PCI ASV Program
This article is meant to call out some of the items some companies or people might not understand about the ASV program. Most of the content is directly from the program guide that can be found on the PCI Councils website. This is in no way a full description of the program guide or a replacement. This is only meant to call out certain items.
Roles and Responsibilities
Approved Scanning Vendors
An ASV is an organization with an ASV scan solution (i.e., a set of security services and tools) used to validate adherence to the external scanning requirements of PCI DSS Requirement 11.2.2. The ASV’s ASV scan solution must be tested by an ASV Validation Lab and approved by PCI SSC before that ASV is added to the list of Approved Scanning Vendors.
ASVs are responsible for the following:
- Performing external vulnerability scans in accordance with PCI DSS Requirement 11.2.2, this document and other supplemental guidance published by PCI SSC.
- Maintaining the security and integrity of systems and tools used to perform such scans.
- Ensuring that such scans:
- Do not impact the normal operation of the scan customer environment.
- Do not penetrate or intentionally alter the scan customer environment.
- Scanning all IP address ranges, domains, components, etc. provided by the scan customer to identify active components and services.
- Consulting with the scan customer to determine whether components found, but not provided by the scan customer, should be included in the scope of the scan.
- Providing a determination as to whether the scan customer’s components have met the scanning requirements.
- Providing adequate documentation within the scan report to demonstrate the compliance or non-compliance of the scan customer’s components with the scanning requirements.
- Submitting (to the scan customer) the ASV Scan Report Attestation of Scan Compliance cover sheet (an “Attestation of Scan Compliance”) and the scan report in accordance with the instructions of the scan customer’s acquirer(s) and/or Participating Payment Brand(s).
- Including required scan customer and ASV Company attestations in the scan report in accordance with this document and applicable ASV Program requirements.
- Retaining scan reports and related work papers and work products for three (3) years, as required by the ASV Qualification Requirements.
- Providing the scan customer with a means for disputing findings of scan reports.
- Maintaining an internal quality assurance process for its ASV Program-related efforts in accordance with this document and applicable ASV Program requirements.
Scan Customers
Scan customers are responsible for the following:
- Maintaining compliance with PCI DSS at all times, which includes properly maintaining the security of their Internet-facing systems.
- Selecting an ASV from the list of Approved Scanning Vendors from the Website to conduct quarterly external vulnerability scanning in accordance with PCI DSS Requirement 11.2.2 and this document using an ASV scan solution.
- Performing due diligence in its ASV selection process, per the scan customer’s due-diligence processes, to obtain assurance as to the ASV’s qualification, capability, experience, and level of trust in performing scanning services required by PCI DSS.
- To the degree deemed appropriate by the scan customer, monitoring Internet-facing systems, active protection systems, and network traffic during the scan, to assure an acceptable level of trust is maintained.
- Defining the scope of external vulnerability scanning, which includes:
- Providing the IP addresses and/or domain names of all Internet-facing systems to the ASV so the ASV can properly conduct a full scan.
- Implementing proper network segmentation for any external-facing components excluded from the scope.
See “ASV Scan Scope” for more information.
- Ensuring that devices do not interfere with the ASV scan, including:
- Configuring active protection systems so they do not interfere with the ASV’s scan, as required by this document. See Section 5.6, “ASV Scan Interference.”
- Coordinating with the ASV if the scan customer has load balancers in use.
- Coordinating with the scan customer’s Internet service provider (ISP) and/or hosting providers to allow ASV scans.
- Attesting to proper scoping and network segmentation (if IP addresses or other components are excluded from scan scope) within the ASV scan solution.
- Providing sufficient documentation to the ASV to fully enable the ASV’s investigation and resolution of disputed findings, such as suspected false positives, and providing related attestation.
- Providing sufficient documentation to the ASV to fully enable the ASV’s evaluation of any compensating controls implemented or maintained by the scan customer. See Section 7.8, “Addressing Vulnerabilities with Compensating Controls.”
- Reviewing the scan report and correcting any noted vulnerabilities that result in a non-compliant scan.
- Arranging with the ASV to re-scan any non-compliant systems to verify that all “High” and “Medium” severity vulnerabilities have been resolved, to obtain a passing quarterly scan. See Table 2 of Section 6, “Vulnerability Severity Levels Based on the NVD and CVSS.”
- Submitting the completed ASV scan report to the scan customer’s acquirer(s) and/or Participating Payment Brand(s), as directed by the Participating Payment Brands.
Can a Merchant or Service Provider Perform its own External Vulnerability Scanning?
The short answer is No. Merchants and service providers must use only ASVs to perform the quarterly external vulnerability scans required by PCI DSS Requirement 11.2.2, and the ASV scan solution must be managed by the ASV. Some ASV scan solutions may, while still under the control and management of the ASV, be started remotely by a scan customer (for example, via an ASV’s web portal and/or ASV’s scan solution) to allow a scan customer to select the best times to scan their cardholder data environment and define which of the customer’s components are to be scanned. However, only authorized ASV Employees are permitted to configure any settings (for example, modify or disable any vulnerability checks, assign severity levels, alter scan parameters, etc.), or modify the output of the scan. Additionally, the ASV scan solution must not provide the ability for anyone other than an authorized ASV Employee to alter or edit any reports or revise any results.
Scan Process Overview
To demonstrate compliance with PCI DSS, merchants and service providers may be required by applicable Participating Payment Brands to conduct periodic PCI DSS vulnerability scans, in accordance with PCI DSS Requirement 11.2.
PCI DSS external vulnerability scans are conducted over the Internet by an ASV, as a remote service that requires scanning from a source external to the scan customer’s network and does not require onsite presence to execute. PCI DSS external vulnerability scans are an indispensable tool to be used in conjunction with a vulnerability management program. Vulnerability scans help identify vulnerabilities and misconfigurations of websites, applications, and other information technology infrastructures with Internet-facing IP addresses.
Vulnerability scan results provide valuable information that supports efficient patch management and other security measures that help improve protection against Internet attacks.
PCI DSS external vulnerability scans may apply to any merchant or service provider with external/ Internet-facing components. Even if an entity does not offer Internet-based transactions, other services may make systems Internet accessible. Basic functions such as email and user Internet access will result in the Internet accessibility of a company’s network. Such seemingly insignificant paths to and from the Internet can provide unprotected pathways into scan customer systems and potentially expose cardholder data if not properly controlled.
Vulnerability scanning companies interested in providing vulnerability scanning services for ASV Program purposes must comply with the requirements set forth in this document as well as the ASV Qualification Requirements and related ASV Program requirements and must successfully complete the PCI SSC Security Scanning Vendor Testing and Approval Process.
Note: To be considered compliant with the external vulnerability scanning requirement of PCI DSS Requirement 11.2.2, the scan customer infrastructure must be tested and shown to be compliant, in accordance with this document and applicable ASV Program requirements. Compliance with this external vulnerability scanning requirement only represents compliance with PCI DSS Requirement 11.2.2, and does not represent or indicate compliance with any other PCI DSS requirement.
Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify that non-remediated vulnerabilities are in the process of being addressed.
ASV Scan Scope
For the purpose of ASV scanning, PCI DSS requires quarterly vulnerability scanning of all externally accessible (Internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment (CDE), as well as any externally facing system component that may provide access to the CDE.
In addition to providing the ASV with all external-facing IP addresses, the scan customer must also supply all fully qualified domain names (FQDN) and other unique entryways into system components for the entire in-scope infrastructure including, but not limited to:
- Domains for web servers
- Domains for mail servers
- Domains used in name-based virtual hosting
- Web server URLs to “hidden” directories that cannot be reached by crawling the website from the home page
- Any other public-facing hosts, virtual hosts, domains or domain aliases
The scan customer must define and attest to its scan scope prior to the ASV finalizing the scan report. The scan customer is ultimately responsible for defining the appropriate scope of the external vulnerability scan and must provide all Internet-facing components, IP addresses and/or ranges to the ASV. If an account data compromise occurs via an externally facing system component not included in the scan scope, the scan customer is responsible.
Note: The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment (CDE). The CDE is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:
- Systems that provide security services (for example, authentication servers) facilitate segmentation (for example, internal firewalls) or may impact the security of (for example, name-resolution or web-redirection servers) the CDE.
- Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
- Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
- Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
- Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
- Any other component or device located within or connected to the CDE.
Discover more from Chad M. Barr
Subscribe to get the latest posts sent to your email.