Approved Scanning Vendor (ASV) | PCI Security Standards Council Approved

Approved Scanning Vector (ASV)

IntaForensics® consultants focus on current and impending cyber security risks, advising and supporting clients to ensure they understand the dangers and implications of a successful attack. In a world where your data is a highly sought-after commodity, making sure it is protected must be regarded as a top priority for all organisations.

What is an Approved Scanning Vector?

An ASV is an organisation or entity that is qualified by the Payment Card Industry Security Standards Council (PCI SSC) to conduct external scanning to assess the vulnerability of a client organisation.

In partnership with the approved ASV company Qualys Inc., IntaForensics utilise the Qualys Cloud Platform to offer an ASV scanning service for PCI DSS customers. Vulnerability scanning and remediation services are delivered by IntaForensics consultants with the final attestation provided by Qualys Inc.

The purpose of the Program is to validate adherence with the external scanning requirements of PCI DSS requirement 11.2.2.

As a PCI SSC accredited Qualified Security Assessor (QSA) Company, IntaForensics are very experienced in the review of payment processing environments and the provision of relevant, focused and valued advice/recommendations.

What will the process look like?

Initial Vulnerability Scan

Data flow and network diagrams requested from customer.

Remote review prior to coming on site.

Remediation Work (If required)

Discussion of applicable SAQ level.

Review of provided information and interviews with key staff.

Review of applicable PCI DSS requirements.

ASV Attestation

Final scan submitted to Qualys inc. ASV team

Evidence requested for any false positive or reporting requirements.

Final ASV Attestation issued to customer.

ASV Scan Requirements

ASV scans are mandated for organisations based on PCI DSS requirements for external vulnerability scans. If your Self-Assessment or on site assessment has identified that requirement 11.2 of the current PCI DSS standard applies to your CDE, quarterly external scans are required.

If you are currently self-assessing against PCI DSS and are unsure if ASV scans are required, please speak to our QSA Team who can provide assistance with SAQ selection and identifying applicable requirements.

IntaForensics utilise a cloud-hosted scanning platform to perform an in-depth vulnerability scan against external hosts and perimeter firewalls of the customers Cardholder Data Environment (CDE). Once per quarter, IntaForensics specialist staff run an initial vulnerability scan against the required host addresses / domain names. Remediation requirements which score above a CVSS score 4.0 or higher will be reported to the customer to be resolved. IntaForensics will provide telephone and email support up to a maximum of 2 hours. Remediation requiring more extensive support will be delivered on a consultancy basis if required. Following remediation, a further scan is run to confirm that any remediation is effective. Once a passing PCI Scan has been reached, the scan is submitted to Qualys Inc. ASV team for attestation. This will be completed and returned within 48 hours.

5 IP addresses per quarter are comprised in the service cost, which includes the initial scan and a follow up re-scan if remediation work is required.

As regular customers of IntaForensics, I highly recommend the company for the services delivered by Damian Walton and his team. I couldn’t praise their Cyber Essentials services and support highly enough.