[Editor’s Note] PCI DSS is changing in 2024. Find out everything you need to know about the new PCI DSS 4.0 requirements, including the key dates for PCI DSS compliance, in our latest blog post now: PCI DSS 4.0 and Penetration Testing – What You Need to Know
Requirement 11.2 of PCI DSS states that a covered entity should conduct quarterly external scans and rescans via an Approved Scanning Vendor (ASV). An ASV is a company qualified by the PCI SSC to conduct external vulnerability scanning services in line with PCI DSS Requirement 11.2.2. For a vendor to be designated as an ASV, PCI SSC’s ASV validation lab tests the vendor’s solution against a set of pre-defined parameters. You can read more about who needs PCI ASV scans and why here.
What is the scope of a PCI ASV scan?
PCI DSS requires quarterly scans of all externally accessible systems or components owned or used by a covered entity. These systems and components should be a part of its cardholder data environment (CDE). Further, any external system or component that provides access to the CDE is also covered in the scope.
Apart from external-facing IP addresses, an ASV scan must cover all unique entry points into system components, such as fully qualified domain names (FQDNs), including:
- Domains for web servers
- Domains for mail servers
- Domains used in name-based virtual hosting
- Web server URLs to directories that cannot be reached by crawling from a website’s homepage
- Any other public-facing hosts, virtual hosts, domains, or domain aliases
Before an ASV finalizes a scan report, a covered entity must attest to and verify the scan scope. If you are a covered entity, it is your responsibility to define the scope of external vulnerability scans and provide the relevant details to the ASV. According to the latest version of PCI SSC’s ASV Program Guide, a covered entity is responsible for an incident of data compromise that happened through an external-facing IP address not included in the scope of external vulnerability scans.
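The scoping rule above is easy to get wrong when a scope is declared as a list of IP addresses only: name-based virtual hosts on an already-scoped IP are still separate entry points. The following scope reconciliation script is an added example, not code from the original post or from any ASV; the hostnames, IPs and DNS records in it are constructed sample data, and it assumes the entity can export its own public DNS records as an FQDN-to-IP mapping.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample inventory (not real hosts): what the covered entity has
# declared to the ASV, and the public A records from its own DNS zone.
DECLARED_SCOPE = {"198.51.100.10", "198.51.100.11",
                  "shop.example.com", "mail.example.com"}
DNS_RECORDS = {  # FQDN -> public IP (assumed export of the entity's zone)
    "shop.example.com": "198.51.100.10",
    "mail.example.com": "198.51.100.11",
    "pay.example.com": "198.51.100.10",          # vhost on a scoped IP, undeclared
    "legacy-api.example.com": "198.51.100.12",   # resolves to an undeclared IP
}


@dataclass
class ScopeGaps:
    undeclared_vhosts: list = field(default_factory=list)  # (fqdn, ip) pairs
    undeclared_ips: list = field(default_factory=list)     # (fqdn, ip) pairs
    unresolved_names: list = field(default_factory=list)   # declared, no record


def is_ip(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def reconcile_scope(declared: set, dns_records: dict) -> ScopeGaps:
    """Compare the declared ASV scope with DNS records. Every public FQDN and
    every IP an FQDN resolves to must appear in the declared scope; anything
    else is a scoping gap the covered entity is answerable for."""
    gaps = ScopeGaps()
    declared_ips = {v for v in declared if is_ip(v)}
    declared_names = {v for v in declared if not is_ip(v)}
    for name, ip in dns_records.items():
        if ip not in declared_ips:
            gaps.undeclared_ips.append((name, ip))
        if name not in declared_names:
            # The IP may be scanned, but the virtual host is a distinct entry
            # point the ASV will not exercise unless the name is declared.
            gaps.undeclared_vhosts.append((name, ip))
    gaps.unresolved_names = sorted(declared_names - set(dns_records))
    return gaps


if __name__ == "__main__":
    print(reconcile_scope(DECLARED_SCOPE, DNS_RECORDS))
```

A name that resolves to an undeclared IP is reported in both lists, since both the address and the hostname are missing from the attestation.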
General characteristics of an ASV scan and system components
PCI SSC expects that an ASV’s scanning solution shall have the following characteristics:
- Be non-disruptive
- Perform host and service discovery
- Perform OS and service fingerprinting
- Be accurate
- Account for load balancers
- Have platform independence
Further, PCI SSC also provides a non-exhaustive list of services, operating systems, and devices that must be tested. The scan components of an ASV’s scanning solution must cover:
- Firewalls and routers
- Operating systems
- Database servers
- Web servers
- Application servers
- Common web scripts
- Built-in accounts
- DNS servers
- Mail servers
- Virtualization components
- Web applications
- Other applications such as streaming media, proxy servers, media content, RSS feeds, etc.
- Common services
- Wireless access points
- Anonymous key-agreement protocols (non-authenticated)
- Remote access
- Point-of-sale (POS) software
- Embedded links or code from out-of-scope domains
- Insecure services/industry-deprecated protocols
- Unknown services
After a scanning exercise is completed, the scan report should consist of three sections: Attestation of Scan Compliance, ASV Scan Report Summary, and ASV Scan Vulnerability Details.
Should ASV scans be free?
We have only discussed a few of the requirements that a scanning vendor needs to meet to be designated as an ASV. PCI SSC also prescribes a fee that must be paid beforehand for a vendor to be recognized as an ASV. More details about fees and payments are available here. After being qualified, an ASV provides its services to covered entities, so it is highly unlikely that you will get free ASV scans. While browsing through search engine results, you may come across many sites that advertise free ASV scans. On closer analysis, we found that most of them are free trials with limited functionality that do not fulfill compliance requirements.
The bottom line is that free ASV scans capable of scanning your entire CDE do not exist. We highly recommend ensuring that a contractual relationship is in place before you start performing scans on any ASV’s scanning platform.