ASV Scans are vulnerability assessments conducted over the Internet by an Approved Scanning Vendor (ASV).
Scans help identify vulnerabilities and misconfigurations in web sites, applications, and supporting networks with Internet-facing (IP) addresses. These scans are required in accordance with PCI DSS Requirement 11.2.
Scan results provide valuable information that supports efficient application, network and operating system configuration to improve protection against Internet attacks.
Typically, organisations that need to perform the ASV scans need to complete the relevant Self Assessment questionnaire. For this reason, we offer a complete ASV and Self Assessment package.
Our annual package consists of quarterly ASV scans and full assistance from our team of experienced Qualified Security Auditors (QSAs) in understanding and completing compliance documentation. This assistance is invaluable when you come to complete the SAQ. You will be able to pick up the phone and speak directly to our audit team.
Our ASV clients value our comprehensive and approachable style. Right from initial contact, we aim to assist clients with the correct course of action to get PCI compliant - even if it means that our services are not required.
Our self assessment and ASV scanning service applies to both Merchants and Service Providers. Although both types of organisation have to comply with the PCI DSS, the methods of demonstrating compliance are slightly different for each. Please see below for Merchant and Service Provider considerations...
Feel free to contact us to discuss any aspect of your security or compliance programme.
Some useful steps for Merchants when self assessing and ASV scanning:
- If you work with an Acquirer, you should have received a request from them to validate PCI compliance. Many Acquirers include advice on what Merchant level you are and what SAQ to complete.
- For Merchants, satisfying your Acquirer's requests is paramount. They will be working with payment card brands (Mastercard, Visa, Amex, JCB & Discover) to track the PCI compliance progress of their Merchant customer base. Keeping your Acquirer up to date on progress is therefore highly important.
- If you have not been told what your Merchant level is - do not worry. It is based on the number of transactions that you process. The rules are set by individual card brands - but are very similar for each. Contact us directly for advice on this.
- Once you understand what level of Merchant you are, you can determine how to validate compliance (unless your Acquirer has told you directly). Tier 3 and 4 Merchants validate using a Self Assessment Questionnaire. You can find out more about the SAQ at http://www.pcisecuritystandards.org.
- There are 4 types of SAQ: A, B, C and D. Each is based on the PCI Data Security Standard. The SAQ that you opt to complete is based on how you store, process or transmit card data. It is worth understanding your arrangements before reviewing the SAQs.
- Some SAQs are more complex than others. This is to ensure you have fully assessed your entire card processing environment. In several of the SAQs you will find ASV scan requirements in section 11.2. Note that ASV scanning only forms a small part of your overall compliance objective.
- ASV scanning targets network entry points into your cardholder data environment (CDE). This is normally represented by one or more TCP/IP addresses that are visible from the public Internet. It can also include URL or web site references for sites that handle card data. You need to compile a list of these addresses - as these will be supplied to us for inclusion in the scan.
- Scanning needs to happen once a quarter. You will need to demonstrate that you have no serious vulnerabilities (as measured by us as an ASV). Should weaknesses be identified, they need to be fixed and a rescan performed to demonstrate that the problems are no longer there.
- Scan report findings are presented in 2 reports. An executive summary report will highlight the main features and findings of the scan. An accompanying report - the detailed report - will list the issues and suggested fixes.
- As previously stated, the scans feed directly into your SAQ submission. Once the SAQ is completed, the document needs to be submitted to your Acquirer. They may have told you to submit by a particular date. A very important point to note is that you must complete the SAQ accurately. If there are sections that are not compliant - mark them as such and let your Acquirer know what you are going to do to fix the problem and when you are going to perform the work. Transparency is key.
Some useful steps for Service Providers when self assessing and ASV scanning:
- You may have received a request from your Merchant(s) to validate PCI compliance. Your PCI compliance feeds directly into the Merchant's PCI compliance.
- There are 2 levels of service provider. The level is based on the number of transactions that you store, process or transmit. If that amounts to below 300,000 card transactions you are a Tier 2 Service Provider. As a Tier 2, you self assess to validate compliance once you are confident that you meet all of the applicable requirements in your SAQ. The rules are set by individual card brands - but are very similar for each. Contact us directly for advice on this.
- Tier 2 Service Providers validate using a Self Assessment Questionnaire. You can find out more about the SAQ at http://www.pcisecuritystandards.org.
- Currently you will be expected to complete SAQ D.
- You will find ASV scan requirements in section 11.2.
- For more information on the scan process - see the ASV scan information for Merchants above.
- As previously stated, the scans feed directly into your SAQ submission. Once the SAQ is completed, an accompanying Attestation of Compliance document is normally submitted to your Merchant. A very important point to note is that you must complete the SAQ accurately. If there are sections that are not compliant - mark them as such and let your Merchant know what you are going to do to fix the problem and when you are going to perform the work. Transparency is key.
Featured service...
Our PCI policy pack is a detailed suite of documents that has been developed by our experienced QSA team.
Additional Information
- We are an experienced ASV - performing ASV scans for over 5 years.
- Communication is very important and our self assessment package includes invaluable advice that often saves organisations time and money.
- Our ASV support team consists of experienced penetration testers and QSAs.
- If required, we can independently liaise with your Acquirer to ensure you correctly interpret Acquirer requests.
- Top 10 PCI DSS compliance reduction strategies.