ASV Scanning for PCI Compliance

PCI DSS requirement 11.2 mandates quarterly external “scanning” by an ASV (Approved Scanning Vendor) to ensure that externally exposed security vulnerabilities are managed and closed, reducing the possibility of a security compromise of the CDE (Cardholder Data Environment). 7Safe has chosen to partner with the leading ASV “Fishnet Security” to bring ASV scanning for PCI DSS compliance to its clients. The service is provided through FishNet’s “PCI ASV Scanning Services”, which is built around the Qualys PCI solution but adds a human component that brings a strong value-added proposition to the service.

What is ASV Scanning?
ASV (Approved Scanning Vendor) scanning refers to the regular need (quarterly, or more frequently) to undertake a PCI-approved vulnerability assessment. This is a battery of automated security or vulnerability tests run by a PCI SSC-approved ASV, which ensures that consistency is achieved across the global PCI marketplace.
7Safe / Fishnet PCI ASV Partnership Benefits
- Provides 7Safe PCI DSS clients with access to world-leading ASV scanning solutions
- Allows 7Safe to assist clients in the interpretation of vulnerability scanning results
- Sets ASV scan results in context of the overall PCI compliance program of work being undertaken
- 7Safe can provide advice in remediation of ASV scan results
- Qualys are a dedicated ASV provider and have honed their offerings to be the best in the industry
- 7Safe can take ASV scan results for our clients and use them as input into the full PCI Penetration Testing program
ASV Scanning and the PCI DSS Requirements

The PCI DSS (version 1.2.1), specifically requirement 11.2, mandates PCI ASV scanning. The detail is as follows:
Requirement 11.2
Requirement 11.2 test procedures
The QSA audit test procedures that our PCI QSA compliance team must follow are:
11.2.a Inspect output from the most recent four quarters of internal network, host, and application vulnerability scans to verify that periodic security testing of the devices within the cardholder data environment occurs. Verify that the scan process includes rescans until passing results are obtained. Note: External scans conducted after network changes, and internal scans, may be performed by the company’s qualified internal personnel or third parties.
11.2.b Verify that external scanning is occurring on a quarterly basis in accordance with the PCI Security Scanning Procedures, by inspecting output from the four most recent quarters of external vulnerability scans to verify that:
- Four quarterly scans occurred in the most recent 12-month period;
- The results of each scan satisfy the PCI Security Scanning Procedures (for example, no urgent, critical, or high vulnerabilities);
- The scans were completed by an Approved Scanning Vendor (ASV) qualified by PCI SSC.
Note: It is not required that four passing quarterly scans must be completed for initial PCI DSS compliance if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan. For subsequent years after the initial PCI DSS review, four passing quarterly scans must have occurred.
11.2.c Verify that internal and/or external scanning is performed after any significant change in the network, by inspecting scan results for the last year. Verify that the scan process includes rescans until passing results are obtained.
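The 11.2.b evidence review above can be turned into a repeatable check over the scan records an entity supplies to its QSA. The following is an added example, not 7Safe's or FishNet's code; the ScanRecord fields, the 365-day window and the severity names are assumptions, and the rescan rule is approximated as "every failing scan is followed by a later passing scan".

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Severities that fail a scan under the PCI Security Scanning Procedures (11.2.b)
FAILING_SEVERITIES = {"urgent", "critical", "high"}


@dataclass
class ScanRecord:                 # hypothetical evidence record, one per scan
    scan_date: date
    vendor: str
    asv_qualified: bool           # vendor on the PCI SSC ASV list when the scan ran
    highest_severity: str         # e.g. "none", "medium", "high", "critical"


def is_passing(scan: ScanRecord) -> bool:
    return scan.highest_severity not in FAILING_SEVERITIES


def quarter_of(d: date) -> tuple:
    return (d.year, (d.month - 1) // 3 + 1)


def check_11_2_b(scans, as_of, initial_assessment=False, quarterly_policy_documented=False):
    """Evaluate 11.2.b evidence as of `as_of`; returns (compliant, findings)."""
    window_start = as_of - timedelta(days=365)          # assumed 12-month window
    in_window = sorted((s for s in scans if window_start <= s.scan_date <= as_of),
                       key=lambda s: s.scan_date)
    findings = [f"{s.scan_date}: {s.vendor} is not a PCI SSC qualified ASV"
                for s in in_window if not s.asv_qualified]
    # A quarter only counts if it holds a passing scan by a qualified ASV
    passing_quarters = {quarter_of(s.scan_date) for s in in_window
                        if s.asv_qualified and is_passing(s)}
    if len(passing_quarters) >= 4:
        return True, findings
    findings.append(f"only {len(passing_quarters)} of 4 quarters have a passing ASV scan")
    if not initial_assessment:                           # subsequent years: no exception
        return False, findings
    # Initial-assessment exception from the note under 11.2.b: latest scan passes,
    # a quarterly scanning policy exists, and every failure was remediated in a rescan
    if not in_window or not (in_window[-1].asv_qualified and is_passing(in_window[-1])):
        findings.append("most recent scan is not a passing ASV scan")
        return False, findings
    if not quarterly_policy_documented:
        findings.append("no documented quarterly scanning policy")
        return False, findings
    for i, s in enumerate(in_window):
        if not is_passing(s) and not any(is_passing(r) for r in in_window[i + 1:]):
            findings.append(f"{s.scan_date}: failing scan never followed by a passing rescan")
            return False, findings
    return True, findings
```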

