PCI DSS ASV scanning explained for dummies

[Editor’s Note] PCI DSS is changing in 2024. Find out everything you need to know about what’s coming in 2024 in our latest blog on PCI DSS 4.0.

Organizations across the globe are increasingly adopting PCI DSS to demonstrate that they securely store payment card data. Payment Card Industry Data Security Standards (PCI DSS) is a set of technical and operational requirements laid down by the PCI SSC (PCI Security Standard Council). Over the years, PCI DSS has become a reasonably expected compliance standard if an organization deals with payment card data. The latest version (version 3.2.1) of this standard was published in May 2018.

Under Requirement 11.2, PCI DSS requires organizations to conduct PCI DSS vulnerability scans. As per implementation guidance available for scope of vulnerability scanning exercises should cover an organization’s entire infrastructure. PCI SSC considers that attempts made to exploit the findings are a part of penetration testing exercises, which are covered in Requirement 11.3.

What does Requirement 11.2 say?

This prescribes the PCI scanning requirements for organizations dealing with payment card data. It recommends that internal as well as external scans must be performed quarterly or after “any significant change” in the network. Here, significant change relates to installing new system components, changing network topology, updating products, modifying firewall rules, etc.

Who is an ASV (Approved Security Vendor)?

While any internal personnel or third-party vendor can perform scans for Requirements 11.2.1 and 11.2.3, but PCI DSS requires that external scans for Requirement 11.2.2 must be conducted by an Approved Security Vendor (ASV).

PCI SSC has implemented a full-fledged program for security vendors to be designated as ASVs. It defines an Approved Security Vendor as the “company qualified by PCI SSC for ASV Program to conduct external vulnerability scanning services in line with PCI DSS Requirement 11.2.2.” As a part of the ASV program, PCI SSC has set up a validation lab to test scanning solutions. This scanning solution decides whether a vendor can be designated as a PCI SSC approved scanning vendor or not.

What is the scope of a PCI DSS ASV scan?

Requirement 11.2.2 requires organizations to conduct external scans for publicly accessible systems, including systems or components that provide access to their cardholder data environment (CDE). An approved security vendor would scan all possible entry points such as:

• Fully qualified domain names (FQDN);
• Domains for web and mail servers;
• Domains used for name-based virtual hosting;
• Web server URLs for directories that one cannot reach via crawling the homepage of a website; and
• Any other public-facing domain, domain aliases, hosts, and virtual hosts.

PCI SSC specifies that it is the organization’s responsibility to ensure that the scope for vulnerability scans is correct and covers relevant systems and components. If a data breach occurs through a system component not covered in the scope of external vulnerability scans, the organization will remain solely responsible.

Further, PCI SSC has also provided a list of services, devices, and operating systems to be covered in the scope for vulnerability scanning activities. This list is non-exhaustive, and it covers:

• Servers (Database, web, application, mail, DNS, proxy)
• Firewall and routers
• Operating systems
• Built-in user accounts
• Common web scripts
• Common services
• SSL/TLS
• Remote access
• Embedded links or out of scope domains
• Virtualization components
• Wireless access points (WAPs)
• Backdoors and malware
• Anonymous key-agreement protocols (non-authenticated)
• Insecure services and industry deprecated protocols

Ending notes

An ideal approved scanning vendor should help you with external scans by providing a platform-independent solution and accurate results. The scans should be non-disruptive and at least perform host and service discovery, OS, and service version fingerprinting and must account for load balancers. At BreachLock, our experts collaborate and partner with your security team to fulfill all of your PCI DSS security testing needs, right from ASV scans to penetration testing. Our SaaS platform allows you to conduct quarterly ASV scans with our ASV partners in a matter of few clicks. Get in touch with our experts today!