Approved scanning vendor (ASV)
So you’re required to test your systems and network through vulnerability scanning to reach PCI DSS compliance. (Learn about PCI Scanning Requirements.) Before you choose your scanning vendor, you should know that not all scanning vendors are alike. Let me explain the best attributes you should look for when you choose your new vulnerability scanning partner.
SEE ALSO: Picking Your Vulnerability Scanner: The Questions You Should Ask
Before you do anything, make sure your scanning vendor is in good standing on the PCI Council’s Approved Scanning Vendor (ASVs) list. Businesses on this list undertake extensive testing that ensures their scanners (and employees running those scans) are top-of-the-line. The tests cover how potential Approved Scanning Vendors handle scan requests from their customers, perform scans, and report scans.
Here are some things to look for in an approved scanning vendor:
1. A system for tuning scan engines. Many network scan vendors provide affordable scanning on the surface, but after considering the time you spend resolving false positives, scan prices quickly add up. False positives hinder progress, but there is a fine line between tuning a scan engine for false positives and allowing vulnerabilities to pass the scan. A good approved scanning vendor has an ongoing system for tuning scan engines to produce accurate results without bogging down your system with false positives. They are always listening to customer feedback and watching the threat landscape to ensure their scanning customers receive the best without additional heartburn.
2. Customer support. 24/7 dedicated support is essential to a successful vulnerability scanning program. Having immediate answers to vulnerability questions can potentially save merchants from future data breaches.
3. Staff experience. Having experience behind a vulnerability scan is important to getting the best recommendations about your unique and individual network environments. For example, SecurityMetrics has been an Approved Scanning Vendor for over 10 years, and most of its in-house support staff has 4+ years of experience in vulnerability remediation, including CISSP professionals overseeing day-to-day scanning.
4. Manual verification of scan vulnerabilities. Agents manually verify vulnerabilities to ensure scan result accuracy. There will be times when you are not sure a particular vulnerability fits, or is accurate. Experienced support staff should be available to look at the whole picture, listen to your dispute, take necessary evidence, and begin manual verification. This is not a penetration test, but an excellent way to see if a particular external vulnerability is valid. If the vulnerability is valid, the support agents should show you how they tested for it. It will remain a failing item that must be fixed in order to achieve compliance. If it is not valid, the support staff will have the vulnerability disputed as a false positive.
5. Unlimited scans and rescanning. Does it surprise you that some Approved Scanning Vendors detect over 22,000 vulnerabilities per day? Because new vulnerabilities are identified daily, organizations are encouraged to regularly scan their systems. Paying for rescanning adds up, but a good approved scanning vendor will rescan at no cost.
6. Comprehensive scan engines running latest technology. High-profile vulnerabilities like GHOST and POODLE are just the tip of the iceberg. The National Vulnerability Database estimates an average of 19 new vulnerabilities are reported per day. That’s why utilizing the best scanning technology available is crucial to an accurate scan.
7. Ability to schedule scans. Being able to schedule scan frequency on appropriate IP addresses and domain names is essential for your security…and your sanity. Your environment is always changing and you want to make sure your security is up to snuff. Make sure you stay in compliance by scanning quarterly and after any significant change in your network or website (like a new firewall, or product upgrade). You should have the ability to rescan and see if those changes have introduced any new vulnerabilities into your environment. If not, it’s smooth sailing. If so, your friendly support is always there to help resolve those vulnerabilities.
SEE ALSO: Perimeter Scan Vs. External Vulnerability Scan
8. Engines configured to run light on systems. Scans shouldn’t overtake and bog down your card processing environment. You shouldn’t be restricted to only scan during the midnight hours. Make sure your vendors scans are able to run during normal business operations, without affecting the speed of your network. With that said, many businesses still choose to run their scans in the evening. Being able to choose when you schedule your scans means: your scan, your schedule.
9. Not in remediation. If you head on over to the PCI SSC Approved Scanning Vendor list, you’ll see a few companies listed in red. Red = remediation. Being in remediation means the company has not met all of the current ASV Qualification Requirements. This status may result from failure to comply with any number of applicable ASV Qualification Requirements, but if your ASV is in remediation, they have only so long to remediate until they fall off the list. *Note: If you are required to run external scans, you must have your scans run by an Approved Scanning Vendor per PCI DSS requirement 11.2..
10. Full PCI service. A good Approved Scanning Vendor doesn’t settle with base PCI DSS requirements like vulnerability scanning, but goes above and beyond to ensure accurate compliance and comprehensive security. There’s lots more that should go into your data security, like penetration testing, employee training, and Self-Assessment Questionnaires.
I hope this list helps you understand all the important aspects to look for when choosing a scanning partner! Looking for a vendor that meets all these requirements?
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.