Approved Scanning Vendor Overview

Performing external vulnerability scanning of business networks and services is vital to protecting an organization, as it identifies security weaknesses and exploitable vulnerabilities, and implements steps to remediate issues and manage risk effectively. For organizations subject to PCI DSS compliance, external scans must be performed by an Approved Scanning Vendor (ASV) and pass at least quarterly to maintain compliance. MegaplanIT is an Approved Scanning Vendor, supporting global customer locations.

What is an ASV?

As defined by the PCI SSC, an ASV is a company approved by the PCI SSC to conduct external vulnerability scanning services. The PCI SSC requires ASV companies to meet a set of ASV Qualification Requirements, spanning business requirements, service capabilities, personnel qualifications, administrative requirements, and service requalification. As an ASV, MegaplanIT undergoes rigorous testing of its ASV services, demonstrating that its services meet or exceed detection and capability requirements defined by the PCI SSC’s ASV Program and Qualification Requirements.

What are the ASV Scan Requirements for Customers?

Carrying out ASV scans is a fundamental task in ensuring network security. For those new to the procedure, it is crucial to understand that external vulnerability scans must adhere to the following stipulations:

• They should be conducted at least once every three months.
• They must be performed by a company certified as an Approved Scanning Vendor (ASV) by the PCI Security Standards Council (PCI SSC).
• Scans should be comprehensive, covering all system components within the scope of the PCI DSS.
• Customers should remediate all vulnerabilities identified by the scans and re-scan the system until it passes the ASV scan.
• After every scan, customers should submit a scan report to their acquirer or payment brand.
• Scans should include both IPv4 and IPv6 IP addresses, as well as any other necessary unique identifiers for your organization’s systems.
• Any changes in the system or network configuration or any other changes that could impact security must be followed by a new vulnerability scan.

Where do I start?

Customers first need to engage with an ASV Company. MegaplanIT’s streamlined and positive onboarding process has successfully transitioned customers of all sizes to our ASV services platform. Our ASV Portal and the team have helped seasoned organizations, as well as those stepping into PCI DSS compliance for the first time. The MegaplanIT team’s deep knowledge and experience with the ASV process enables us to provide a higher level of quality and support for our customers, providing more rapid responses to potential scanning issues and minimizing false positives.

Common Challenges

ASV scanning is a critical control that can make or break an organization’s compliance status. ASV customers need reliable, consistent, and timely support, to avoid delays with the completion of passing scan reports. Building on our industry experience we have implemented processes to address common challenges that organizations face in the ASV space:

• Customer Support – We are more than a scan engine or portal. Our team understands ASV. We help organizations navigate past historical pain points to an understandable, repeatable scan experience.
• Scan Disputes & False Positives – Our team provides clear guidance on the remediation required, as well as methods to quickly address scan disputes or potential false positives.
• Scan Setup – Our team works with your organization to understand scan target requirements and scan schedules that reduce impact during peak production cycles. We can also work with you to schedule more frequent scans than the quarterly minimum, to provide both greater assurance and a potential time buffer during situations that may require extended time to remediate specific vulnerabilities.
• Re-scans – Our ASV Portal simplifies the re-scan process for customers that have remediated identified issues by allowing you to target a single IP or a few IP’s rather than doing a full rescan.

Conclusion

At MegaplanIT, we proactively anticipate customer needs in a wide range of security and compliance areas and respond swiftly and effectively. We are constantly working to improve the process of ASV attestation. Our aim is to make it as simple and painless as possible. Both new and existing customers can rely on us for a timely and consistent ASV experience. Contact us today. Learn how our ASV services and dedicated customer team can enhance your compliance efforts, allowing you to concentrate on your business’s core areas.