Do you need help with Quarterly Vulnerability Scans (ASV) to follow PCI DSS?
Once a company has obtained its PCI DSS certification, the work to remain certified begins. Working closely with an ASV (Approved Scanning Vendor), Complior can help companies carry out the quarterly vulnerability scans that PCI DSS requires.
QUARTERLY ASV SCANNING A PCI DSS REQUIREMENT
PCI ASV scans are a requirement for companies that need to comply with requirement 11 of PCI DSS. Among other things, the requirement obliges entities to scan the external perimeter of the Cardholder Data Environment (CDE) on a quarterly basis and to perform both internal and external scans after any significant change. The quarterly external scans must be performed by an ASV, and a scan only counts as passing when no vulnerability with a CVSS base score of 4.0 or higher remains; a failing scan must be remediated and rescanned until a passing report is obtained for that quarter.
Complior offers ASV scans performed by an Approved Scanning Vendor approved by the PCI SSC (Payment Card Industry Security Standards Council). Our experienced PCI QSA security specialists can scan your IT environment on a regular basis to help you reach and maintain your PCI DSS certification.
WE OFFER TWO DIFFERENT APPROACHES TO ASV SCAN AS A SERVICE:
SCAN IT YOURSELF (SIY)
The client is provided with an account on the ASV platform, where they run their scans on a quarterly basis and assess and remediate any vulnerabilities found on their own.
WE SCAN IT FOR YOU (WSIFY)
The client gives Complior the IP addresses and domains in scope, and our experienced security consultants conduct the scan on a quarterly basis and deliver a report for the client's records. With Complior managing the process, you as the client don't need to hire security experts or vulnerability assessors, since we do it all for you.
THE RESPONSIBILITIES OF A PCI APPROVED SCANNING VENDOR
- Performing external vulnerability scans in accordance with PCI DSS requirement 11.2 (renumbered 11.3.2 in PCI DSS v4.0).
- Maintaining security and integrity of systems and tools that are used to perform scans
- Making reasonable effort to ensure scans:
- Do not impact the normal operation of the customer environment
- Do not penetrate or intentionally alter the customer environment
- Scanning all IP ranges and domains provided by customer to identify active IP addresses and services
- Consulting with the customer to determine if IP addresses found, but not provided by the customer, should be included
- Providing a determination as to whether the customer’s components have met the scanning requirement
- Providing adequate documentation within the scan report to demonstrate the compliance or non-compliance of the customer’s components with the scanning requirements
- Submitting the ASV Scan Report Attestation of Scan Compliance in accordance with the acquirer's or payment brand's instructions
- Retaining scan reports and related work products for two years
- Providing the customer with a means for disputing findings in the scan report
- Maintaining an internal quality assurance process for the ASV scanning service