Complying with the Payment Card Industry Data Security Standard (PCI DSS) is essential for any organization that stores, processes, or transmits payment card data. One of the key requirements for maintaining PCI DSS compliance is conducting regular Approved Scanning Vendor (ASV) scans. In this blog, we'll explore the PCI DSS requirements for ASV scans, the scope of these scans, the importance of whitelisting, and how to find the right ASV vendor for your organization.
PCI DSS Requirement for Approved Scanning Vendor (ASV) Scans:
Requirement 11.3.2 of PCI DSS v4.0 mandates that organizations perform quarterly external vulnerability scans via an ASV. These scans are essential for identifying vulnerabilities in your organization's external-facing systems and networks that malicious actors could exploit to gain unauthorized access to payment card data.
External vulnerability scans must be performed as follows:
- At least once every three months.
- By a PCI SSC Approved Scanning Vendor (ASV).
- Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.
- Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.
Scans are required at least once every three months; as a best practice, more frequent scans are recommended depending on network complexity, frequency of change, and the types of devices, software, and operating systems used. ASV scans must also be conducted after any significant change to your external-facing systems. The goal is to ensure that your systems and networks remain secure and that vulnerabilities are promptly identified and addressed to maintain a robust security posture.
Your QSA may require additional documentation to verify non-remediated vulnerabilities are in the process of being resolved.
Scope of ASV Scans:
The scope of an ASV scan includes all external-facing IP addresses and domains that are part of your organization's cardholder data environment (CDE). This means that any system or network component that stores, processes, or transmits cardholder data, or is connected to systems that do so, must be included in the ASV scan.
When determining the scope of your ASV scan, it's essential to identify all of your organization's external-facing systems accurately. This includes web servers, email servers, firewalls, routers, and any other devices that could potentially expose your CDE to external threats.
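As an added illustration (not code from the original post), the following Python check applies the cadence and scope rules above to a constructed asset inventory, scan history and change log: it reports in-scope assets missing from the latest scan, passing scans more than 90 days apart, a stale last passing scan, and significant changes not followed by a scan. The 90-day interval and all sample values are assumptions.

```python
from datetime import date, timedelta

# Constructed inventory of external-facing CDE assets (hypothetical values).
INVENTORY = {"203.0.113.10", "203.0.113.11", "shop.example.com", "api.example.com"}

# Constructed ASV scan history: (scan date, targets scanned, passing scan?).
SCANS = [
    (date(2024, 1, 15), {"203.0.113.10", "203.0.113.11", "shop.example.com"}, True),
    (date(2024, 4, 10), {"203.0.113.10", "203.0.113.11", "shop.example.com"}, False),
    (date(2024, 4, 24), {"203.0.113.10", "203.0.113.11", "shop.example.com"}, True),
]

# Constructed change log: dates of significant changes to external-facing systems.
SIGNIFICANT_CHANGES = [date(2024, 5, 2)]

# "At least once every three months" operationalised as 90 days (assumption).
MAX_INTERVAL = timedelta(days=90)


def scope_gaps(inventory, scans):
    """Return in-scope assets that the most recent scan did not target."""
    if not scans:
        return set(inventory)
    latest = max(scans, key=lambda s: s[0])
    return set(inventory) - latest[1]


def cadence_findings(scans, changes, today):
    """Return human-readable findings about scan frequency and post-change rescans."""
    findings = []
    passing_dates = sorted(s[0] for s in scans if s[2])
    if not passing_dates:
        return ["no passing ASV scan on record"]
    # Consecutive passing scans must not be more than MAX_INTERVAL apart.
    for earlier, later in zip(passing_dates, passing_dates[1:]):
        if later - earlier > MAX_INTERVAL:
            findings.append(f"gap of {(later - earlier).days} days between passing scans {earlier} and {later}")
    # The most recent passing scan must still be within MAX_INTERVAL of today.
    if today - passing_dates[-1] > MAX_INTERVAL:
        findings.append(f"last passing scan {passing_dates[-1]} is older than {MAX_INTERVAL.days} days")
    # Any significant change after the latest scan (passing or not) needs a new scan.
    latest_any = max(s[0] for s in scans)
    for change in changes:
        if change > latest_any:
            findings.append(f"significant change on {change} not followed by a scan")
    return findings


if __name__ == "__main__":
    print("scope gaps:", scope_gaps(INVENTORY, SCANS))
    for line in cadence_findings(SCANS, SIGNIFICANT_CHANGES, date(2024, 6, 1)):
        print("finding:", line)
```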
The Importance of Whitelisting for ASV Scanning:
Whitelisting is the process of allowing a specific IP address or domain to bypass certain security measures, such as firewall rules or intrusion prevention systems. In the context of ASV scans, whitelisting is crucial because it ensures that your ASV vendor can access your external-facing systems without being blocked by your security measures.
To ensure accurate and thorough vulnerability scans, it's essential to whitelist your ASV vendor's scanning IP addresses. This allows the ASV to perform a comprehensive assessment of your systems without being hindered by your security infrastructure. Limit the exception to the IP ranges the ASV publishes for its scanners, and review it once the scan window has closed. Failing to whitelist your ASV vendor could result in an incomplete scan, leaving potential vulnerabilities undetected.
How to Find ASV Vendors:
The PCI Security Standards Council maintains a list of Approved Scanning Vendors that have been validated to perform external vulnerability scanning services for PCI DSS compliance. To find the right ASV vendor for your organization, consider the following steps:
- Visit the PCI Security Standards Council's list of Approved Scanning Vendors: https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors
- Research each ASV's background, experience, and reputation. Look for customer testimonials, case studies, and reviews to gauge the quality of their services.
- Determine whether the ASV offers additional services, such as penetration testing, which may be valuable for your organization's overall security posture.
- Contact several ASV vendors to discuss your organization's specific requirements, and request a quote for their scanning services.
To learn more about the basics of PCI compliance, see our blog post here.