How to Choose a PCI Approved Scanning Vendor

In order to comply with the Payment Card Industry Data Security Standard (PCI DSS), merchants and service providers are required to have external vulnerability scans performed on their systems every quarter. These scans must be performed by an Approved Scanning Vendor (ASV). But what is an Approved Scanning Vendor, and how do you go about choosing one? In this article, we answer these questions to help you get the most out of your PCI DSS scans.

First, let’s take a step back and look at the PCI DSS requirements for vulnerability scanning. PCI DSS Requirement 11.2 (renumbered 11.3 in PCI DSS v4.0) requires merchants and service providers to run both internal and external vulnerability scans at least quarterly, and again after any significant change to the network, such as new system components, changes in network topology, firewall rule modifications or product upgrades.

When it comes to internal scans, you have the choice of either using a qualified internal staff member or hiring a third party. If you use your own staff, the person running the scans must be organizationally independent of the systems being tested: they cannot also be responsible for administering or securing those systems. The same applies to the scans required after significant network changes, which do not have to be performed by an ASV and can be run by qualified internal staff.

Merchants and service providers have less flexibility when it comes to the quarterly external vulnerability scans. These must be performed by an Approved Scanning Vendor (ASV). An ASV is a third-party solution provider approved by the Payment Card Industry Security Standards Council (PCI SSC) to perform vulnerability scans of Internet-facing environments for the purpose of validating compliance with the external scanning requirement of PCI DSS.

To become an ASV, a security solution provider must complete a three-part qualification process: the company itself must be qualified, the employees who will perform the scans and attest to the results must be qualified, and the company’s scanning solution must pass security testing. ASVs must be re-qualified by the PCI SSC every year. The PCI SSC is careful to note that it does not endorse any particular ASV; it is up to you to choose which ASV you wish to work with. Here are some factors to consider as you choose an ASV.

·      Qualification as an ASV. Every time you engage a provider, check the list of Approved Scanning Vendors on the PCI SSC website to confirm that the company is still qualified. If the company has not been re-qualified, the scanning services you pay for will not satisfy the PCI DSS requirement, and you will have to repeat the scans with a qualified ASV.

·      Cost. The fees for an ASV’s scanning services are negotiated between the ASV and the customer. While it makes sense to compare the prices of a few different ASVs, don’t forget to consider the value-added services included in those prices. For example, does the provider offer dedicated, 24/7 customer support? Are rescans included at no additional cost? Rescans matter more than they might seem: a scan only passes when it finds no vulnerability with a CVSS base score of 4.0 or higher, so it is common to need one or more rescans after remediation before a quarter’s scan can be reported as passing. Can you also rely on the ASV for other PCI-related services?

·      Experience and accolades. Large companies routinely rely on vulnerability scanning and application security testing, outside of any regulatory requirement, to make sure their systems are protected against attackers. Look for an ASV with a long-standing history of delivering these services that is recognized by analyst firms and other third parties for its work in the area.

·      A well-tuned scan engine. The cost of a vulnerability scan can quickly escalate if your team has to spend valuable time resolving false positives. Ask your prospective ASV about its false positive rate and the processes it has in place to keep its scan engine tuned. The ASV Program Guide also lets you dispute findings you can show, with evidence, to be false positives, so ask how the ASV handles disputes and how quickly it issues a corrected report.

·      Customer-scheduled scans. While the ASV must control and manage the scan solution, the PCI SSC allows customers to remotely start scans (for example, via a web portal), schedule scans and identify the IP addresses to be scanned. These self-service capabilities help you reduce the impact on business operations, and scheduling quarterly scans in advance makes it easier to ensure that you remain compliant. Bear in mind that defining the scope is your responsibility: you must give the ASV every externally facing IP address and domain that is part of your cardholder data environment, and a scan that omits part of that scope does not validate compliance.

·      A robust scan engine. Quarterly vulnerability scans are about much more than ticking a box on a regulatory requirement. The scan should give you assurance that you are running a secure environment and that vulnerabilities are being remediated. Choose an ASV whose scan engine is continually updated to detect the latest vulnerabilities.

Ideally, the ASV you choose will be a partner that you can turn to quarter after quarter for your PCI scans, as well as for general security concerns. After all, the spirit of PCI DSS is not to create another to-do list for you, but to improve your overall security posture. By doing so, you protect both your business and your customers.