An Approved Scanning Vendor (ASV) is an organization that utilizes security services and tools to conduct external vulnerability scanning in order to verify compliance with PCI DSS Requirement 11.2.2’s external scanning requirements.
Before a scanning vendor’s ASV scan solution is added to the PCI Security Standards Council’s (PCI-SCC) list of Approved Scanning Vendors, it is tested and approved by the PCI Security Standards Council (PCI-SCC). To be approved, a business must first become a legal entity and meet all regulatory requirements for conducting business. Following that, they must complete a registration process with the PCI SSC, which includes reviewing the ASVs program guide, registering for testing, and providing administrative and technical information via an attestation of compliance. The Council reviews the application and either accepts or denies it for testing.
ASVs are responsible for conducting an external vulnerability scan of an organization’s network or website from the outside. Along with determining whether a business is PCI compliant, these ASV scans can shed light on any data security challenges that may be necessary to address.
There are several factors to consider when selecting the appropriate ASV to perform scans for your business. Certain ASVs provide superior scanning services, which in some cases means that they are more adept at reducing the occurrence of false positives. It can be time consuming and costly to eliminate false positives from a scan. A reputable approved scanning vendor will maintain an ongoing system for tuning scan engines to produce accurate results without slowing down your system.
The appropriate ASV for merchants will meet their requirements. When conducting ASV research, it is critical to consider what each service provider can offer and whether those services are sufficient for your security requirements, such as whether they offer additional managed security services. It can be beneficial to look into their history and the success rate of their previous scans. Additionally, it can be beneficial to learn about their staff’s experience. Having experience conducting vulnerability scans is critical for receiving the most accurate recommendations regarding your unique and individual network environments.
Because new vulnerabilities are discovered on a regular basis, it is up to each company to decide whether to conduct scans at intervals other than the recommended quarterly intervals. While some ASVs charge for each scan and rescan, others offer free rescans. It is possible to locate an ASV that offers additional services in addition to exterior vulnerability scanning. Certain companies will provide more comprehensive services that go above and beyond to ensure accurate compliance and comprehensive security.
Finally, it is critical to determine whether an ASV is currently undergoing remediation. If they are in remediation, this indicates that the company does not currently meet all of the ASV Qualification Requirements. The PCI SSC will identify a company that is undergoing remediation by highlighting their company name and email address in red text. They will be included in the listing alongside all other ASV companies, but only for a limited period of time. They will be removed from the list if they remain in remediation for an extended period of time. PCI SSC recommends contacting a company currently undergoing remediation for additional information on their status. When hiring a new ASV, it is beneficial to inquire about the company’s experience with remediation, as this can aid in your decision.
PCI scanning is typically required on a quarterly basis. You should scan a few weeks prior to your quarterly ASV scan due date to allow time for remediation and rescanning. Clone Systems simplifies this process by including an unlimited number of scans with each purchase. No matter how long you sign up for, you will not only be able to run unlimited scans at no additional charge, but you will also be able to schedule scans as frequently as you like to help remind you when due dates are approaching and to ensure you never miss a bank deadline.
