The ASV Program Guide describes the various responsibilities for all parties involved in the PCI ASV Scanning process. There are a number of parties, but here we’re just concentrating on two. They are the scan customer (you) and the Approved Scanning Vendor (Ambersail).
The following text is taken from the official ASV program guide, which you can download from here if you’d like to read the full document.
The Scan Customer
Scan customers are responsible for the following:
- Maintaining compliance with the PCI DSS at all times, which includes properly maintaining the security of their Internet-facing systems.
- Selecting an ASV from the list of Approved Scanning Vendors from the Council’s website to
- conduct quarterly external vulnerability scanning according to PCI DSS Requirement 11.2.2 .
- Perform due diligence in the ASV selection process, per the scan customer’s due-diligence processes, to obtain assurance as to the ASV’s level of trust to perform scanning services.
- To the degree deemed appropriate by the scan customer, monitor Internet-facing systems, active protection systems, and network traffic during the scan, to assure an acceptable level of trust is maintained.
- Defining the scope of external vulnerability scanning, which includes:
- Providing the IP addresses and/or domain names of all Internet-facing systems to the ASV so the ASV can conduct a full scan.
- Implementing proper network segmentation for any excluded external-facing IP addresses.
- Ensuring that devices do not interfere with the ASV scan, including:
- Configuring active protection systems so they do not interfere with the ASV’s scan, as required by the ASV program guide.
- Coordinating with the ASV if the scan customer has load balancers in use.
- Coordinating with the scan customer’s Internet service provider (ISP) and/or hosting providers to allow ASV scans.
- Attesting to proper scoping and network segmentation (if IP addresses are excluded from scan scope) within the ASV solution.
- Providing sufficient documentation to the ASV to aid the ASV’s investigation and resolution of disputed findings, such as suspected false positives, and providing related attestation within an ASV solution.
- Reviewing the scan report and correcting any noted vulnerabilities that result in a non-compliant scan
- Arranging with ASV to re-scan any non-compliant systems to verify that all high severity and medium severity vulnerabilities have been resolved, to obtain a passing quarterly scan.
- Submitting the completed ASV scan report to the scan customer’s acquirer or payment brands, as directed by the payment brands.
- Providing feedback on ASV performance in accordance with the ASV Feedback Form.
Approved Scanning Vendors
An ASV is an organization with a set of security services and tools (“ASV scan solution”) to validate adherence to the external scanning requirement of PCI DSS Requirement 11.2.2.
The scanning vendor’s ASV scan solution is tested and approved by PCI SSC before an ASV is added to PCI SSC’s List of Approved Scanning Vendors. ASVs are responsible for the following:
- Performing external vulnerability scans in accordance with PCI DSS Requirement 11.2.2, and in accordance with this document and other supplemental guidance published by the PCI SSC.
- Maintaining security and integrity of systems and tools used to perform scans.
- Making reasonable efforts to ensure scans:
- Do not impact the normal operation of the scan customer environment.
- Do not penetrate or intentionally alter the customer environment.
- Scanning all IP ranges and domains provided by scan customer to identify active IP addresses and services.
- Consulting with the scan customer to determine if IP addresses found, but not provided by the scan customer, should be included.
- Providing a determination as to whether the scan customer’s components have met the scanning requirement.
- Providing adequate documentation within the scan report to demonstrate the compliance or noncompliance of the scan customer’s components with the scanning requirements.
- Submitting the ASV Scan Report Attestation of Scan Compliance cover sheet (called hereafter Attestation of Scan Compliance) and the scan report in accordance with the acquirer or payment brand instructions.
- Including required scan customer and ASV company attestations in the scan report as required by the ASV program guide.
- Retaining scan reports and related work products for 2 years, as required by the Validation Requirements for Approved Scanning Vendors.
- Providing the scan customer with a means for disputing findings in the scan report.
- Maintaining an internal quality assurance process for ASV efforts in accordance with this document and other supplemental guidance published by the PCI SSC.