usd AG Again Accredited as Worldwide Approved Scanning Vendor (ASV)

9. June 2021

“A few days ago we again received the worldwide accreditation as Approved Scanning Vendor (ASV) with our usd PCI DSS Platform and our ASV Scanning Services,” Andreas Duchmann, Managing Director of usd AG, is pleased to announce. “This means that we have consistently passed the international ASV qualification for 16 years. This is an important proof of our competence and quality in performing automated, technical vulnerability scans.”

As part of their PCI DSS certification, companies that process, store or forward credit card data must check their affected IT systems for vulnerabilities with an external scan on a quarterly basis. These scans may only be performed by an ASV that is audited, accredited, and on the official list of approved scanning vendors by the PCI Security Standards Council (PCI SSC); results from non-accredited suppliers are effectively revoked by the PCI SSC.

Annual Accreditation

All ASV organizations must undergo annual re-accreditation with the PCI SSC. In doing so, relevant suppliers must meet or exceed the requirements from the Qualification Requirements for Approved Scanning Vendors. The review is based on a structured, transparent process and requires, among other things, participation in required training sessions, an audit of the ASV staff and, most importantly, a successful test result in the PCI SSC’s ASV Lab Scan Test.

Scanning Solution Is Tested in Depth

Stephan Neumann, Head of usd HeroLab, who accompanied the accreditation of the scanning solution, reports, “The review of the scanning solution does not only look at processes and organizations. Our usd PCI DSS Platform was tested in the ASV validation lab of the PCI SSC as part of a vulnerability analysis that mimics reality. These are simulated network environments with vulnerable hosts and network devices in which the scanning solution has to detect, identify and report all technical vulnerabilities within one day. In some cases, these are complex vulnerabilities that can only be found with the best tools based on years of experience.”

This ASV Lab Scan Test verifies that the submitted scan solution meets the current technical requirements: all vulnerabilities must be identified, correctly assessed and adequately documented in the scan test report. This is the only way to ensure that actual threats to clients will be correctly identified later.

ASV – More Than Just a Scan

The service provided by an Approved Scanning Vendor goes beyond a purely technical scanning solution. At least two ASV staff members are also responsible for performing and managing the PCI scanning services. The use of these experts, trained and accredited by the PCI SSC, ensures that scan results are separately reviewed and evaluated. In dialog with the client, ASV staff also explain open questions about findings and point out sensible recommended measures for remediation.

The Importance of Quality

Another important requirement as part of the accreditation process is the review of the quality assurance process. This process ensures that the following steps are adhered to before a scan report is submitted to the client: ASV scan results are analyzed for inconsistencies, false positives are verified, report confirmations are recorded, and the final report is reviewed.

“We set high quality standards for our PCI DSS Platform and are constantly developing it. When selecting our colleagues responsible for the ASV scans, we also emphasize experience in manual security analyses. This enables them to qualitatively evaluate the scan results and provide our clients with the best possible advice,” describes Andreas Duchmann.


Would you like support with your PCI DSS certification? Get in touch.

Also interesting:

usd PCI Best Practice Workshop 2021

usd PCI Best Practice Workshop 2021

For many years, the usd PCI Best Practice Workshop has brought together responsible PCI personnel from companies of all sizes and from all industries to discuss current topics from the world of payment card industry together with PCI experts from usd. The interactive...

3 Reasons for a Cloud Security Audit

3 Reasons for a Cloud Security Audit

Outsourcing applications and data to the cloud brings significant benefits for companies, but at the same time also new challenges for the corresponding IT departments. The technologies and processes of a cloud environment differ from those of local data centers....

usd HeroLab Top 5 Vulnerabilities 2020: SMB 1.0 & SMB Signing

usd HeroLab Top 5 Vulnerabilities 2020: SMB 1.0 & SMB Signing

During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for...

Categories

Categories