compliance, ASV scan report summary and ASV scan report details. Essentially, you will find out if you pass or failed and what you need to do next. If you passed, congratulations you’re done! If you have issues that need to be addressed, which is very likely, you can either ask your ASV scanner for help or address the issues on your own.
- Scan Dispute: Chances are very likely that you’ll have some problems relating to your scan that must be addressed. You may argue with your ASV scanner as to why these issues aren’t issues or work with them to solve them. Either way, you must address the issues put forth by the ASV scan.
- Rescanning: Once you have resolved the vulnerabilities found in the first scan, you may resubmit for approval.
- Final Report: This acts as your seal of approval, proving that you have passed your required quarterly scan.
How often is ASV Scanning Required?
ASV scanning is required once every 90 days. That is technically quarterly, but remember, attempting to complete your ASV scanning on day 90 of your window isn’t something we would recommend. Also, any changes you make to your system should be checked long before you reach the 90-day mark. Obviously, it would make sense to familiarize yourself with the process since it is something you’ll often be doing.
Make ASV Scanning and Documentation Someone’s Job:
A reason many companies run into issues with ASV scanning is not putting sufficient resources aside to address it. Your company must maintain all documents related to the process. That means your Attestation of Scan Compliance documents and scanning details for the ASV certification process are all on you. Scanning, attestation support and fixing false positives are on your ASV. If you don’t feel you are getting the support you need from your ASV, shop around. There are many companies offering that service.
No Procrastination:
Just like the college term paper, ASV scanning is not something you want to wait until the last minute to work on. Since it is due every 90 days, your window to fix issues is minimal. It’s also a good idea to submit your scans 30 days before they are due. That’s because it is almost a guarantee that there will be some issues that need working through. Breathing room is never a bad thing if you fail your scan either.
Inevitably your ASV will request more information. Don’t get frustrated. That’s very normal, almost a guarantee. By submitting your scans early, that will give you time to fix any problems. It also saves you from working under the gun.
ASV Scanning Best Practices:
- Assign more than one person for best scanning practices. ASV scanning is too important and the consequences too significant to leave all these responsibilities to one person.
- Scan, scan and more scanning. Most ASV’s will allow you to scan as often as you’d like. Monthly or, better yet, weekly scans are a great idea. Continually monitoring your vulnerabilities will help you find any issues and solve them quickly, long before your next scan is due.
- Make reviewing scans a part of the weekly or bi-monthly meeting. Checks on top of checks for something so crucial is never a waste of time.
- Keep all documentation of your previous scans, attestations, summaries and any documentation relating to your ASV scans in any way. ASV scanning is a lot like taxes; the more information you have, the more you can prove and the better off you’ll be.
- Don’t cut corners. Your security should be of utmost importance, as security breaches can affect, not only, your bottom line but also the confidence customers have in your company. It’s also far too important to treat as a task to be knocked out and forgot about.
Consequences for Non-compliance:
After reading all of that, you may be thinking, “I really don’t want to deal with ASV Scanning.” Unfortunately, the costs of non-PCI compliance are far worse than the headache of ASV scanning. Here are the consequences if you don’t believe us.
- Fines for non-compliance can range from $5,000 to $100,000 monthly. Yes, you read that right, monthly. The penalties depend on the number of transactions, amount of time spent in non-compliance and your merchant level.
- Even if you are compliant, you can still face painful ramifications if you have suffered a security breach and put consumer information at risk. Fines range from $50-$90 per card that has been endangered. You could lose your relationship with your bank and obviously lose the trust of your customers.
- You could face litigation. In 2007 TJX was forced to pay $40.9 million due to a data breach of over 100 million cards. The list of companies that had to pay fines on top of the damage done by data beaches is longer than you think. It’s also headlined by large companies like Yahoo, Equifax and eBay.
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.