Who needs PCI ASV scans and why?

[Editor’s Note] PCI DSS is changing in 2024. Find out everything you need to know about the new PCI DSS 4.0 requirements, including the key dates for PCI DSS compliance, in our latest blog post now: PCI DSS 4.0 and Penetration Testing – What You Need to Know

Payment Card Industry Data Security Standards (PCI DSS) are operational and technical requirements prescribed by the PCI Security Standard Council (PCI SSC). This standard applies to all entities that store, process, or transmit cardholder data. PCI SCC looks after maintaining the PCI DSS standard and its enforcement. Over the years, PCI DSS has achieved the status of a global standard. Depending on the involvement of an entity in the payment process, the exact requirements may vary. PCI SSC released the latest version in May 2018 as version 3.2.1. 

PCI DSS is one of a few standards that explicitly mention vulnerability scanning and penetration testing. In this standard, Requirement 11.2 focuses on vulnerability scans while Requirement 11.3 deals with penetration testing. We have discussed the penetration testing requirements for PCI DSS in detail here. According to the PCI Information Supplement document on Penetration Testing Guidance, the scope of a vulnerability scan is limited to scanning the infrastructure for vulnerabilities. In vulnerability scans, the security team may not verify the findings. On the other hand, a penetration test goes a step further by attempting to exploit the discovered vulnerabilities using automated as well as manual techniques. 

PCI DSS vulnerability scanning requirements (Requirement 11.2)

Requirement 11.2 states that a covered entity should perform internal and external scans at least quarterly and after any significant change occurs in the network. The significant change covers new system component installation, network topology changes, firewall rule updates, and product upgrades. Other requirements include: 

• Conducting quarterly internal scans followed by rescans to verify that all high-risk vulnerabilities have been resolved (Requirement 11.2.1) 
• Conducting quarterly external scans and rescans via an Approved Scanning Vendor (ASV) (Requirement 11.2.2) 
• Conducting internal and external scans and rescans after any significant change in the network (Requirement 11.2.3) 

Here, a qualified internal personnel/third-party vendor can perform the required scans under Requirements 11.2.1 and 11.2.3. This third-party vendor need not be an ASV. However, for Requirement 11.2.2, an approved scanning vendor (ASV) by PCI SSC must perform the required scans.

Who is an Approved Security Vendor (ASV)?

The ASV Program Guide (v3.0) defines an ASV as a “company qualified by PCI SSC for ASV Program to conduct external vulnerability scanning services in line with PCI DSS Requirement 11.2.2.” The PCI ASV Scan validation lab established by PCI SSC tests an ASV’s scanning solution before designating a vendor as a PCI SCC approved scanning vendor. The same document lists down the responsibilities for approved scanning vendors. 

How does BreachLock help?

With our compliance and security experts onboard, BreachLock is able to analyze your PCI DSS requirements and advise you accordingly on your compliance obligations concerning security testing. PCI DSS explicitly states that manual penetration testing should be a part of your organization’s security practices. Our SaaS platform is supported by certified security researchers with years of experience in performing comprehensive penetration tests. 

We aim to collaborate with your team to ensure that you have one vendor to meet all of your security testing needs. Our SaaS platform covers an organization’s entire IT landscape, whether it is a web application, external/internal networks, segmentation tests, or mobile applications. Further, we have partnered with Approved Security Vendors (ASVs) to integrate an ability to launch and control quarterly ASC scans from our SaaS platform itself. As a result, our clients can manage manual penetration tests and ASV scans from a single dashboard.

Are you struggling in understanding PCI DSS security testing needs for your organization? Get in touch with our experts today!