“A few days ago we again received the worldwide accreditation as Approved Scanning Vendor (ASV) with our usd PCI DSS Platform and our ASV Scanning Services,” Andreas Duchmann, Managing Director of usd AG, is pleased to announce. “This means that we have consistently passed the international ASV qualification for 16 years. This is an important proof of our competence and quality in performing automated, technical vulnerability scans.”
As part of their PCI DSS certification, companies that process, store or forward credit card data must check their affected IT systems for vulnerabilities with an external scan on a quarterly basis. These scans may only be performed by an ASV that is audited, accredited, and on the official list of approved scanning vendors by the PCI Security Standards Council (PCI SSC); results from non-accredited suppliers are effectively revoked by the PCI SSC.
All ASV organizations must undergo annual re-accreditation with the PCI SSC. In doing so, relevant suppliers must meet or exceed the requirements from the Qualification Requirements for Approved Scanning Vendors. The review is based on a structured, transparent process and requires, among other things, participation in required training sessions, an audit of the ASV staff and, most importantly, a successful test result in the PCI SSC’s ASV Lab Scan Test.
Scanning Solution Is Tested in Depth
Stephan Neumann, Head of usd HeroLab, who accompanied the accreditation of the scanning solution, reports, “The review of the scanning solution does not only look at processes and organizations. Our usd PCI DSS Platform was tested in the ASV validation lab of the PCI SSC as part of a vulnerability analysis that mimics reality. These are simulated network environments with vulnerable hosts and network devices in which the scanning solution has to detect, identify and report all technical vulnerabilities within one day. In some cases, these are complex vulnerabilities that can only be found with the best tools based on years of experience.”
This ASV Lab Scan Test verifies that the submitted scan solution meets the current technical requirements: all vulnerabilities must be identified, correctly assessed and adequately documented in the scan test report. This is the only way to ensure that actual threats to clients will be correctly identified later.
ASV – More Than Just a Scan
The service provided by an Approved Scanning Vendor goes beyond a purely technical scanning solution. At least two ASV staff members are also responsible for performing and managing the PCI scanning services. The use of these experts, trained and accredited by the PCI SSC, ensures that scan results are separately reviewed and evaluated. In dialog with the client, ASV staff also explain open questions about findings and point out sensible recommended measures for remediation.
The Importance of Quality
Another important requirement as part of the accreditation process is the review of the quality assurance process. This process ensures that the following steps are adhered to before a scan report is submitted to the client: ASV scan results are analyzed for inconsistencies, false positives are verified, report confirmations are recorded, and the final report is reviewed.
“We set high quality standards for our PCI DSS Platform and are constantly developing it. When selecting our colleagues responsible for the ASV scans, we also emphasize experience in manual security analyses. This enables them to qualitatively evaluate the scan results and provide our clients with the best possible advice,” describes Andreas Duchmann.
Would you like support with your PCI DSS certification? Get in touch.