PCI ASV scans

Approved Scanning Vendor (ASV) network scans are external vulnerability scans performed by a scanning company approved by the PCI Security Standards Council (PCI SSC) to detect potential vulnerabilities in Internet-facing systems. If one or more systems that store, process, or transmit cardholder data are reachable from the Internet (directly or through remote access), documented quarterly external network scans by an ASV are required.


SC2labs provides PCI ASV scanning services through a qualified ASV organization approved by the PCI Security Standards Council.

According to PCI DSS requirement 11.2 (numbering as in PCI DSS v3.2.1; PCI DSS v4.0 moves the same scanning requirements under 11.3):

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

  • 11.2.1: Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking. Scans must be performed by qualified personnel.
  • 11.2.2: Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the PCI SSC. Perform rescans as needed, until passing scans are achieved.
  • 11.2.3: Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.


SC2labs offers managed external ASV scanning and internal vulnerability scanning services to meet PCI DSS requirement 11.2 and its three sub-requirements.

The scans check externally facing, publicly reachable IT resources (IPv4 and/or IPv6 addresses, networks, domains, etc.) using over 150,000 non-invasive tests covering a wide range of technologies, platforms, and applications.

The network vulnerability scan aims to detect weaknesses in the architecture and configuration of the systems in scope that an attacker could use to get past the perimeter firewalls and servers and into the internal network.




The main phases of the scanning process consist of:


  • An initial teleconference, during which we determine the range of IP addresses/domains subject to the ASV scan (the scope must cover every Internet-facing system component of the cardholder data environment), provide a pre-scan checklist and details about the test, and schedule a convenient date for the first PCI ASV scan.

  • Scanning process. The duration of the PCI ASV scan depends on the type of systems being tested, their complexity, and the number of services in scope. After the scan is completed, the reports are sent to the customer and include:

    • PCI ASV Attestation of Scan Compliance,

    • PCI ASV Vulnerability Details Report,

    • PCI ASV Executive Summary Report.

  • Review of the reports and identified potential vulnerabilities. All vulnerabilities are grouped by risk (Common Vulnerability Scoring System, CVSS) and cross-referenced to the most common identifiers (CVE, OVAL), with links to descriptions of the detected vulnerabilities and to vendor bulletins. Under the PCI ASV Program Guide, any vulnerability with a CVSS base score of 4.0 or higher results in a failing scan, so if the PCI ASV scan result is "fail", the findings must be remediated and a re-scan performed in the same quarter until "pass" status is achieved. Where a finding is a false positive or is mitigated by a compensating control, the customer may submit comments with evidence for the PCI ASV engineer to evaluate; an accepted finding is designated False Positive or Acceptable Use/Risk (an exception) and no longer counts against the scan result.

  • Receive the PCI ASV Attestation of Scan Compliance with PASS status. Once this process is completed, the scan is repeated automatically every 90 days. The scope and date of the scan can be modified upon request. Scans required after a significant change (11.2.3) are in addition to this quarterly cadence.
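As an added illustration of how the pass/fail decision and the 90-day cadence described above work (this is not code from the SC2labs page or from any ASV's scanning platform), the following Python scores a set of findings the way the PCI ASV Program Guide does: the severity bands (High 7.0-10.0, Medium 4.0-6.9, Low 0.0-3.9) and the 4.0 CVSS failing threshold come from that guide, while the host addresses, finding titles, dates, the `automatic_failure` flag and the disposition strings are constructed assumptions for the example; a real ASV report will use its own format.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Severity bands and the pass/fail threshold from the PCI ASV Program Guide
# (CVSS base score): High 7.0-10.0, Medium 4.0-6.9, Low 0.0-3.9. Any finding
# scoring 4.0 or higher fails the scan unless the ASV has accepted it as a
# false positive or an exception (compensating control).
FAIL_THRESHOLD = 4.0
HIGH, MEDIUM, LOW = "High", "Medium", "Low"
ACCEPTED_DISPOSITIONS = ("false_positive", "exception")


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    # Some findings fail an ASV scan regardless of CVSS score; modelled here
    # with a plain flag (assumption) rather than the Program Guide's own list.
    automatic_failure: bool = False
    # Set only once the ASV engineer has accepted the customer's evidence.
    disposition: Optional[str] = None


def severity(cvss: float) -> str:
    """Map a CVSS base score to the ASV severity band."""
    if cvss >= 7.0:
        return HIGH
    if cvss >= FAIL_THRESHOLD:
        return MEDIUM
    return LOW


def is_failing(f: Finding) -> bool:
    """A finding counts against the scan unless the ASV accepted a disposition."""
    if f.disposition in ACCEPTED_DISPOSITIONS:
        return False
    return f.automatic_failure or f.cvss >= FAIL_THRESHOLD


def evaluate_scan(findings: List[Finding]) -> Dict[str, object]:
    """Return the overall PASS/FAIL status plus findings grouped by severity."""
    by_severity: Dict[str, List[Finding]] = {HIGH: [], MEDIUM: [], LOW: []}
    for f in findings:
        by_severity[severity(f.cvss)].append(f)
    failing = [f for f in findings if is_failing(f)]
    return {
        "status": "FAIL" if failing else "PASS",
        "failing": failing,
        "by_severity": by_severity,
    }


def next_scan_due(last_pass: date, today: date, window_days: int = 90) -> Tuple[date, int]:
    """Deadline for the next quarterly scan and the days left (negative if overdue)."""
    deadline = last_pass + timedelta(days=window_days)
    return deadline, (deadline - today).days


# Constructed sample results for two hosts in the TEST-NET-3 documentation range.
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", "TLS 1.0 accepted by HTTPS service", 6.5),
    Finding("203.0.113.10", "Server banner discloses software version", 2.6),
    Finding("203.0.113.11", "Remote code execution in outdated web framework", 9.8),
]
SAMPLE_LAST_PASS = date(2024, 1, 15)  # constructed date of the last passing scan
SAMPLE_TODAY = date(2024, 4, 1)       # constructed "today"

if __name__ == "__main__":
    first = evaluate_scan(SAMPLE_FINDINGS)
    print("Initial scan:", first["status"])
    for f in first["failing"]:
        print(f"  FAIL {f.host}: {f.title} (CVSS {f.cvss}, {severity(f.cvss)})")

    # Remediation cycle: the RCE is patched, and the TLS 1.0 finding is accepted
    # by the ASV as an exception after evidence of a compensating control.
    rescan = [replace(SAMPLE_FINDINGS[0], disposition="exception"), SAMPLE_FINDINGS[1]]
    print("Re-scan:", evaluate_scan(rescan)["status"])

    deadline, days_left = next_scan_due(SAMPLE_LAST_PASS, SAMPLE_TODAY)
    print(f"Next scan due {deadline} ({days_left} days left)")
```

Run as a script, the first evaluation fails on the Medium TLS finding and the High RCE finding while the Low banner finding is reported but does not affect the result; the re-scan passes once the RCE is gone and the ASV has accepted the exception. Note that an accepted disposition applies only to the specific finding and host, so new Medium or High findings on a later scan fail it again.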

