PCI DSS ASV (Approved Security Vendor) Scanning

Why run a PCI ASV scan?

Requirement 11.3 of the PCI DSS (Payment Card Industry Data Security Standard) mandates internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications and product upgrades).

External quarterly scans must be performed by a PCI SSC ASV (Payment Card Industry Security Standards Council Approved Security Vendor).

Who must undertake PCI ASV scans?

All acquiring banks require proof that merchants and service providers are PCI compliant before processing credit card payments.

Failure to provide proof of being PCI compliant (called an Attestation of Compliance) will result in a fine per payment card transaction from your bank.

Learn more about PCI DSS annual validation criteria

Benefits of PCI ASV scanning

Conducting vulnerability scans provides valuable information that supports efficient patch management and other security measures that improve the security of the CDE (cardholder data environment).

Although firewalls are designed to keep malicious actors out of your networks, they must leave specific ports open for web, email, FTP and other Internet-based services, leaving you vulnerable to exploitation.

Vulnerability scans can help identify these weaknesses, informing your security practices.

How do PCI ASV scans work?

Scanning tools essentially run a series of if-then scenarios designed to detect system settings and the tell-tale signs of vulnerabilities. A completed scan will provide a logged summary of alerts for you to act on.

To pass an ASV scan, all items listed as critical, high-risk or medium-risk (or with a CVSS score of 4.0 or higher), and specific findings that are considered an ‘automatic failure’, must be either remediated or disputed by the organisation.

Learn more about our PCI DSS compliance solutions

SAVE 25%