
PCI DSS Vulnerability Scans & Approved Scanning Vendors

Safeguarding payment data is more critical than ever. About a year ago, the PCI Council released a blog post that explained what an ASV is and why it is essential. It contained some valuable information, so I wanted to share it. You can find the original post here. The PCI Security Standards Council (PCI SSC) has provided a comprehensive resource guide on vulnerability scans and Approved Scanning Vendors (ASVs), which is essential reading for any organization involved in payment processing. Here is a detailed overview of the key information from their July 2024 guide on vulnerability scans and approved scanning vendors.

What is a Vulnerability Scan?

A vulnerability scan is an automated process that identifies security weaknesses and flaws in systems and software. With new vulnerabilities, bugs, and security holes being discovered daily, regular vulnerability scans are crucial for identifying and addressing weaknesses before attackers can exploit them.

Why is this so important? In 2023, 25% of high-risk vulnerabilities were exploited on the day they were disclosed, and an additional 50% were exploited within 19 days of disclosure. Between 2020 and 2023, the number of disclosed vulnerabilities increased by 44%, emphasizing the importance of regular testing and remediation.


Why Are Vulnerability Scans Critical?

Regular vulnerability scans empower organizations to promptly identify and address vulnerabilities, reducing the risk of data breaches. This proactive approach is key to staying ahead of potential threats.

Who Needs to Perform ASV Scans?

Organizations may be required to perform ASV scans if asked by a merchant bank or payment brand as part of their PCI DSS compliance efforts. This evidence could be requested through a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ). Ensure you know which SAQ is appropriate for your organization; consult with the requesting entity if you are unsure.

SAQs that include ASV scans:

  • SAQ A, A-EP, B-IP, C, and D for merchants
  • SAQ D for Service Providers

Notably, PCI DSS v4 added ASV scan requirements to SAQ A to address the increasing number of breaches targeting SAQ A merchant environments. These requirements include two external vulnerability scans by an ASV.

Scope of ASV Scans

  • What must be scanned?
    ASV scans apply to all Internet-facing systems that are in scope for PCI DSS, or that could affect the security of in-scope systems unless they are segmented away from them. The goal is to identify and fix vulnerabilities before criminals can exploit them to access payment data.
  • Special case for SAQ A merchants:
    ASV scans only apply to e-commerce merchants whose systems either:
    1. Redirect payment transactions to a PCI DSS-compliant Third-Party Service Provider (TPSP), or
    2. Include an embedded payment page/form from a PCI DSS-compliant TPSP.

This minimizes risk by ensuring that any link to a TPSP's payment page is secure.

What is an Approved Scanning Vendor (ASV)?

ASVs are organizations qualified by the PCI SSC to provide external vulnerability scanning services. Under PCI DSS Requirement 11.3.2, organizations must have evidence of passing external vulnerability scans (performed by an ASV) at least once every three months.

Find the PCI SSC’s official list of ASVs on their website.

Responsibility for Scanning

If a PCI DSS-compliant TPSP hosts your merchant website, confirm with your provider who is responsible for ASV scans. Ask for documentation showing:

  • The TPSP is PCI DSS compliant for hosting services
  • Your website’s IP address/domain is included in their ASV scans

If the TPSP does not scan your site, coordinate with them to ensure it is scanned at least quarterly.

Frequency of Scans

While PCI DSS requires scans every three months, scanning more frequently is recommended to identify and address vulnerabilities more quickly.

What Qualifies as an ASV Scan?

Not all scans from an ASV are automatically considered ASV scans for PCI DSS. To meet Requirement 11.3.2, scans must be performed with the ASV's PCI-approved scan solution.

Understanding “Passing” ASV Scan Results

A passing result means the scan found no vulnerabilities ranked as "medium" or "high". Always request an Attestation of Scan Compliance with each passing scan.

See sections 6 and 7 of the ASV Program Guide for more details.

What’s the Difference Between Vulnerability Scans and Penetration Tests?

  • Vulnerability scans are passive and automated, identifying weaknesses without exploiting them.
  • Penetration testing is an active, mostly manual process where testers attempt to exploit vulnerabilities to access systems (think: picking the lock vs. checking if the door is open).

If Scans Fail

If you or your TPSP fails an ASV scan:

  • Address the vulnerabilities
  • Perform rescans until passing
  • Coordinate fixes with your TPSP if they fail on your behalf

Quick Tips for Getting Started

  1. Get Advice: Ask your acquiring bank about partnerships with PCI ASVs.
  2. Talk to a PCI ASV: Review the PCI SSC website for the list of ASVs.
  3. Select an ASV: Reach out to multiple ASVs and choose the best fit.
  4. Address Vulnerabilities: Work with your ASV or technical partners to resolve issues.

Additional Resources

For more details, refer to the official PCI Security Standards Council resources at pcisecuritystandards.org for the most up-to-date information.

In summary:

Regular, thorough vulnerability scanning is crucial for ensuring PCI DSS compliance and protecting payment account data. Choosing the right ASV and maintaining a proactive approach to addressing vulnerabilities are crucial steps for every organization handling payment information.

Disclaimer
The views and opinions expressed in this article are solely my own and do not necessarily reflect the views, opinions, or policies of my current or any previous employer, organization, or any other entity I may be associated with.
