An ASV scanner is a hardware and software system that scans the points at which an organization's internal network connects to Internet resources.
Scanning is performed according to the requirements of the PCI DSS standard. Organizations that provide this service must hold the corresponding status (PCI Approved Scanning Vendor, ASV).
ASV scanning is mandatory for all organizations that accept bank cards for payment – for example, offline and online stores.
PCI DSS compliance
The stages of scanning
The scanning procedure can be divided into several stages.
- The customer prepares the enterprise infrastructure for scanning and identifies the part of the network infrastructure that falls within the scope of the PCI DSS standard.
- On the appointed day, the auditor conducts the audit in accordance with the requirements of the standard, using specialized equipment certified for this verification.
- At the end of the process, the client receives a document with the results of the audit, together with recommendations on how to fix the vulnerabilities found.
Scanning principle
The ASV scanner is provided as a subscription service. The customer registers on the service provider's website and chooses one of the service options.
In the next step, the client sets a schedule for scanning; as a rule, the procedure is performed once a quarter. The client specifies the public ("white") IP address of the site or its domain name, and then pays for the service.
The scanner checks the specified addresses for vulnerabilities, their degree of risk and the other parameters prescribed by the PCI DSS standard. If vulnerabilities are found, the customer receives a report on each problem with a detailed description of the risk, the degree of threat, the CVSS score, the CVE code and how to fix the problem.
CVSS (Common Vulnerability Scoring System) is an open industry standard used to rate the risk level of each vulnerability. A CVSS score is a value assigned to a vulnerability according to its threat level.
CVE (Common Vulnerabilities and Exposures) is a global list of publicly known threats and vulnerabilities. A unique identifier (CVE code) is assigned to each record.
The report is valid for 90 calendar days. During this period, the client is obliged to remediate the vulnerabilities found and re-scan. If no vulnerabilities remain, a certificate of compliance of the information system with PCI DSS requirements is issued.
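To make the procedure above concrete, here is an added example (not the scanning service's code, nor anything from the PCI DSS standard itself) of the checks a customer can run on their own side of the cycle: classify the target as a public IP address or a domain name before submitting it, sanity-check the CVE identifiers and CVSS scores in the report that comes back, order findings for remediation, and compute the 90-day validity window that decides whether a re-scan is due or a certificate can be issued. The report data, hostnames and CVE identifiers are constructed placeholders, and the only rules applied are the ones stated in this article.

```python
"""Customer-side checks for an ASV scan cycle (added example, not an ASV tool).

Everything below follows only the facts stated in the article: the target is
a public IP address or a domain name, each finding carries a CVSS score and a
CVE code, the report is valid for 90 calendar days, and a certificate is issued
only when no vulnerabilities remain.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import date, timedelta

REPORT_VALIDITY_DAYS = 90                        # stated in the article
CVE_PATTERN = re.compile(r"CVE-\d{4}-\d{4,}")    # CVE identifier syntax
HOSTNAME_PATTERN = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")


def classify_target(target: str) -> str:
    """Classify what the customer is about to submit for scanning.

    Returns 'public-ip', 'non-public-ip', 'domain' or 'invalid'. The scan is
    performed from the Internet, so an IP target must be a public ("white")
    address; private, loopback and reserved ranges are reported separately so
    the mistake is caught before the scan is scheduled.
    """
    target = target.strip().lower()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: accept a syntactically valid hostname only.
        return "domain" if HOSTNAME_PATTERN.fullmatch(target) else "invalid"
    return "public-ip" if addr.is_global else "non-public-ip"


@dataclass(frozen=True)
class Finding:
    """One entry of a scan report, with the fields the article lists."""
    host: str
    cve: str
    cvss: float
    description: str
    fix: str


def validate_finding(finding: Finding) -> list[str]:
    """Return metadata problems with a finding (empty list if well formed)."""
    problems = []
    if not CVE_PATTERN.fullmatch(finding.cve):
        problems.append(f"malformed CVE identifier: {finding.cve!r}")
    if not 0.0 <= finding.cvss <= 10.0:
        problems.append(f"CVSS score out of range: {finding.cvss}")
    return problems


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings for remediation, highest CVSS score first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def report_expiry(scan_date: date) -> date:
    """Last day on which a report issued on scan_date is still valid."""
    return scan_date + timedelta(days=REPORT_VALIDITY_DAYS)


def compliance_status(findings: list[Finding], scan_date: date, today: date) -> str:
    """Apply the two rules the article states to a report.

    'expired'    - the 90-day window has passed; a new scan is needed anyway
    'remediate'  - findings remain; fix them and re-scan before expiry
    'compliant'  - no findings in a still-valid report; a certificate can be issued
    """
    if today > report_expiry(scan_date):
        return "expired"
    return "remediate" if findings else "compliant"


# Constructed sample report; hostnames and CVE identifiers are placeholders.
SAMPLE_SCAN_DATE = date(2024, 1, 15)
SAMPLE_TODAY = date(2024, 2, 1)
SAMPLE_FINDINGS = [
    Finding("shop.example.com", "CVE-2099-10001", 5.3, "placeholder finding A", "apply vendor patch"),
    Finding("shop.example.com", "CVE-2099-10002", 9.8, "placeholder finding B", "upgrade component"),
    Finding("pay.example.com", "CVE-24-1", 11.0, "entry with malformed metadata", "n/a"),
]

if __name__ == "__main__":
    for target in ("shop.example.com", "203.0.113.10", "10.0.0.5"):
        print(f"{target:20} -> {classify_target(target)}")
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.cvss:4} {f.cve:15} {f.host:18} {validate_finding(f) or 'ok'}")
    print("report expires", report_expiry(SAMPLE_SCAN_DATE))
    print("status today:", compliance_status(SAMPLE_FINDINGS, SAMPLE_SCAN_DATE, SAMPLE_TODAY))
```

Note that `203.0.113.10`, although it looks like an ordinary public address, is classified as non-public: it belongs to a documentation range that Python's `ipaddress` module treats as reserved, which is exactly the kind of target an Internet-facing scan could not reach. The third sample finding is deliberately malformed so that `validate_finding` has something to report; a real report from the vendor should never produce such output.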