PCI DSS compliance is a requirement for any organization that accepts payment cards. There are numerous PCI DSS requirements, all aimed at ensuring your customers’ payment card information is kept safe and secure. One of those requirements, 11.2.2, mandates quarterly external vulnerability scanning:
- 11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
- 11.2.2.a Review output from the four most recent quarters of external vulnerability scans and verify that four quarterly external vulnerability scans occurred in the most recent 12-month period.
- 11.2.2.b Review the results of each quarterly scan and rescan to verify that the ASV Program Guide requirements for a passing scan have been met (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures).
- 11.2.2.c Review the scan reports to verify that the scans were completed by a PCI SSC Approved Scanning Vendor (ASV).
And here’s the thing: not just any scanner will do. The external scans have to be run by an Approved Scanning Vendor, or ASV. Each ASV has its scanning solution tested and approved by the PCI SSC before it is added to the council’s published list of ASVs. At the time of writing there are 97 approved ASVs.
Frankly, for all but the most technically sophisticated organizations the requirement to use a third-party scanning service is a benefit rather than a burden. Building your own scanner and keeping it at the level the PCI SSC demands of an ASV would be exceedingly difficult, not to mention cost-prohibitive.
PCI DSS requires both internal and external vulnerability scans to be performed at least quarterly and after any significant change to the network (for example new system components, changes in topology, firewall rule modifications or product upgrades).
What Does an ASV Vulnerability Scan Include?
The internal scans can be handled by your own organization, but the external scans must be performed by an ASV.
Both kinds of scan tie back to Requirement 6.1, which requires you to identify vulnerabilities and assign each one a risk ranking. Internal scans must resolve the “high-risk” vulnerabilities identified under 6.1, while the external ASV scan is judged against the ASV Program Guide, which fails any vulnerability scored 4.0 or higher on the CVSS scale along with a list of automatic failures. In practice the cycle looks like this:
- Rank each vulnerability as low, medium or high-risk according to your 6.1 process
- Remediate each finding (patch, reconfigure or otherwise mitigate it)
- Re-scan until the internal scan shows no high-risk vulnerabilities and the external scan passes
Following a passing scan, your ASV will issue a ready-made scan report and attestation for you to submit to your acquiring bank.
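As an added example (not part of the original article and not any ASV’s own tooling), the Python script below applies the 11.2.2.a and 11.2.2.b checks to a year of scan results: four quarterly scans in the trailing 12 months, each passing with no CVSS 4.0+ findings and no automatic failures, with rescans allowed until a quarter passes. ASV reports have no standard machine-readable format, so the ScanReport and Finding records, the sample scan history and the finding titles are constructed for illustration, and the automatic_failure flag stands in for whatever the ASV marks as an automatic failure under its Program Guide. Treating “quarterly” as at least one passing scan in each of four consecutive, roughly 91-day windows is an assumption of this example; your QSA or acquirer decides what actually counts.

```python
"""Check a year of external scan results against the PCI DSS 11.2.2 testing
procedures. Added example: the data model and the sample history are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# 11.2.2.b: a passing ASV scan has no finding rated 4.0 or higher on CVSS
# and no automatic failures (as defined by the ASV Program Guide).
CVSS_FAIL_THRESHOLD = 4.0


@dataclass
class Finding:
    title: str
    cvss: float
    automatic_failure: bool = False  # set when the ASV flags the item as an automatic failure


@dataclass
class ScanReport:
    scan_date: date
    asv_approved: bool  # 11.2.2.c: scan run by a PCI SSC Approved Scanning Vendor
    findings: List[Finding] = field(default_factory=list)

    def failing_findings(self) -> List[Finding]:
        return [f for f in self.findings
                if f.cvss >= CVSS_FAIL_THRESHOLD or f.automatic_failure]

    def passed(self) -> bool:
        # A scan from a non-ASV tool never counts as a passing external scan.
        return self.asv_approved and not self.failing_findings()


def quarter_windows(review_date: date, quarters: int = 4, period_days: int = 365):
    """Split the trailing 12 months into consecutive ~91-day windows.
    Assumption of this example: "quarterly" means one passing scan per window."""
    start = review_date - timedelta(days=period_days)
    edges = [start + timedelta(days=round(i * period_days / quarters))
             for i in range(quarters + 1)]
    return list(zip(edges, edges[1:]))


def evaluate_11_2_2(reports: List[ScanReport], review_date: date) -> dict:
    """Apply 11.2.2.a (four quarterly scans in 12 months) and 11.2.2.b (each passes)."""
    quarters = []
    for lo, hi in quarter_windows(review_date):
        in_window = sorted((r for r in reports if lo <= r.scan_date <= hi),
                           key=lambda r: r.scan_date)
        # Rescans are allowed: the window is satisfied once any scan in it passes.
        passed = any(r.passed() for r in in_window)
        latest = in_window[-1] if in_window else None
        quarters.append({
            "window": (lo.isoformat(), hi.isoformat()),
            "scans": len(in_window),
            "passed": passed,
            # What still blocks a pass, taken from the most recent scan in the window.
            "open_findings": [] if passed or latest is None
                             else [f.title for f in latest.failing_findings()],
        })
    return {
        "quarters_passed": sum(q["passed"] for q in quarters),
        "compliant": all(q["passed"] for q in quarters),
        "non_asv_scans": [r.scan_date.isoformat() for r in reports if not r.asv_approved],
        "quarters": quarters,
    }


REVIEW_DATE = date(2019, 12, 31)

# Constructed scan history: titles and scores are illustrative, not real findings.
SAMPLE_REPORTS = [
    ScanReport(date(2019, 1, 15), True, [Finding("Outdated web server version", 5.3)]),  # fails
    ScanReport(date(2019, 2, 20), True, [Finding("Self-signed certificate", 2.6)]),      # rescan passes
    ScanReport(date(2019, 5, 10), True, []),                                              # passes
    ScanReport(date(2019, 8, 2), False, []),                                              # in-house tool, does not count
    ScanReport(date(2019, 8, 20), True,
               [Finding("Item flagged as automatic failure", 3.9, automatic_failure=True)]),  # fails despite low CVSS
    ScanReport(date(2019, 11, 5), True, []),                                              # passes
]

if __name__ == "__main__":
    result = evaluate_11_2_2(SAMPLE_REPORTS, REVIEW_DATE)
    for q in result["quarters"]:
        print(q["window"], "scans:", q["scans"], "passed:", q["passed"], q["open_findings"])
    print("quarters passed:", result["quarters_passed"], "compliant:", result["compliant"])
    print("scans not run by an ASV:", result["non_asv_scans"])
```

In the constructed history the first quarter fails and then passes on rescan, the August in-house scan is ignored because it was not run by an ASV, and the third quarter stays open because its only ASV scan carried an automatic failure with no passing rescan, so the year is not compliant even though six scans were run.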
How To Get Started With An ASV Vulnerability Scan
Most ASV scanning solutions are budget-friendly. Comodo CA/Sectigo’s, for example, can be acquired for about $80 per year. Setting up Comodo HackerGuardian PCI Scanning takes just a few clicks and can easily satisfy all your scanning and reporting needs.
Remember, scans must be completed quarterly and the full documentation submitted for you to be considered compliant.