Approved Scanning Vendors and PCI Certificates

Approved Scanning Vendors (ASV)

ASVs are companies certified by the PCI SSC to help implement certain PCI DSS requirements. They validate a company’s compliance with the PCI DSS and give you a certification so you can prove that compliance to your customers and acquiring bank. ASVs are one of only a few groups authorized to give you certificates of compliance, so it will almost always be necessary to work with one.

How are ASVs qualified to test my system?

ASVs undergo a rigorous annual testing and retesting policy in order to maintain their ASV status. The PCI SSC is very strict about who is allowed to become an ASV, and it also charges large annual fees to maintain ASV status. These two components ensure that Approved Scanning Vendors are very serious, well-established companies that are capable of keeping up with changing security measures and able to deliver accurate information to you about your security needs. You can be sure that you are covered if you have received passing scan reports or PCI certificates from an ASV, along with the completion of your other PCI compliance requirements.

While ASVs can sometimes offer a wide array of security services, they mainly help companies get PCI certificates through vulnerability scanning. The basics of PCI compliance require an external vulnerability scan in order to check for possible weaknesses in your system that could be exploited by attackers. Only ASVs have the necessary certification from the PCI SSC to give you the attestation of compliance you need for your acquiring bank.

PCI certificates, as they are sometimes called, generally come in the form of scan reports. The PCI certificate you may be asked to provide will be your attestation and executive scan reports here at Server Scan. Most ASVs don’t provide PCI certificates; the equivalent is a copy of your passing scan reports.

How often do I need ASV scanning?

PCI scanning is normally required to be done quarterly. You should prepare for your quarterly ASV scan by scanning a few weeks prior to your due date, so you have time for remediation and rescanning. Server Scan makes this process simple by offering unlimited scans with every purchase. No matter what length of time you sign up for, you can run unlimited scans for no extra charge and schedule scans as often as you like, to help remind you when due dates are near and to make sure you never miss a deadline with your bank.

Orders in Payment Received - These orders need to have an initial scan (starting immediately) and quarterly recurring scans (starting 3-5 days in the future) scheduled, then move to Completed. See instruction document.

Orders in Pending - These orders need to have the customer contacted by email to inform them that payment failed and their scans will be disabled in seven days if we do not receive payment. Once that happens, do the following:

Set the recurring payment in the SS order manager to 'Suspended'.

Log in to the Scan Manager and disable their scans by going to the Scan Portal > Admin > Network Assets, and deleting the zone.

Log in as the user and turn off any scheduled scans by going to Checklist > Manage > Login as User > Scan Schedules and deleting any scans.

Move order to Non Renewed (Canceled). Do not move past successful orders to Canceled, just the current order in question.