Are free PCI ASV scans possible?

06 Nov, 2020

Requirement 11.2 of PCI DSS states that a covered entity must conduct quarterly external scans and rescans via an Approved Scanning Vendor (ASV). An ASV is a company qualified by the PCI SSC to conduct external vulnerability scanning services in line with PCI DSS Requirement 11.2.2. For a vendor to be designated as an ASV, the PCI SSC's ASV validation lab tests the vendor's solution against a set of pre-defined parameters. You can read more about who needs PCI ASV scans and why here.

What is the scope of a PCI ASV scan? 

PCI DSS requires quarterly scans of all externally accessible systems or components owned or used by a covered entity. These systems and components should be a part of its cardholder data environment (CDE). Further, any external system or component that provides access to the CDE is also covered in the scope. 

Apart from external-facing IP addresses, an ASV scan must cover all unique entryways into system components, such as fully qualified domain names (FQDNs), including:

  1. Domains for web servers 
  2. Domains for mail servers 
  3. Domains used in name-based virtual hosting 
  4. Web server URLs to directories that cannot be reached by crawling from a website’s homepage 
  5. Any other public-facing hosts, virtual hosts, domains, or domain aliases 

Before an ASV finalizes a scan report, a covered entity must attest to and verify the scan scope. If you are a covered entity, it is your responsibility to define the scope of external vulnerability scans and provide the relevant details to the ASV. According to the latest version of the PCI SSC's ASV Program Guide, a covered entity remains responsible for a data compromise that occurs through an external-facing IP address it did not include in the scope of its external vulnerability scans.
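Because the covered entity, not the ASV, owns the scope, a practical pre-scan step is to reconcile the IP ranges and FQDNs you declared against what your DNS actually exposes: hosts resolving outside the declared ranges, mail servers found via MX records, and several names sharing one IP (name-based virtual hosting, where every name must be listed). The following is an added example written for this article, not code from the original page or from any ASV; the DNS records, domains and IP ranges are constructed sample data, and `lookup()` is a stand-in for a real resolver.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (hypothetical): the scope the entity declared to its ASV.
DECLARED_IPS = ["203.0.113.0/28"]
DECLARED_FQDNS = {"www.example.com", "shop.example.com"}
OBSERVED_NAMES = ["www.example.com", "shop.example.com", "legacy.example.com"]

# Constructed DNS answers standing in for a live resolver so the check runs offline.
DNS_RECORDS = {
    "www.example.com":    {"A": ["203.0.113.10"]},
    "shop.example.com":   {"A": ["203.0.113.10"]},   # same IP as www: name-based vhost
    "legacy.example.com": {"A": ["198.51.100.7"]},   # forgotten host outside declared range
    "example.com":        {"MX": ["mail.example.com"]},
    "mail.example.com":   {"A": ["203.0.113.11"]},
}

def lookup(name, rtype, records=DNS_RECORDS):
    """Minimal resolver over the constructed records (replace with real DNS in practice)."""
    return records.get(name, {}).get(rtype, [])

def reconcile_scope(declared_ips, declared_fqdns, observed_names, zone, records=DNS_RECORDS):
    """Compare declared ASV scope with observed DNS; return (finding, subject, detail) tuples."""
    nets = [ipaddress.ip_network(n) for n in declared_ips]
    # Track where each candidate name came from: directly observed, or from the zone's MX.
    names = {n: "observed" for n in observed_names}
    for mx in lookup(zone, "MX", records):          # mail servers are an in-scope entryway
        names.setdefault(mx, f"MX of {zone}")
    findings = []
    by_ip = defaultdict(set)
    for name in sorted(names):
        if name not in declared_fqdns:
            findings.append(("fqdn_not_declared", name, names[name]))
        for ip in lookup(name, "A", records):
            by_ip[ip].add(name)
            if not any(ipaddress.ip_address(ip) in net for net in nets):
                findings.append(("ip_outside_declared_ranges", name, ip))
    # Several names on one IP means name-based virtual hosting: each name must be scanned.
    for ip, hosts in sorted(by_ip.items()):
        if len(hosts) > 1:
            findings.append(("virtual_hosts_share_ip", ip, ",".join(sorted(hosts))))
    return findings

if __name__ == "__main__":
    for finding in reconcile_scope(DECLARED_IPS, DECLARED_FQDNS, OBSERVED_NAMES, "example.com"):
        print(*finding)
```

Each finding is something to either add to the declared scope or document as out of scope before attesting; with the sample data it flags the forgotten legacy host, the undeclared mail server, and the two names sharing one IP.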

General characteristics of an ASV scan and system components 

PCI SSC expects that an ASV’s scanning solution shall have the following characteristics: 

  1. Be non-disruptive 
  2. Perform host and service discovery 
  3. Perform OS and service fingerprinting 
  4. Be accurate 
  5. Account for load balancers 
  6. Have platform independence 

Further, PCI SSC provides a non-exhaustive list of services, operating systems, and devices that must be tested. The scan components of an ASV's scanning solution must cover:

  1. Firewalls and routers 
  2. Operating systems 
  3. Database servers 
  4. Web servers 
  5. Application servers 
  6. Common web scripts 
  7. Built-in accounts 
  8. DNS servers 
  9. Mail servers 
  10. Virtualization components 
  11. Web applications 
  12. Other applications such as streaming media, proxy servers, media content, RSS feeds, etc.
  13. Common services 
  14. Wireless access points 
  15. Backdoors/malware 
  16. SSL/TLS 
  17. Anonymous key-agreement protocols (non-authenticated) 
  18. Remote access 
  19. Point-of-sale (POS) software 
  20. Embedded links or code from out-of-scope domains 
  21. Insecure services/industry-deprecated protocols 
  22. Unknown services 

After a scanning exercise is completed, the scan report should consist of three sections: Attestation of Scan Compliance, ASV Scan Report Summary, and ASV Scan Vulnerability Details. 

Should ASV scans be free? 

We have only discussed a few of the requirements that a scanning vendor needs to meet to be designated as an ASV. PCI SSC also prescribes a fee that a vendor must pay before it is recognized as an ASV. More details about fees and payments are available here. Once qualified, ASVs provide their services to covered entities as a commercial service, so it is highly unlikely that you will get free ASV scans. While browsing through search engine results, you will come across many sites that advertise free ASV scans. On further analysis, we found that most of them are free trials with limited functionality that do not fulfil compliance requirements.

So, the bottom line is that free ASV scans capable of scanning your entire CDE do not exist. We highly recommend ensuring that a contractual relationship is in place before you start performing scans using any ASV's scanning platform.

Recommended Readings

  1. Who needs PCI ASV scans and why? 
  2. PCI DSS Compliance for SaaS Companies: An Overview 
  3. 10 Step Guide for Making your AWS Application PCI DSS Compliant 
  4. Penetration Testing and Vulnerability Scanning Requirements for PCI DSS 
  5. PCI DSS Security Testing Cheatsheet