
PCI-DSS ASV Vulnerability Scanning

For several years MTI have partnered with Westpoint Limited to deliver a Payment Card Industry Data Security Standard (PCI-DSS) certified Approved Scanning Vendor (ASV) scanning service. Westpoint have been an ASV since the inception of the PCI testing program. Their ASV certificate number is 3974-01-06.

MTI PCI-DSS ASV Vulnerability Scanning: Overview

Not all ASVs are equal. In our opinion Westpoint provide one of the best PCI scanning solutions available because of their blended approach to vulnerability testing, combining automated scanning with manual verification. This lets them reliably discover the full range of vulnerability classes that the PCI SSC's ASV scanning documentation requires an ASV to detect. A description of their service and its benefits can be seen on our managed vulnerability scanning page.

Your PCI-DSS ASV Questions Answered

Q1. What does the DSS require me to do?

Requirement 11.2 of the DSS requires that all system components included in or connected to the cardholder data environment, such as servers, virtual servers, applications, firewalls and routers, are scanned for vulnerabilities at least quarterly and after any significant change.

In practice, we find that vulnerabilities expected to have been addressed by internal teams or external suppliers, can still remain after remediation has been attempted. This can leave a long window of exposure (12 weeks) if organisations work to the minimum requirement of quarterly scans. It is for this reason that MTI recommends a monthly testing regime as opposed to the minimum quarterly one.

Generally, quarterly test reports must be presented to your acquiring bank; however, you must follow your payment card company's compliance reporting requirements. To count as a passing scan, the report must contain no vulnerability that would cause a PCI scanning failure; under the ASV programme that means no finding rated CVSS 4.0 or higher and none of the conditions the programme treats as an automatic failure.

External vulnerability testing must be performed by an Approved Scanning Vendor (ASV).

Internal vulnerability scanning, network penetration testing, web application security testing and wireless testing do not need to be undertaken by an ASV; however, they do need to be conducted by individuals who are experienced in penetration testing and are organisationally independent of the systems being tested. The MTI penetration testing team have the skills and experience to conduct these assessments on behalf of our clients, as demonstrated by our membership of the UK Government's CHECK Scheme, the independent CREST scheme (Council of Registered Ethical Security Testers) and the PCI QSA scheme.


Q2. What information do I need to give you?

Usually we only need a list of the IP address ranges that contain system components associated with your cardholder environment. If you use name-based virtual hosting (several web sites served from the same IP address), it is particularly important to include the host names of every virtual server: each site can carry its own set of vulnerabilities, and a scan of the bare IP address will not exercise them. Once we have this and your written consent, we can begin testing.
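The scoping check described above can be done before the scope is sent to the ASV. The following is an added example, not MTI's or Westpoint's code: it takes the declared cardholder-environment address ranges and the virtual-host names, confirms that every name resolves to an address inside those ranges, and groups the names by IP so that no virtual host is left off the target list. The ranges, host names and the DNS answers in LOOKUP are constructed sample data (hypothetical) so that it runs offline; in practice LOOKUP would be replaced by live resolution such as socket.getaddrinfo.

```python
"""Validate an ASV scan scope: every virtual host must resolve to a declared range."""
import ipaddress

# Constructed sample scope: address ranges holding cardholder-environment components.
CDE_RANGES = ["203.0.113.0/28", "198.51.100.40/32"]

# Constructed virtual-host list: one IP address may front several sites.
VHOSTS = [
    "shop.example.com",
    "pay.example.com",
    "admin.example.com",
    "blog.example.com",
]

# Constructed DNS answers standing in for a live lookup (hypothetical data).
LOOKUP = {
    "shop.example.com": "203.0.113.5",
    "pay.example.com": "203.0.113.5",      # same IP as shop: a name-based vhost
    "admin.example.com": "198.51.100.40",
    "blog.example.com": "192.0.2.77",      # resolves outside the declared ranges
}


def parse_ranges(ranges):
    """Turn CIDR strings into network objects; strict=True rejects host bits set."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def build_scope(ranges, vhosts, lookup):
    """Return (targets, problems).

    targets:  {ip: sorted host names} for every in-scope address with at least
              one name, which is the list the ASV needs to scan each vhost.
    problems: (name, reason) for names that do not resolve, or that resolve to
              an address outside the declared ranges (a third-party host, a CDN
              front end, or a range missing from the scope).
    """
    nets = parse_ranges(ranges)
    targets = {}
    problems = []
    for name in vhosts:
        addr = lookup.get(name)
        if addr is None:
            problems.append((name, "no DNS answer"))
            continue
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            problems.append((name, f"{addr} is outside declared ranges"))
            continue
        targets.setdefault(str(ip), []).append(name)
    for names in targets.values():
        names.sort()
    return targets, problems


def address_count(ranges):
    """Number of addresses the ranges cover, useful when scoping and pricing."""
    return sum(net.num_addresses for net in parse_ranges(ranges))


if __name__ == "__main__":
    scope, issues = build_scope(CDE_RANGES, VHOSTS, LOOKUP)
    for ip, names in scope.items():
        print(ip, ", ".join(names))
    for name, why in issues:
        print("CHECK:", name, why)
    print("addresses in scope:", address_count(CDE_RANGES))
```

A name flagged by this check is either out of scope (and should be removed from the vhost list) or points at an address that belongs in CDE_RANGES and has been missed; either way it needs resolving before the ASV begins, since a scan of an address you do not own needs that owner's consent.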

Call our team today to discuss your situation and we'll make the process of scoping and pricing the ASV test easy for you.


Q3. How does the engagement process work?

Once the scope of the test has been finalised, we will agree with you a schedule of monthly or quarterly assessment dates and the source IP addresses from which testing will originate. You will need to inform us of who in your organisation is to receive the final test report and once this is agreed, we will commence the scanning on the date that was mutually agreed and your report will typically follow within 5 days of the test ending.


Q4. What will my organisation get out of it?

After the automated and manual testing has been completed, you receive a compliance report in the approved PCI format that you can submit to your acquiring bank, together with trending information, metrics and a range of other features that help you prioritise and monitor your remediation plan.

Optionally, we also offer a monthly or quarterly debriefing service using a secure conferencing facility and a desktop sharing application, in which a CHECK qualified consultant talks you through all of the issues found and their impact, explains why new issues may have been introduced, and why fixed issues may not have been fixed as intended.


Next Steps...

If you would like more information regarding PCI-DSS ASV Vulnerability Scanning, please contact the MTI penetration testing team to discuss your requirements.

  • CHECK Green Light Member

  • Member of the Council of Registered Ethical Security Testers
