An Approved Scanning Vendor (ASV) is a company approved by the Payment Card Industry Security Standards Council (PCI SSC) that offers a scan solution to validate a merchant or service provider’s (scan customer) compliance with PCI DSS Requirement 11.2.2.
An ASV’s scan solution is the set of security services and tools used to conduct scanning of a scan customer’s external environment. The requirements (11.2.2) mandate scan customers complete quarterly scans of their external network using an ASV.
The scans test for vulnerabilities from the outside, looking for weaknesses a bad actor can exploit to gain access to the company’s cardholder data environment (CDE).
If you’re looking for a new approved scanning vendor, looking to switch to a new one, or you want to negotiate a better contract with your current PCI consultants, this article will help you understand ASVs, what they offer, how they differ, and what if anything you can adjust in the scanning process.
- What’s the PCI ASV Requirement?
- What Exactly Must be Scanned?
- How Approved Scanning Vendors Work
- What’s The Difference Between Approved Scanning Vendors?
- How Much do PCI ASVs Charge?
- How To Choose a PCI ASV?
- How Do You Fail an ASV Scan?
- What’s an Incomplete ASV Scan?
- What’s a Remediation Scan?
What’s the PCI ASV Requirement?
A company that accepts, processes, or stores credit card information must assure the security of its internet-facing systems, and there are several requirements to be met in so doing, as far as Approved Scanning Vendors are concerned:
- Maintain compliance with PCI DSS 11.2.2 at all times;
- Use an ASV from the list of approved vendors from the PCI SSC website;
- Act diligently in its ASV selection process (ensure the ASV’s qualification, capability, and experience); in other words, do not just pick randomly from the PCI SSC listing, but ensure the ASV’s solution, the industry of expertise, etc. align with the needs of the scan customer);
- Monitor the company network systems (internet-facing, IPS, IDS, routers, etc.) during the scan; this ensures a trust level between the customer and the ASV (e.g., have a dedicated network security employee monitor the network during the ASV scan) but not to the point of interference;
- Define the scope of external vulnerability scanning (e.g., IP addresses, domains for all internet-facing systems), providing a complete, current, accurate inventory to the ASV;
- Configure active IPS/IDS so they do not interfere with the ASV’s scan;
- Coordinate with the Internet Service Provider or hosting provider to allow ASV scans (e.g., let the ISP know about the scan ahead of time so they do not inadvertently block expected network traffic);
- Provide a rationale for excluding any network components from the scope;
- Provide attestation to the ASV to enable the ASV’s research and resolution of any disputed findings (e.g., suspected false positives);
- Review ASV’s scan report and correct any identified vulnerabilities that cause a scan to be non-compliant;
- Provide any compensating controls for a component not included in the scope (e.g., router “A” configuration must remain due to reason X or Y, but the company ensures its security through a particular network monitoring exceptions tool);
- Engage the ASV to rescan any non-compliant systems where the vulnerability is “High” or “Medium” until successful rescan results ;
- Provide the completed ASV scan report to the scan customer’s acquirer(s) and Participating Payment Brand(s); and
- Provide feedback on ASV performance per the ASV Feedback Form (available on the PCI SSC website).
What Exactly Must be Scanned?
The scan customer is responsible for ensuring the components which make up the external network of the CDE are scoped in and provided to the Approved Scanning Vendor and include:
- Internet protocol (IP) addresses (for all the customer’s locations if multiple);
- Servers (Database, web, application, mail, DNS, proxy);
- Firewall and routers;
- Operating systems;
- Built-in user accounts;
- Common web scripts;
- Common services;
- Virtualization components; and
- Wireless access points.
The customer must include any external network component “touching” cardholder data.
Note: Smaller companies often have “flat networks,” meaning every component has access to every other component on the network. In this case, the ASV scans the entire network. To help ensure proper scoping, the customer should consult with a security professional, such as PCI DSS Qualified Security Assessors (QSAs).
How Approved Scanning Vendors Work
The customer engages with an ASV from the ASV listing approved by PCI Security Standards Council. The ASV scans the customer’s external network structure (e.g., IP addresses, domains) to identify any weaknesses that an attacker can exploit from the internet.
- The customer provides scan scope to the PCI ASV (i.e., a list of IP addresses, domains, routers, etc.); ensures coverage of all external-facing components that make up the CDE;
- The ASV runs scans that are if-then scenarios on the external system components listed in the scope to identify system settings in which a vulnerability exists that can be exploited;
- The ASV provides scan results to the customer;
- The customer reviews the scan results and, in the event of identified vulnerabilities, performs root cause analysis and remediates the vulnerability;
- The customer engages the ASV to rescan those components with vulnerabilities. This cycle continues until all rescans return a clean results report;
- The ASV provides the original scan results report, the rescan(s) reports, and supporting documentation to the customer;
- The customer provides reports and documentation to their acquiring bank;
- Reporting and remediation – when the vulnerability scan is complete, immediately provide initial results to the customer;
- Rescan any remediated components until results are successful; rescanning may be an interactive cycle; and
- Final reporting – once the customer remediates identified vulnerabilities, if any, the PCI ASV issues an Approved report securely delivered to the scan customer. They, in turn, are responsible for providing information to acquiring banks.
What’s The Difference Between Approved Scanning Vendors?
There are currently 91 ASVs listed on the PCI SSC site. Several are “In Remediation’ meaning they have violated part of the Approved Scanning Vendor Program and actively working to remediate.
The differences between ASVs are numerous. ASVs operate out of different countries, serving various industries, offering multiple services, and serving varied geographical areas. The following depicts the diversity of ASVs on the PCI SSC site:
How Much do PCI ASVs Charge?
ASV charges are as varied as the types of ASVs. A large customer can engage with an ASV to provide multiple services, including ASV scanning, at no additional cost.
Company A is a healthcare chain with offices across the USA. They can secure an ASV who provides best practice services to healthcare organizations; in addition to PCI, Company A can obtain HIPAA consultancy and compliance testing as well as HITRUST.
Company B is a website offering children’s toys, have one office in London, and ship to customers worldwide. They can engage with an ASV specializing in eCommerce and website security, who will provide IP scanning at a set cost per IP address per year.
The range for this is from $100 to $200 per IP address. The price may be per IP address, as are the pricing structures. Some ASVs charge an annual fee as low as $70 for PCI Scanning Services if the scan customer purchases other services in combination.
At the other end of the spectrum are ASNs who charge per IP address, quarterly or annually, and those prices range from $100 to $200 per IP address.
How To Choose a PCI ASV?
The PCI SSC has performed much of the heavy lifting in ASV selection for the customer, providing a list of vendors approved by PCI SSC, but it’s worth considering other criteria when reviewing ASVs.
Is the customer operating in one or multiple industries? A manufacturing company may also have a branch for energy services. The brick-and-mortar retail store may also have eCommerce lines of business.
How many are credit card transactions processed annually by the customer (what is the PCI compliance level necessary)? A customer with a high transaction volume may find an ASV whose focus is PCI DSS is the best fit.
The customer’s base location, be it local, country-wide, or global, can drive them to align with an ASV whose services are of similar geographic operations.
A customer should understand their cybersecurity maturity posture (e.g., the customer performs regular vulnerability scanning, has antivirus software, and mature change management processes) should be considered. Company size, maturity, and regulatory needs should drive alignment with the ASV selected to perform scanning services to meet PCI DSS 11.2.2. For example, a company with a fully staffed security team may not need one of the larger ASVs.
NOTE: See our list of specialist PCI compliance vendors here.
How Do You Fail an ASV Scan?
Failed ASV scans can happen for several reasons like misconfigured ports, outdated antivirus software, outdated security patches, and one-off anomalies. There are a few commonly seen reasons for a failed vulnerability scan, and the customer should proactively review these configurations and update them as needed before the ASV scan:
- TLS Version 1.0, 2.0, or 3.0 protocol(s) is (are) not disabled (can allow an outside actor access the CDE) – review before the PCI ASV scan and make sure all are disabled; and
- SSL Certificate with Wrong Hostname – to avoid this, make sure the port names match that on the SSL Certificate; the certificate is current and signed by a Certificate Authority (CA).
What’s an Incomplete ASV Scan?
An incomplete ASV scan may occur due to the company’s internal security systems (e.g., IDS, IPS) not being configurated to allow the ASV external scan. The customer’s internet provider may block the vulnerability scan as it detects suspicious activity.
The customer should request the ASV provide the necessary information to be communicated to the ISP before scans. By working closely and collaboratively with the ASV, the customer can, ahead of time, ensure proper configurations both onsite and with the ISP to prevent a vulnerability scan from completing.
What’s a Remediation Scan?
When an ASV scan fails, the results are directly communicated to the customer by the ASV. The scan customer must perform a root cause and impact analysis, identify a remediation plan, and implement the remediation following formal change management processes.
The customer should immediately segment the network section, device, WAP, etc., where the vulnerability exists. After remediating the exposure, the customer notifies the ASV to perform a rescan of the failed components.
The customer has 90 days to remediate identified vulnerabilities and perform a rescan of their external network by the ASV. As a best practice, the customer should maintain all documentation capturing root cause, impact, remediation, and retesting per the scan customer’s evidence retention policy.