TABLE OF CONTENTS
- What Is an Approved Scanning Vendor (ASV)?
- What Is a PCI ASV Scan?
- How Does the PCI Scan Process Work?
- ASV Scanning & PCI Compliance
- Approved Scan Vendor Qualifications and Responsibilities
- How Often Do I Need ASV Scanning?
- What to Look for in an ASV
- How to Choose the Right ASV
- Final Thoughts on Approved Scanning Vendors
Finding an Approved Scanning Vendor (ASV) is essential for businesses accepting credit card payments. While businesses must accept card payments in order to remain competitive in 2022, those that do so must also comply with the Payment Card Industry’s standards. Failure to achieve or maintain PCI compliance can carry serious consequences. Approved Scanning Vendors help businesses meet the external scanning part of those requirements. Below, we detail exactly what an ASV is, as well as how to find the best ASV for your business.
What Is an Approved Scanning Vendor (ASV)?
An Approved Scanning Vendor (ASV) is a company whose scanning solution and scanning staff have been approved by the PCI Security Standards Council (PCI SSC) to perform the external vulnerability scans required by the Payment Card Industry Data Security Standard (PCI DSS). An ASV scans a business’s internet-facing systems that store, process, or transmit cardholder data, or that could affect the security of those systems, and reports whether they meet the standard’s external scanning requirement.
What Is a PCI ASV Scan?
The goal of a PCI ASV scan is to identify weaknesses in the internet-facing parts of a business’s payment environment, such as web servers, firewalls, mail servers, and remote-access services, that an attacker could exploit from the internet to reach sensitive financial data belonging to the business or its customers. To mitigate this risk, PCI DSS requires businesses to have these systems scanned regularly. The ASV performs the scan and produces the report; the business then submits the passing scan report, together with the ASV’s attestation, to its acquiring bank or payment brand as part of its compliance validation.
How Does the PCI Scan Process Work?
Conducted entirely over the internet, and required by the ASV program to avoid tests that could disrupt the target, PCI ASV scans should not interfere with normal business operations. The PCI ASV scan generally follows these steps:
- The scanner probes the target IP addresses for open ports. Each device has 65,535 TCP ports and as many UDP ports; the ASV scan checks every TCP port and commonly used UDP ports to find listening services.
- Each open port is fingerprinted: the scanner identifies the service and version behind it (for example, from its banner or its response behavior) and compares that with a database of known flaws and vulnerabilities.
- Each detected vulnerability is scored with the Common Vulnerability Scoring System (CVSS).
- The scan also checks for other weak points, such as built-in or default accounts and passwords on exposed services.
- Web applications are checked for unvalidated parameters that could permit SQL injection, for cross-site scripting (XSS), and for similar injection flaws.
- After the scan completes, you receive the report.
A “passing” PCI ASV report does not mean the scan found nothing. It means no vulnerability with a CVSS base score of 4.0 or higher (medium severity and up) was found, and none of the conditions the ASV program treats as automatic failures regardless of score, such as an exploitable SQL injection or XSS flaw or a default password on an exposed service, was present. If the report lists failing items, you have two options. You may remediate them and rescan until the scan passes, or, if a finding is a false positive or is covered by a compensating control, dispute it by giving the ASV evidence; if the ASV accepts the evidence, the finding no longer counts against the scan.
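The following is an added example, written for this article rather than taken from any ASV’s scanner, that walks through the steps above in miniature: a TCP connect scan for open ports, a banner grab as the fingerprinting step, a match against a vulnerability table, CVSS scoring, and the ASV pass/fail rule with support for disputed false positives. The flaw table, the “DemoFTP” and “DemoHTTP” services, and the local listener used as the scan target are all constructed for the demonstration; the 4.0 threshold is the real ASV program rule.

```python
"""Miniature ASV-style scan pipeline (illustrative, not an ASV's own code)."""
import socket
import socketserver
import threading

# Constructed fingerprint table: banner substring -> (finding description, CVSS base score).
# A real ASV scanner matches service names and versions against CVE data; these are made up.
KNOWN_FLAWS = {
    "DemoFTP 1.0": ("Demo FTP server allows anonymous upload", 7.5),
    "DemoHTTP 2.3": ("Demo HTTP server discloses directory listings", 3.1),
}

# ASV Program Guide rule: any finding with a CVSS base score of 4.0 or higher fails the scan.
ASV_FAIL_THRESHOLD = 4.0


def discover_open_ports(host, ports, timeout=0.2):
    """Step 1: TCP connect scan. Returns the ports that accept a connection."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=0.5):
    """Step 2: fingerprinting. Read whatever the service announces on connect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256).decode("utf-8", "replace").strip()
        except socket.timeout:
            return ""


def match_vulnerabilities(banner):
    """Steps 2-3: compare the fingerprint with the (constructed) flaw database."""
    return [(desc, score) for sig, (desc, score) in KNOWN_FLAWS.items() if sig in banner]


def evaluate(findings, disputed=()):
    """Pass/fail rule: findings scored >= 4.0 fail unless the scan customer disputed
    them as false positives and the ASV accepted the evidence (names in `disputed`)."""
    failing = [f for f in findings
               if f["cvss"] >= ASV_FAIL_THRESHOLD and f["finding"] not in disputed]
    return {"passed": not failing, "failing": failing}


def scan(host, ports, disputed=()):
    """Run the whole pipeline against `host` and return findings plus the verdict."""
    findings = []
    for port in discover_open_ports(host, ports):
        banner = grab_banner(host, port)
        for desc, score in match_vulnerabilities(banner):
            findings.append({"port": port, "banner": banner, "finding": desc, "cvss": score})
    result = evaluate(findings, disputed)
    result["findings"] = findings
    return result


class _BannerHandler(socketserver.BaseRequestHandler):
    """Sends the server's configured banner and closes, like a chatty service."""
    def handle(self):
        self.request.sendall(self.server.banner)


def start_demo_service(banner):
    """Start a local TCP listener on a free port that sends `banner` on connect
    (a constructed scan target; shut it down with .shutdown() when done)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _BannerHandler)
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    ftp = start_demo_service(b"220 DemoFTP 1.0 ready\r\n")
    web = start_demo_service(b"DemoHTTP 2.3\r\n")
    targets = [ftp.server_address[1], web.server_address[1]]
    report = scan("127.0.0.1", targets)
    print("passed:", report["passed"])
    for f in report["findings"]:
        print(f"port {f['port']}: {f['finding']} (CVSS {f['cvss']})")
    # Dispute the high finding as a false positive: the 3.1 finding alone does not fail.
    print("passed after dispute:",
          scan("127.0.0.1", targets, disputed=("Demo FTP server allows anonymous upload",))["passed"])
    ftp.shutdown(); web.shutdown()
```

The scan fails on the CVSS 7.5 finding but not on the 3.1 one, which matches the real rule that low-severity findings are reported yet do not block a passing result; the `disputed` path shows why a dispute is only useful for genuine false positives, since the vulnerability itself is untouched.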
Internal PCI scans
An internal PCI scan runs from inside your firewall or local network and looks for vulnerabilities on internal systems. PCI DSS requires these scans as well, but they do not have to be performed by an ASV: you can run them yourself or through any qualified, independent party. Performing them both strengthens your business’s network and protects your customers’ data.
External PCI scans
In contrast to an internal PCI scan, an external PCI scan examines your internet-facing systems from outside your network, the way an attacker would see them. For the quarterly scans PCI DSS requires, only an Approved Scanning Vendor can perform this scan and issue the compliant report.
Application PCI scans
Application PCI scans look for holes in the web applications your business exposes that leave it open to attacks, some of which may lead to a breach. These vulnerabilities include cross-site scripting, remote file inclusion, and structured query language (SQL) injection.
ASV Scanning & PCI Compliance
The Payment Card Industry Data Security Standard is the security standard that the major card brands, such as Mastercard, Visa, American Express, and Discover, require of anyone who stores, processes, or transmits their cardholder data. Its requirements, including maintaining a secure network, monitoring networks, and regularly testing for vulnerabilities, are the controls merchants must follow to keep their customers’ data secure.
These standards are especially vital given the increase in consumer data theft over the years. According to a 2022 report by the Identity Theft Resource Center, there were 1,862 data compromises in 2021, breaking the 2017 all-time record of 1,506 breaches.
Approved Scan Vendor Qualifications and Responsibilities
To become an Approved Scanning Vendor, a company applies to the PCI Security Standards Council, which tests the vendor’s scanning solution before approving it, and the vendor’s scanning staff must complete an eight-hour course and pass an exam. The course, which can be completed online, provides an overview of PCI DSS requirements and an explanation of scanning procedures.
Through this course, an ASV’s scanning staff acquire the knowledge necessary to ensure the quality of scans and the accuracy of reports. The program covers the following information:
- Program Overview: This outlines the 12 requirements of PCI DSS and the PCI DSS lifecycle.
- Payment Industry Terminology: This is an overview of payment industry terminology, transaction flows, and service provider relationships.
- Compliance Requirements and Validation: This part of the course outlines the reporting and validation requirements that the payment brands place on merchants and service providers.
- ASV Overview and Quality Assurance – Roles and Responsibilities: This part of the course covers roles and responsibilities in external vulnerability scanning, scoping, ASV scan solutions, and quality assurance.
- General Requirements for Scanning: This covers the general requirements for scanning, including scan solutions, procedures for scan customers, the scope of ASV scans, and ASV contracting.
- Scan Reporting: This part explains how to read, interpret, and report scans, including a review of the Common Vulnerability Scoring System.
- Scanning Vendor Testing and Approval Process: Finally, this covers the testing and approval process that ASV companies must go through.
How Often Do I Need ASV Scanning?
PCI DSS requires a passing external ASV scan at least once every three months (quarterly). If a quarterly scan fails, remediate the findings and rescan until you have a passing report for that quarter. PCI DSS also requires external and internal scans after any significant change to the in-scope environment, such as new system components, a change in network topology, or a firewall rule change; those change-driven scans need not be performed by an ASV, but they should be run promptly rather than waiting for the next quarterly cycle.
What to Look for in an ASV
As a merchant searching for an Approved Scanning Vendor, you should take into consideration the following elements:
- Customer response and support: Look for 24/7 dedicated support, especially if you operate an eCommerce site.
- Experience: A knowledgeable staff can offer remediation and mitigation recommendations, and hands-on experience with vulnerability scanning is crucial.
- A system that can fine-tune scans: A scanner that produces many false positives buries real findings in noise and costs you time disputing them, while one that misses real flaws (false negatives) gives you a passing report you cannot trust. A solid ASV tunes its scan engines to report accurately without flooding you with false positives or degrading the systems being scanned.
- Unlimited scans: Because new vulnerabilities are disclosed daily and every significant change calls for a rescan, it’s in your best interest to find an ASV that lets you scan and rescan as often as needed without added expense.
- Latest technology: To achieve an accurate and comprehensive scan, find an ASV utilizing modern scanning technology.
How to Choose the Right ASV
Choosing the right Approved Scanning Vendor for your business is a vital step in protecting customers’ sensitive data. At a minimum, confirm that your chosen ASV appears on the PCI Security Standards Council’s current list of Approved Scanning Vendors and meets the current ASV qualification requirements.
A quality ASV can tune its scan engine so that scans do not bog down your systems, especially during business hours. It’s also essential to examine whether the services the ASV offers are adequate for your business’s security needs. Be sure to inquire whether they provide managed security services or only external PCI scans.
Additionally, take into consideration how long the ASV business has been operating. Read customer reviews to determine how successful they have been in the past.
Final Thoughts on Approved Scanning Vendors
If your business engages in credit card processing, it’s important to have an Approved Scanning Vendor (ASV) on your side. Search for an ASV that will regularly test your internet-facing payment systems for vulnerabilities, not only to achieve PCI compliance but to reduce the risk to your customers’ financial data. Keep in mind what a passing scan does and does not show: it means no known medium-or-higher-severity flaw was detected from the outside on the day of the scan, so an experienced, reliable, and reputable ASV is one part of keeping your network secure, alongside internal scanning, patching, and the rest of the PCI DSS controls.