Companies that accept, process, or store credit card data must comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS). The goal: to protect sensitive payment data as effectively as possible.
The regular external vulnerability scan, known as the ASV scan, is a key part of the PCI DSS requirements. It may only be carried out by Approved Scanning Vendors (ASVs) certified by the PCI Security Standards Council. This means you have experienced experts at your side who take care of the technical side of things.
However, your cooperation is also required. To ensure that the scan runs smoothly and the results are usable, you need to make certain preparations and arrangements - both on your part and in coordination with the ASV. In reality, it is often at this point that questions or misunderstandings arise.
We asked our colleague Sebastian Düringer, Managing Security Consultant and responsible for scanning services, for tips to help you make the most of your next ASV scan: What are the most common challenges and what practical tips can he offer based on his experience?

Key facts about the ASV scan:
- What is an ASV scan? An automated vulnerability scan that checks publicly accessible systems for security gaps - in other words, everything that is accessible from the Internet.
- What is being scanned? Typically, IT systems such as web applications or other infrastructure components with external access.
- How does the scan work? The scanner enumerates the services reachable on the specified IP addresses or domains, fingerprints them, and compares the detected versions and behaviour with a database of known vulnerabilities. The result: a detailed scan report listing all findings, each with a CVSS score.
- How often do scans need to be performed? According to PCI DSS v4.0.1, at least once every three months (Requirement 11.3.2). Additionally, after every significant change to your IT environment (Requirement 11.3.2.1).
From Scope Definition to False Positives: 4 Tips for a Successful ASV Scan
1. How do I define the correct scope for the ASV scan?
An often underestimated issue is the correct definition of the scan scope. Which systems need to be checked? How extensive does the scan need to be? It is important to note that if in-scope systems are overlooked or mistakenly excluded, the scan is considered incomplete and therefore cannot be used to demonstrate PCI DSS compliance.
Our expert tip: Regularly check which of your systems actually need to be included in the ASV scan, especially after infrastructure or domain changes. Consult with your IT manager and identify all relevant assets. This will allow you to define the scope appropriately and ensure that the scan is complete.
2. What to do if vulnerabilities are discovered?
Many companies fear a failed scan result. However, vulnerabilities are the rule rather than the exception - the key is how they are dealt with. For the pass/fail decision, only findings with a CVSS (Common Vulnerability Scoring System) base score of 4.0 or higher matter, plus a small set of vulnerability classes (such as SQL injection, cross-site scripting and default credentials) that the ASV Program Guide treats as automatic failures regardless of their score. If such findings are not false positives (more on this in question 4), they must be remediated promptly and a new scan must be performed until a clean result is achieved.
Our expert tip: Make use of regular external vulnerability scans as a kind of “early warning system” to identify all vulnerabilities before the ASV scan. Also, allow for enough time to make any necessary improvements. This will ensure that you are well prepared for an ASV scan.
3. How do active firewalls (IDS/IPS) affect the scan?
Active protection systems such as IDS/IPS or web application firewalls can distort a scan or render it incomplete by blocking or throttling the scanner after its first probes. According to the ASV Program Guide, such systems must be configured so that they do not interfere with the scan, so that all reachable services can actually be checked for vulnerabilities. If the scanner was blocked, the resulting report is incomplete and may be rejected because not all systems could be checked.
Our expert tip: Inform your IT team in advance. If necessary, whitelist the scanner's source IP addresses in your firewalls, IDS/IPS and WAF for the scan window so that the scanner can reach all services without active blocking. Note that this exception applies only to active blocking of the scanner; the systems themselves are still scanned exactly as an attacker would see them.
4. How do we deal with false positives?
It is not unusual for the scanner to report a vulnerability that the system does not actually have - a false positive. A typical cause is version detection based on service banners: a distribution backport fixes the flaw but leaves the reported version string unchanged, so the scanner flags it as vulnerable.
Our expert tip: Document known false positives together with evidence (for example the package changelog, a configuration excerpt or a screenshot showing the fix is in place) and submit them to your ASV provider. The ASV reviews the evidence and, if it holds up, marks the finding as a false positive in the report; keep the documentation at hand so it can be reused for upcoming scans.
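The four tips above translate into a small triage step that many teams run on the raw scan export before talking to the ASV: check that every declared host was actually scanned (tips 1 and 3), separate findings that fail the scan from informational ones (tip 2), and set aside the failing findings for which documented false-positive evidence exists (tip 4). The following is an added example written for this article; it is not code from usd AG or from any scanning platform. The hosts, plugin IDs, titles and the false-positive register are constructed sample data, and the automatic-failure categories are a hypothetical tagging of the classes the ASV Program Guide fails regardless of CVSS score.

```python
"""Triage of a constructed ASV-style scan export against the PCI DSS ASV pass/fail rules.

Added example, not code from the original article, usd AG or any scanning platform.
All hosts (RFC 5737 documentation range), plugin IDs and titles are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# ASV Program Guide: a finding with CVSS base score >= 4.0 fails the scan ...
CVSS_FAIL_THRESHOLD = 4.0

# ... and some vulnerability classes fail automatically regardless of score.
# The category names are this example's own tags, not an official list format.
AUTO_FAIL_CATEGORIES = {
    "sql-injection", "cross-site-scripting", "directory-traversal",
    "default-credentials", "dns-zone-transfer", "open-database-access",
}

FindingKey = Tuple[str, int, str]  # (host, port, plugin_id)


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin_id: str
    title: str
    cvss: float
    category: str = "generic"

    @property
    def key(self) -> FindingKey:
        return (self.host, self.port, self.plugin_id)

    def fails_scan(self) -> bool:
        return self.cvss >= CVSS_FAIL_THRESHOLD or self.category in AUTO_FAIL_CATEGORIES


@dataclass
class TriageResult:
    failing: List[Finding] = field(default_factory=list)        # must be fixed and rescanned
    disputed: List[Finding] = field(default_factory=list)       # documented FP, pending ASV review
    informational: List[Finding] = field(default_factory=list)  # below threshold, no fail
    unscanned_in_scope: Set[str] = field(default_factory=set)   # declared but never answered
    undeclared_hosts: Set[str] = field(default_factory=set)     # scanned but missing from scope

    @property
    def complete(self) -> bool:
        return not self.unscanned_in_scope

    @property
    def passes_before_review(self) -> bool:
        """Only complete scans with no undisputed failing finding can pass.
        Disputed findings still need the ASV to accept the evidence."""
        return self.complete and not self.failing


def triage(findings: Iterable[Finding], declared_scope: Iterable[str],
           scanned_hosts: Iterable[str], fp_register: Dict[FindingKey, str]) -> TriageResult:
    """Sort findings into failing / disputed / informational and check scope coverage.

    fp_register maps a finding key to the evidence text submitted to the ASV; an
    entry without evidence does not count as a dispute and the finding keeps failing.
    """
    result = TriageResult()
    result.unscanned_in_scope = set(declared_scope) - set(scanned_hosts)
    result.undeclared_hosts = set(scanned_hosts) - set(declared_scope)
    for f in findings:
        if not f.fails_scan():
            result.informational.append(f)
        elif fp_register.get(f.key, "").strip():
            result.disputed.append(f)
        else:
            result.failing.append(f)
    return result


# Constructed sample data: three declared hosts, one of which an IPS blocked entirely.
DECLARED_SCOPE = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
SCANNED_HOSTS = {"203.0.113.10", "203.0.113.11"}

SAMPLE_FINDINGS = [
    Finding("203.0.113.10", 443, "web-server-version", "Outdated web server version in banner", 7.5),
    Finding("203.0.113.10", 443, "tls-weak-cipher", "Weak TLS cipher suite supported", 5.3),
    Finding("203.0.113.11", 80, "reflected-xss", "Reflected XSS in search parameter", 2.6,
            "cross-site-scripting"),  # low CVSS, but an automatic failure
    Finding("203.0.113.11", 22, "ssh-banner", "SSH service banner disclosure", 0.0),
]

FALSE_POSITIVE_REGISTER = {
    ("203.0.113.10", 443, "web-server-version"):
        "Distribution backport: package changelog shows the fix applied; banner unchanged.",
    ("203.0.113.10", 443, "tls-weak-cipher"): "",  # no evidence attached: still fails
}

if __name__ == "__main__":
    r = triage(SAMPLE_FINDINGS, DECLARED_SCOPE, SCANNED_HOSTS, FALSE_POSITIVE_REGISTER)
    print("complete:", r.complete, "unscanned:", sorted(r.unscanned_in_scope))
    print("failing:", [f.plugin_id for f in r.failing])
    print("disputed:", [f.plugin_id for f in r.disputed])
    print("informational:", [f.plugin_id for f in r.informational])
    print("passes before ASV review:", r.passes_before_review)
```

Run against the sample data, the scan is incomplete (203.0.113.12 never answered, which is the firewall case from tip 3), the weak TLS cipher and the low-scored XSS still fail, the banner-based version finding is set aside as disputed, and the SSH banner is informational. Only once the blocked host is rescanned, the two failing findings are fixed and the ASV accepts the backport evidence would the report pass.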
"Many people see an ASV scan as nothing more than a 'mandatory requirement'. I see it differently: when used correctly in combination with regular external vulnerability scans, it makes a decisive contribution to improving your security architecture."
Sebastian Düringer, Managing Security Consultant at usd HeroLab and responsible for scanning services at usd AG
Are you familiar with our usd PCI DSS scanning platform?
Our platform provides targeted support for the typical challenges associated with ASV scans and offers a wide range of practical features:
- Easy planning and implementation
- Transparent results: You receive a complete overview of all relevant vulnerabilities, including technical details and specific recommendations for remediation.
- Efficient processing: Export the results directly as Jira tickets or as an Excel file to follow up internally or with service providers.
- Direct comment function: Vulnerabilities can be commented on directly within the tool - for quick coordination within the team or with our analysts.
- Easily report false positives: Highlight potential false positives directly within the platform and add a comment.
- Consulting included: Our experts are here to assist you - at no extra cost. We help you understand the scan results, find suitable solutions, and identify false positives.
Do you have questions or need assistance with your next ASV scan? Contact us anytime at pci@usd.de.