Business Solutions
Enterprise Solutions
Services
Case Studies
About us
Partners
Blog
Contact Us
Business Solutions
Cyber Security
Security Awareness & Training
Networking
View all business solutions >
Cyber Security

Discover our cyber security solutions

Penetration Testing
Security Assessment
Application Security
Next Generation Firewall as a Service
Secure Identity & Access Management
Web, Email & Endpoint Security
Threat Detection & Response
View all cyber security solutions >
Security Awareness & Training

Discover our security awareness & training solutions

Phishing Awareness, Prevention & Response
vCISO as a Service
Digital Exposure
View all security awareness & training solutions >
Networking

Discover our networking solutions

Secure SD-WAN
Secure Office Network
Cloud Connectivity
Secure Remote Working
Network Automation
View all networking solutions >
Enterprise Solutions
Cyber Security
Networking
Automation
View all enterprise solutions >
Cyber Security

Discover our cyber security solutions

Penetration Testing
Red Teaming
Governance Risk & Compliance
Application Security
Authentication & Access Control
Threat Detection & Event Management
Phishing Awareness, Prevention & Response
View all cyber security solutions >
Networking

Discover our networking solutions

Network Assessment
Network Security
Data Centre & Cloud
Secure SD-WAN
Campus Network
View all networking solutions >
Automation

Discover our automation solutions

Automated Managed Services
Network & Infrastructure Automation
Automated Cyber Security Compliance
Automation Services
Modern Application Integration & Development
View all automation solutions >
Services
Advisory Services
Professional Services
Automated Managed Services
View all services >
About Us
Our Story
Our Team
Why Dragonfly?
Careers
Partners
Cisco
Rapid7
Cisco Meraki
Darktrace
Snyk
Fortinet
Palo Alto Networks
HCL Technologies
Unisys Stealth
F5
KnowBe4
Microsoft
View all partners >
Business Solutions
Enterprise Solutions
Services
Case Studies
About Us
Partners
Blog
Contact Us

Business Solutions

Cyber Security
Security Awareness & Training
Networking
View all business solutions >

Discover our cyber security solutions

Penetration Testing
Security Assessment
Application Security
Next Generation Firewall as a Service
Secure Identity & Access Management
Web, Email & Endpoint Security
Threat Detection & Response
View all cyber security solutions >

Discover our security awareness & training solutions

Phishing Awareness, Prevention & Response
vCISO as a Service
Digital Exposure
View all security awareness & training solutions >

Discover our networking solutions

Secure SD-WAN
Secure Office Network
Cloud Connectivity
Secure Remote Working
Network Automation
View all networking solutions >

Enterprise Solutions

Cyber Security
Networking
Automation
View all enterprise solutions >

Discover our cyber security solutions

Penetration Testing
Red Teaming
Governance Risk & Compliance
Application Security
Authentication & Access Control
Threat Detection & Event Management
Phishing Awareness, Prevention & Response
View all cyber security solutions >

Discover our networking solutions

Network Assessment
Network Security
Data Centre & Cloud
Secure SD-WAN
Campus Network
View all networking solutions >

Discover our automation solutions

Automated Managed Services
Network & Infrastructure Automation
Automated Cyber Security Compliance
Automation Services
Modern Application Integration & Development
View all automation solutions >

Services

Advisory Services
Professional Services
Automated Managed Services
View all services >

About Us

Our Story
Our Team
Why Dragonfly?
Careers

Partners

Cisco
Rapid7
Cisco Meraki
Darktrace
Snyk
Fortinet
Palo Alto Networks
HCL Technologies
Unisys Stealth
F5
KnowBe4
Microsoft
View all partners >
Cyber Security

How To Choose A PCI Approved Scanning Vendor

Lucy Khayat
May 28, 2019

In order to comply with the Payment Card Industry Data Security Standard (PCI DSS), merchants and service providers are required to have external vulnerability scans performed on their systems every quarter. These scans must be performed by an Approved Scanning Vendor (ASV). But what is an Approved Scanning Vendor?  How does your business select the correct one? In this article, we answer these questions to assist your business to the most out of imperative PCI DSS scans.

First, let’s take a step back and look at the PCI DSS requirements for vulnerability scanning. PCI DSS Requirement 11.2 requires that merchants and service providers perform both internal and external vulnerability scans on a quarterly basis. Scans must also be performed when there are changes made to the network.

When it comes to internal scans, the choice is to either using a qualified internal staff member or hiring an external third party. If your business chooses to use a staff member, this person cannot also be responsible for securing the systems that are being tested. Your business could engage an internal staff member to perform the scans that are required after changes are made to the network.

Merchants and service providers have less flexibility when it comes to quarterly external vulnerability scans. These must be performed by an Approved Scanning Vendor (ASV). An ASV is a third-party solution provider that is approved by the Payment Card Industry Security Standards Council (PCI SCC) to perform vulnerability scans of Internet-facing environments for the purposes of validating compliance to DSS requirements.

To become an ASV, security solution providers must undergo a three-part qualification process. The company itself must be qualified, as well as the employees who will be responsible for performing scans, and the company’s scanning solution must be security tested. ASVs must be re-approved by the PCI Security Standards Council every year. The PCI SCC is careful to note that it does not endorse any particular ASV.

Here are some factors to consider as you choose an ASV

Qualification as an ASV. Every time you engage with a provider, check the PCI SCC website to make sure that the company is still a qualified ASV. If the company has failed to become re-approved as an ASV, the scanning services you pay for will not meet PCI DSS’s requirement.

  • Cost. The fees associated with an ASV’s scanning services are negotiated between the ASV and the customer. While it makes sense to compare the prices of a couple of different ASVs, don’t forget to consider the value-added services that are included in those prices. For example, does the provider offer dedicated, 24/7 customer support? Are rescans included at no additional cost? Can you rely on the ASV for additional PCI-related services?
  • Experience and accolades. Large companies routinely rely on vulnerability scanning and application security testing outside of any regulatory requirements to ensure that their systems are protected against hackers. Look for an ASV that has a long-standing history delivering these services and is well recognized by analyst firms and other third parties for their work in the area.
  • A well-tuned scan engine. The cost of a vulnerability scan can quickly escalate if your team has to spend valuable time resolving false positives. Ask your prospective ASV about false-positive rates and the processes they have in place to keep scan engines adequately tuned to minimize false positives.
  • Customer-scheduled scans. While the ASV must control and manage the scan solution, the PCI SCC allows customers to remotely start scans (for example, via a web portal), schedule scans and identify the IP addresses to be scanned. These self-service capabilities help you to reduce the impact on business operations. Scheduling quarterly scans also makes it easier to ensure that you remain compliant.
  • A robust scan engine. Quarterly vulnerability scans is about much more than ticking a checkbox on a regulatory requirement. The scan should provide assurance that you are running a secure environment and that vulnerabilities are being remediated. Choose an ASV with robust scan engines that are continually updated to detect the latest vulnerabilities.

Ideally, the ASV you choose will be a partner that you can turn to quarter after quarter for your PCI scans, as well as for general security concerns. After all, the spirit of PCI DSS is not to create another to-do list for you, but to improve your overall security posture. By doing so, you protect both your business and your customers. Contact us to discuss how we can assist you with your PCI needs today.

Explore more topics

Dragonfly Updates
Automation
Networking
Cyber Security

More Blogs

Dragonfly Team

November 24, 2021

5 Things You Need to Know About Managed Threat Detection & Response

Branko Ninkovic

October 18, 2021

The Anatomy of a Phishing Attempt - auDA Email Scam

Branko Ninkovic

July 2, 2020

Palo Alto Vulnerability - Patching and Software Updates

Want to learn more?
Join our mailing list

Business Solutions
Cyber Security
Penetration TestingSecurity AssessmentApplication SecurityNext Generation Firewall as a ServiceSecure Identity & Access ManagementWeb, Email & Endpoint SecurityThreat Detection & Event Management
Security Awareness & Training
Phishing Awareness, Prevention & ResponsevCISO as a ServiceDigital Exposure
Networking
Secure SD-WANSecure Office NetworkCloud ConnectivitySecure Remote WorkingNetwork Automation
Enterprise Solutions
Cyber Security
Penetration TestingRed TeamingGovernance Risk & ComplianceApplication SecurityAuthentication & Access ControlThreat Detection & Event ManagementPhishing Awareness, Prevention and Response
Networking
Network SecurityData Centre & CloudSecure SD-WANCampus Network
Automation
Automated Managed ServicesNetwork & Infrastructure AutomationAutomated Cyber Security ComplianceAutomation ServicesModern Application Integration & Development
Services
Advisory ServicesProfessional ServicesAutomated Managed Services
Company
Our StoryWhy Dragonfly?Our TeamCareersPartnersCase StudiesContact UsBlog
2005 - 2021 © Dragonfly Technologies Pty Ltd
Privacy