A few days ago, usd AG once again received accreditation as an Approved Scanning Vendor (ASV) with the scanning services of the usd PCI DSS platform. This globally valid accreditation for security scans is awarded by the PCI Security Standards Council (PCI SSC) and must be renewed annually by the providers.
As part of their PCI DSS certification, companies that process, store or forward credit card data must check their affected IT systems for vulnerabilities with an external scan on a quarterly basis. These scans may only be performed by an ASV that has been vetted and accredited by the PCI SSC and is on the official list of approved scanning vendors. Results from non-accredited providers will be rejected by the PCI SSC.
usd scanning solution put to the test
When scanning solutions are reviewed, it is not just processes and organizations that are considered. The solutions are put through their paces in the PCI SSC's ASV validation lab as part of a vulnerability analysis that mimics reality. This test verifies that the submitted scanning solution meets the current technical requirements: all vulnerabilities must be identified, correctly assessed and adequately documented in the scan test report. In some cases, the review includes complex vulnerabilities that can only be found with the best tools based on many years of experience. This is the only way to ensure that actual threats to customers are correctly identified later.
Stephan Neumann, Head of usd HeroLab, accompanied the accreditation: "We are pleased to be able to continue performing ASV scans for our customers. Our scanning solution convinced again, even though the requirements from the PCI Council have been significantly increased compared to the last years. This demonstrates the quality of our automated, technical vulnerability scans."
ASV Scans according to PCI DSS v4.0 now available
To continue supporting you in demonstrating your PCI DSS compliance, we have adapted our scan environment so that you can decide for each scan whether it should be performed according to PCI DSS version 3.2.1 or 4.0.
If you already demonstrate your PCI DSS compliance according to version 4.0 and therefore need an ASV scan as proof of compliance under v4.0, you will now be asked on our PCI DSS platform about the security of embedded payment page scripts. If you use such scripts, you will be required to integrate them securely in accordance with PCI DSS requirements from April 1st, 2025 at the latest. Since the secure integration of payment page scripts is a recommendation and not an obligation until then, we give you the opportunity to declare this as best practice in the meantime, in accordance with the PCI DSS requirements.