What Is An Approved Scanning Vendor?

Performing external vulnerability scanning of business networks and services is vital to protecting an organization: it identifies security weaknesses and exploitable vulnerabilities so that the organization can remediate issues and manage risk effectively. For organizations subject to PCI DSS compliance, external scans must be performed by an Approved Scanning Vendor (ASV) and pass at least quarterly to maintain compliance. MegaplanIT is an Approved Scanning Vendor, supporting global customer locations.

What is an ASV?

As defined by the PCI SSC, an ASV is a company approved by the PCI SSC to conduct external vulnerability scanning services. The PCI SSC requires ASV companies to meet a set of ASV Qualification Requirements, spanning business requirements, service capabilities, personnel qualifications, administrative requirements, and service requalification. As an ASV, MegaplanIT undergoes rigorous testing of its ASV services, demonstrating that its services meet or exceed detection and capability requirements defined by the PCI SSC’s ASV Program and Qualification Requirements.

What are the ASV Scan Requirements for Customers?

Carrying out ASV scans is a fundamental task in ensuring network security. For those new to the procedure, it is crucial to understand that external vulnerability scans must adhere to the following stipulations:

  • They should be conducted at least once every three months.
  • They must be performed by a company certified as an Approved Scanning Vendor (ASV) by the PCI Security Standards Council (PCI SSC).
  • Scans should be comprehensive, covering all system components within the scope of the PCI DSS.
  • Customers should remediate all vulnerabilities identified by the scans and re-scan the system until it passes the ASV scan.
  • After every scan, customers should submit a scan report to their acquirer or payment brand.
  • Scans should include both IPv4 and IPv6 addresses, as well as any other necessary unique identifiers (such as domain names) for your organization’s externally facing systems.
  • Any changes in the system or network configuration or any other changes that could impact security must be followed by a new vulnerability scan.

Where do I start?

Customers first need to engage with an ASV Company. MegaplanIT’s streamlined and positive onboarding process has successfully transitioned customers of all sizes to our ASV services platform. Our ASV Portal and the team have helped seasoned organizations, as well as those stepping into PCI DSS compliance for the first time. The MegaplanIT team’s deep knowledge and experience with the ASV process enables us to provide a higher level of quality and support for our customers, providing more rapid responses to potential scanning issues and minimizing false positives.

Common Challenges

ASV scanning is a critical control that can make or break an organization’s compliance status. ASV customers need reliable, consistent, and timely support to avoid delays in completing passing scan reports. Building on our industry experience, we have implemented processes to address common challenges that organizations face in the ASV space:

  • Customer Support – We are more than a scan engine or portal. Our team understands ASV. We help organizations navigate past historical pain points to an understandable, repeatable scan experience.
  • Scan Disputes & False Positives – Our team provides clear guidance on the remediation required, as well as methods to quickly address scan disputes or potential false positives.
  • Scan Setup – Our team works with your organization to understand scan target requirements and scan schedules that reduce impact during peak production cycles. We can also work with you to schedule more frequent scans than the quarterly minimum, to provide both greater assurance and a potential time buffer during situations that may require extended time to remediate specific vulnerabilities.
  • Re-scans – Our ASV Portal simplifies the re-scan process for customers that have remediated identified issues by allowing you to target a single IP or a few IPs rather than running a full rescan.

Conclusion

At MegaplanIT, we proactively anticipate customer needs in a wide range of security and compliance areas and respond swiftly and effectively. We are constantly working to improve the process of ASV attestation, with the aim of making it as simple and painless as possible. Both new and existing customers can rely on us for a timely and consistent ASV experience. Contact us today to learn how our ASV services and dedicated customer team can enhance your compliance efforts, allowing you to concentrate on your business’s core areas.
