PCI-ASV

PCI Approved Scanning Vendor

An ASV scan is a mandatory, automated external vulnerability scan required by the PCI DSS (Payment Card Industry Data Security Standard).

As per Requirement 11.3.2, these scans are performed by a third-party organization that has been tested and certified as an Approved Scanning Vendor (ASV) by the PCI Security Standards Council (PCI SSC). The purpose is to identify security vulnerabilities in your internet-facing systems that could be exploited by cybercriminals to access cardholder data.

The scan simulates an external attack, checking for known weaknesses like misconfigurations, outdated software, and weak encryption. It's a critical, non-disruptive process to ensure your network is secure from the outside in.

Scope of an ASV Scan

The scope of an ASV scan includes all publicly accessible IP addresses and domains that are part of, or could affect the security of, your Cardholder Data Environment (CDE). This means the scan targets any system component exposed to the internet, such as web servers, firewalls, routers, and payment application URLs.

The ASV works with you to define the full scope, but it's your responsibility to provide all relevant public-facing assets, including any systems that handle, store, or transmit cardholder data. A comprehensive scan scope is essential to ensure that no potential entry points for attackers are missed, helping you maintain full PCI DSS compliance.

ASV Scan - Scope

Conducting an ASV scan is a structured process. It begins with scope definition, where you provide the ASV with a complete list of your internet-facing IP addresses and domain names. Next, the ASV performs the automated scan to identify vulnerabilities.

After the scan, a detailed report is generated, outlining any security weaknesses found. The report classifies vulnerabilities by severity, with "failed" items requiring immediate attention. Your final step is to remediate these vulnerabilities and then request a re-scan. The scan is not considered complete until all "failed" items are resolved and the ASV provides a "passing" report.

ASV Scanning Rules

To comply with PCI DSS using an ASV scan, you must follow a few key steps.

1 - Conduct a passing scan at least quarterly (every 90 days).

2 - A new scan must be performed after any significant changes to your network, such as installing a new server or changing a firewall.

3 - If a scan fails, you must remediate all identified vulnerabilities with a CVSS score of 4.0 or higher and then conduct a re-scan to verify the fixes.

4 - The final, passing report from your ASV is the official evidence of compliance, which you can then submit to your acquiring bank or a Qualified Security Assessor (QSA).

ASV Scanning Steps

  • Select an ASV: The first step is to choose a vendor from the official list of Approved Scanning Vendors certified by the PCI Security Standards Council (PCI SSC).
  • Define the Scope: The organization and the ASV collaborate to define the scope of the scan. The organization provides the ASV with a complete list of all public-facing IP addresses and domains that are part of, or connected to, the Cardholder Data Environment (CDE).
  • Perform the Scan: The ASV uses its PCI SSC-approved scanning tools to perform an automated, non-intrusive vulnerability scan on the defined scope. This process simulates an external attack to identify security weaknesses.
  • Receive the Scan Report: After the scan is complete, the ASV generates a detailed report. This report lists all identified vulnerabilities and categorizes them as "Pass" or "Fail" based on the PCI SSC's scoring methodology. Any vulnerability with a CVSS base score of 4.0 or higher will result in a "Fail" status.
  • Remediate Vulnerabilities: If the scan fails, the organization must promptly address all identified vulnerabilities. This includes applying patches, fixing misconfigurations, or upgrading software.
  • Conduct a Re-scan: After remediation is complete, the ASV conducts a re-scan of the affected systems to verify that the vulnerabilities have been resolved. This step is repeated as many times as necessary until all "Fail" items are corrected.
  • Receive the Attestation of Scan Compliance (AOSC): Once all vulnerabilities are successfully remediated and the final scan results in a "Pass," the ASV issues an official Attestation of Scan Compliance (AOSC). This document serves as formal proof that the organization has met the PCI DSS external scanning requirement.
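The scanning rules and the scanning steps above come down to two mechanical checks: every finding with a CVSS base score of 4.0 or higher fails its host (and therefore the scan), and a passing scan only covers you for 90 days. The following script, an added example that is not an ASV's scoring tool or any part of the original page, applies those two rules to a constructed scan report. The scope list, the IP addresses (RFC 5737 documentation range), the hostname and the finding titles are all made up for illustration; it also flags findings on hosts that were never declared in scope, since that usually means the scope handed to the ASV was incomplete.

```python
"""Triage a constructed ASV-style scan report against the PCI DSS rules on this page.

Constructed example: the scope, hosts, finding titles and scores below are invented
for illustration and do not come from any real scan or vendor tool.
"""
from dataclasses import dataclass
from datetime import date, timedelta

FAIL_THRESHOLD = 4.0       # CVSS base score at or above which a finding is a "Fail"
SCAN_VALIDITY_DAYS = 90    # a passing scan must be repeated at least quarterly


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float


def classify(finding):
    """PCI SSC rule: CVSS base score >= 4.0 is a Fail, anything lower is a Pass."""
    return "Fail" if finding.cvss >= FAIL_THRESHOLD else "Pass"


def evaluate_scan(findings, scope):
    """Return (overall, per_host, failing, out_of_scope).

    per_host covers every declared asset, so a host with no findings still shows
    as "Pass". Findings on hosts outside the declared scope are reported separately
    instead of being dropped: they indicate the scope itself needs revisiting.
    """
    per_host = {host: "Pass" for host in scope}
    failing = []
    out_of_scope = []
    for f in findings:
        if f.host not in per_host:
            out_of_scope.append(f)
            continue
        if classify(f) == "Fail":
            per_host[f.host] = "Fail"
            failing.append(f)
    overall = "Fail" if failing else "Pass"
    return overall, per_host, failing, out_of_scope


def remediation_plan(failing):
    """Highest score first: the items blocking the attestation get fixed first."""
    return sorted(failing, key=lambda f: f.cvss, reverse=True)


def scan_due(last_pass, today):
    """Days until the next quarterly scan is due; negative means coverage has lapsed."""
    return (last_pass + timedelta(days=SCAN_VALIDITY_DAYS) - today).days


# Constructed scope and findings (not real data).
SCOPE = ["203.0.113.10", "203.0.113.11", "shop.example.com"]
FINDINGS = [
    Finding("203.0.113.10", "TLS 1.0 enabled on HTTPS service (constructed)", 5.3),
    Finding("203.0.113.10", "Server banner discloses version (constructed)", 2.6),
    Finding("203.0.113.11", "Outdated web server release (constructed)", 7.5),
    Finding("shop.example.com", "Missing security header (constructed)", 3.1),
    Finding("198.51.100.5", "Host not in declared scope (constructed)", 6.1),
]


if __name__ == "__main__":
    overall, per_host, failing, out_of_scope = evaluate_scan(FINDINGS, SCOPE)
    print(f"Overall: {overall}")
    for host, status in per_host.items():
        print(f"  {host}: {status}")
    print("Remediate before requesting a re-scan:")
    for f in remediation_plan(failing):
        print(f"  [{f.cvss}] {f.host}: {f.title}")
    for f in out_of_scope:
        print(f"Scope gap: {f.host} was scanned but not declared in scope")
    print("Days until next scan is due:", scan_due(date(2024, 1, 1), date(2024, 3, 1)))
```

Run it as-is to see the constructed report fail on two hosts; change the scores or the `last_pass` date to see the pass/fail and cadence checks flip. Note that the threshold is applied per finding, not per host: a single 4.0 finding anywhere in scope is enough to withhold the Attestation of Scan Compliance until it is remediated and re-scanned.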

PCI-ASV Scan vs. Vulnerability Assessment (VA)

While both an ASV scan and a general vulnerability assessment (VA) identify security weaknesses, their purpose and requirements differ significantly.

A standard VA is a broad security practice that can be performed by an internal team or any third-party vendor. It's excellent for proactive security but does not meet a specific compliance requirement.

An ASV scan, however, is a very specific type of external VA performed by a certified Approved Scanning Vendor. The key distinction is that an ASV scan uses a PCI SSC-approved methodology and generates a certified report that is mandatory for PCI DSS compliance validation.

Get Cybersec

Cybersecurity processes need to be baked into an organization's day-to-day processes for seamless adoption. Identify what is best for you.
We can help. Connect with us – we always love having a chat.
