What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. It is a compliance scheme that aims to secure credit and debit card transactions against data theft and fraud. Compliance with the standards is a requirement for any business that processes credit or debit card transactions.
How does this relate to vulnerability scanning?
As part of the standards (PCI DSS Requirement 11.2.2), a company must perform vulnerability scanning of its estate (both internally and externally).
What is an ASV and what do they do?
An ASV is an organization (vendor) which operates a set of security services and tools (collectively an “ASV scan solution”) used to conduct external vulnerability scanning services that validate adherence with PCI DSS's external scanning requirements.
Why is an ASV vendor needed?
The scanning vendor’s ASV scan solution is tested and approved by PCI SSC before an ASV is added to PCI SSC’s List of Approved Scanning Vendors.
Is AppCheck an ASV (accredited vendor)?
No, AppCheck is not a registered ASV. AppCheck as a company does not operate as an ASV providing the surrounding services.
Is AppCheck an ASV scan solution?
Yes, AppCheck as a platform can be used as the scanning solution under PCI DSS by an accredited ASV. Since PCI DSS does not mandate that an ASV must use their own scan solution, AppCheck can be used as a scan solution by any accredited ASV vendor.
Can AppCheck produce an ASV report for me?
AppCheck as a platform has the capability to produce ASV reports, but this functionality is only available to Approved Scanning Vendors (ASVs) who use the AppCheck platform, and who are accredited/approved with PCI to use AppCheck as their scanning solution.
AppCheck as a company is not permitted to produce or issue ASV reports under any other arrangement.
AppCheck can produce vulnerability scan reports of your estate that you can use to remediate discovered issues and prepare for an ASV scan; however, such reports may NOT be submitted as ASV scan reports for the reasons outlined above.
Can my existing ASV use AppCheck as their scanning solution?
ASVs must use the scanning solution named in their application for approval as an ASV, which is the solution they are authorised to use under their accreditation. An existing ASV would need to re-apply to PCI for accreditation if switching scanning platform/solution.
Where can I find a list of ASVs under PCI DSS?
Please see https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors
What else should I consider?
For the purposes of PCI a company will generally need to work with a Qualified Security Assessor (QSA), to establish the scope of their estate and hence the scope of scanning.