I think, most of financial and trade companies know about vulnerability scanning mainly because of PCI DSS. Vulnerability Assessment is, of course, an important issue, but when regular scanning is prescribed in some critical standard it become much more important for businesses.
This post will be about PCI ASV from the point of view of a scanning vendor. I decided to figure out what technical requirements exist for ASV solutions and how difficult/expensive it is to become an ASV.
Perimeter scanningBasically, PCI ASV scan is a form of automated network perimeter control, performed by an external organization. All Internet-facing hosts of merchants and service providers should be checked 4 times a year (quarterly) with Vulnerability Scanner by PCI ASV (PCI DSS Requirement 11.2.2.). It is necessary to check the effectiveness of patch management and other security measures that improve protection against Internet attacks.
It is important that the ASV scanning is not a product, it’s a service of a PCI ASV security solution provider. Providers may use their own scanners or the software of third parties, including, for example,OpenVAS and other free security assessment tools. The main thing is that provider should show good results in practical scanning tests, during the PCI ASV evaluation process.
Some providers may give their customer web-interface access to the scanner to launch the scans. Some providers may hold quarterly scanning without any participation customer’s employee. Usually communication between ASV provider and the customer is minimized: customer lists the scan targets and makes sure that the scanner won’t be blocked by firewall. ASV provider sends scan report to the customer, customer then forwards it to the acquirer.
The ASV prepares scan reports according to the ASV Scan Report requirements and submits reports to the scan customer. The scan customer submits reports to their acquirers or payment brands as directed by the payment brands.
Stages of the ASV scanning process:
Scoping Scanning Reporting/remediation Dispute Resolution Rescan (as needed) Final reportingSome details of the process you can find in “ Approved Scanning Vendors (ASVs) Program Guide ” (38 pages, May 2013)
Customer sets IP ranges and domains for scanning. ASV should “identify active IP addresses and services”, and then confirm the list of targets. ASV is “providing a determination as to whether the scan customer’s components have met the scanning requirement”.As I understand, if ASV have detected host that he doesn’t know how to scan, he must inform the customer. ASV must store the scan reports for 2 years. Customer must make sure that load balancers and firewalls won’t intercept ASV scanning. Becoming PCI ASVOk, let’s say we want to become a new ASV. There is a special page on the PCI website .
Interesting things you can find there:
Each year status should be re-approved. You should pass “remote test conducted on the PCI Security Standards Council’s test infrastructure”. You need to scan it, in other words. There will be vulnerabilities and misconfigurations in the PCI test infrastructure, which you will need to detect. There will be network hosts and Web applications in the PCI test infrastructure.Technically it looks like we need some combination of unauthenticated network and WAS-scanner.
In addition to the scan ability PCI will also check the application form and the report forms (executive and detailed test reports). They will also emulate the processes of making application and scan result discussion by phone.
If you fail the test, you can try again. But you will have to pay a re-testing fee. After three unsuccessful attempts you may be sent on “waiting period”.
Ok, so far it sounds logical. But what particular systems provider will have have to scan during the ASV test? Required Components for PCI DSS Vulnerability Scanning are listed in “ Approved Scanning Vendors (ASVs) Program Guide ” at page 17:
Firewalls and Routers Operating Systems Database Servers Web Servers Application Server Common Web Scripts Built-in Accounts DNS Servers Mail Servers Web Applications Other Applications Common Services Wireless Access Points Backdoors SSL/TLS Remote Access Point-of-sale (POS) SoftwareEasier to say everything. What systems will be actually deployed in the PCI test infrastructure is not clear. Program Guide is not about technical details actually, it is more about basic description of the ASV assessment process, which I have already mentioned earlier.
Ok, let’s say we believe that there won’t be any problems with scanning test, what else do we needed?
Some organizational requirements from “ Requirements for Approved Scanning Vendors (ASVs) v2.1 “.
The company should be registered and have some experience in providing security scans. “E-mail submissions will not be accepted”. You need to send application by regular mail. Some requirements against conflict of interests. Company shouldn’t provide PCI certification and audit at the same time. Procedure: consider an application, invoice, after payment coordination of testing date. Company should have at least two employees performing or managing PCI Scanning Services[They] must be qualified by PCI SSC. ASV Employees are responsible for performance of the PCI Scanning Services in accordance with the ASV Program Guide attending annual training provided by PCI SSC, and legitimately pass ― of his or her own accord without any unauthorized assistance ― the examination conducted as part of training. If an ASV Employee fails to pass any exam in connection with such training, the ASV Employee must no longer perform or manage PCI Scanning Services until successfully passing all required exams on a future attempt. Requirements for the employee experience. Years of work or/and certifications. In fact, all the procedures need to be repeated every year:
All ASV Companies and Employees must be re-qualified by PCI SSC on an annual basis, based on the ASV Company’s original qualification date. Re-qualification by PCI SSC is based on payment of annual fees, proof of training attended, achieving a passing result on the annual ASV Lab Scan Test and satisfactory feedback from the ASV Company Scan Customers (the merchants or service providers that received PCI Scanning Services) to PCI SSC
Company should pay fees:The Initial Test for New Solution fee, which must be paid in full within 30 days of notification. An annual ASV re-qualification test fee for subsequent years. For each ASV Employee, a fee for PCI SSC training. This is an annual fee.
Fees in US$:
Source: