Using an ASV for External Vulnerability Scans

Performing External Vulnerability Scans on a Quarterly Interval 
PCI Requirement 11.2.2 requires quarterly external vulnerability scans to be performed by an Approved Scanning Vendor (ASV). ASVs are held to a high standard and are approved by the PCI Security Standards Council. Once the scan is completed, vulnerabilities need to be ranked according to your established risk ranking system. Any vulnerabilities ranked as “high risk” need to be remediated before your next quarterly scan.

AWS customers can carry out security assessments against their AWS infrastructure without prior approval for eight services. For more information, learn about vulnerability assessment and management in AWS Marketplace or check out OWASP’s list of vulnerability scanning tools.

Requirement 11.2.2 in the PCI DSS tells us how to do external vulnerability scans. One point that sometimes confuses people, and that I want to clear up, is that these external scans must be what is considered an ASV scan. A lot of times we’ll have clients show us scan results, but it wasn’t an ASV scan. There is a particular process that an external vulnerability scanning vendor goes through in order to be qualified to run your external vulnerability scans for PCI compliance, and you want to be sure that it is an ASV that is performing your scans. Qualys, for example, is a provider that offers more than one type of vulnerability scan, but you have to ensure that you are getting the ASV scan for PCI compliance in order to comply with 11.2.2.

The other question that we get a lot is about coverage. “What should we be scanning? Should we be scanning all of our public IP address landscape?” The answer is yes if they are related to your cardholder data environment. Any IP address that is externally accessible or potentially accessible has to be scanned as part of your PCI compliance efforts. These scans are inexpensive enough and easy enough to run that it is a good idea to scan your entire space. You also want to ensure that you’re scanning those web-facing applications that are part of your PCI cardholder data environment. 

The last thing we get asked about is the frequency of the scans. The requirement is quarterly. You will find a frequently asked question on the PCI Security Standards Council’s webpage about what constitutes quarterly. They clearly state there that it should be no more than 90 days. If there are extreme circumstances that prohibit you from running vulnerability scans, the overrun shouldn’t be any more than a day or two. Please be sure that you’re running these external vulnerability scans at least every 90 days and within that 90-day window to ensure that you will be compliant with the PCI Data Security Standard.
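The three points above (ASV scan, scan cadence of no more than 90 days, and high-risk findings remediated before the next scan) can be checked mechanically against your own scan history. The script below is an added example, not code from the original page or from any ASV; the scan history it runs over is constructed sample data, and the finding names and risk ranks are assumptions standing in for your own risk ranking system.

```python
from datetime import date

# Constructed sample scan history (not real ASV output). Each entry is one
# external scan: its date, whether it was run as an ASV scan, and the findings
# ranked under the organisation's own risk-ranking system (assumed names).
SCAN_HISTORY = [
    {"date": date(2023, 1, 10), "asv": True,
     "findings": {"outdated-openssl": "high", "weak-tls-config": "medium"}},
    {"date": date(2023, 4, 5), "asv": True,
     "findings": {"outdated-openssl": "high"}},   # high-risk item carried over
    {"date": date(2023, 7, 20), "asv": False,
     "findings": {}},                              # 106-day gap, not an ASV scan
]

MAX_GAP_DAYS = 90  # PCI SSC FAQ: "quarterly" means no more than 90 days apart


def check_scan_history(history):
    """Return a list of 11.2.2 issues found in the history (empty = no issues)."""
    issues = []
    ordered = sorted(history, key=lambda s: s["date"])
    previous = None
    for scan in ordered:
        when = scan["date"].isoformat()
        if not scan["asv"]:
            issues.append(f"{when}: scan was not performed by an ASV")
        if previous is not None:
            gap = (scan["date"] - previous["date"]).days
            if gap > MAX_GAP_DAYS:
                issues.append(
                    f"{when}: {gap} days since previous scan (limit {MAX_GAP_DAYS})")
            # High-risk findings from the previous scan must be gone by this one.
            for finding, rank in previous["findings"].items():
                if rank == "high" and finding in scan["findings"]:
                    issues.append(f"{when}: high-risk finding '{finding}' still present")
        previous = scan
    return issues


if __name__ == "__main__":
    for issue in check_scan_history(SCAN_HISTORY):
        print(issue)
```

A gap of exactly 90 days passes; a first scan has no predecessor, so only the ASV check applies to it.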
