What does ASV or ASV Scan mean?
ASV stands for "Approved Scanning Vendor", which is a provider recognized by the PCI Security Standards Council for vulnerability scanning. Only these providers – such as usd AG – are allowed to perform external vulnerability scans (ASV scans) to verify and assess your PCI DSS compliance.
An ASV scan checks for external vulnerabilities in your publicly accessible IT systems such as websites, applications, or other infrastructure components. The scans are carried out over the Internet with a certified solution and comply with PCI DSS requirement 11.3.2.
How does the scanning process work?
The scanner examines which services and systems on the specified scan component (IP address or domain) are accessible from the Internet. These details are then matched against a continuously updated database of known vulnerabilities. The results are presented to you in detail in the scan report.
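As an added illustration (not usd AG's scanner or code from this page), the following Python models the matching and result logic described above on constructed data: each exposed service is looked up in a small vulnerability database, and a scan component passes only if no remaining finding reaches the ASV Program Guide's fail threshold of CVSS 4.0. The service names, versions, vulnerability identifiers and the list of findings accepted by the ASV after review are all invented.

```python
"""Toy model of ASV result handling (added example, not a real scanner)."""
from dataclasses import dataclass

# ASV Program Guide rule: any finding with CVSS base score >= 4.0 fails the component
FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    component: str   # scan component (domain/FQDN or IP address)
    port: int
    service: str
    vuln_id: str     # constructed identifier, not a real CVE
    cvss: float


# Constructed "known vulnerabilities" database keyed by (service, version)
VULN_DB = {
    ("ssh-server", "1.0"): [("CONSTRUCTED-0001", 5.3)],
    ("web-server", "2.0"): [("CONSTRUCTED-0002", 7.5), ("CONSTRUCTED-0003", 3.7)],
    ("web-server", "2.1"): [],
}

# Constructed discovery results: what the scanner saw from the Internet
DISCOVERED = {
    "shop.example.com": [(443, "web-server", "2.0"), (22, "ssh-server", "1.0")],
    "203.0.113.10": [(443, "web-server", "2.1")],
}


def match_findings(discovered, vuln_db):
    """Look up every exposed service in the vulnerability database."""
    findings = []
    for component, services in discovered.items():
        for port, name, version in services:
            for vuln_id, cvss in vuln_db.get((name, version), []):
                findings.append(Finding(component, port, name, vuln_id, cvss))
    return findings


def component_status(findings, discovered, accepted=frozenset()):
    """Per component: 'pass' unless a finding the ASV has not accepted
    (e.g. a reviewed false positive) reaches the fail threshold."""
    status = {component: "pass" for component in discovered}
    for f in findings:
        if (f.component, f.vuln_id) in accepted:
            continue  # commented on and accepted during ASV result review
        if f.cvss >= FAIL_THRESHOLD:
            status[f.component] = "fail"
    return status


if __name__ == "__main__":
    found = match_findings(DISCOVERED, VULN_DB)
    for f in sorted(found, key=lambda x: -x.cvss):
        print(f"{f.component}:{f.port} {f.service} {f.vuln_id} CVSS {f.cvss}")
    print(component_status(found, DISCOVERED))
```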
When do ASV scans have to be performed?
ASV scans are mandatory external vulnerability scans under PCI DSS. They must be applied to all IT systems that are accessible via the public Internet and meet at least one of the following conditions:
- They accept, process, transmit, or store cardholder data.
- They are directly responsible for the security of card payments (e.g., an online shop with credit card payment).
How often do ASV scans have to be performed?
ASV scans must be performed every 90 days if regular scans are required. Different intervals may be necessary based on your bank’s or payment service provider’s specifications. Also, any significant change to the publicly accessible system environment that could affect security may require a new ASV scan. If in doubt, it is advisable to consult with your ASV; feel free to contact us at pci@usd.de.
Which systems need to be checked during an ASV scan?
ASV scans cover all publicly accessible systems in the PCI DSS context, including for example:
- Web applications, databases, mail servers, proxies, NTP or DNS servers
- Virtual servers/routers/desktops/hypervisors
- Cloud infrastructure
- Printers, fax machines
- Tools, code repositories, ...
If you are unsure, please feel free to contact us at pci@usd.de.
What are scan components?
In the context of ASV scans, the term "scan components" refers to the IT systems that are to be tested for security during the ASV scan. These components must be determined before the scan begins. They usually consist of the domains/FQDNs or IP addresses of the systems to be tested.
Please note: Specific sub-paths cannot be specified, as the entire underlying system is always examined.
What is the ASV Scan process?
The main steps at a glance:
- Customer: Scoping (determination of the scope and nomination of scan components)
- Customer: Scan planning (ordering a scan quota in advance if no scan is available)
- Customer / usd AG: Execution of the scan
- usd AG: Notification regarding the availability of scan results
- Customer: Provide additional information and/or initiate remediation of identified vulnerabilities
- Customer: If necessary, plan a rescan
- usd AG: Result review and final reporting
- Customer: Final confirmation of data and scan results – with this you achieve PCI DSS compliance for the ASV scan
Please note: this is an example process. Depending on the situation, deviations and processes tailored specifically to your company may be possible.
How do ASV scans differ from other external vulnerability scans?
The main difference is that with ASV scans, simply performing the scan is not enough to assess the security of the affected IT systems. The results must be carefully reviewed and – if necessary – remediation of identified vulnerabilities implemented. This can mean that vulnerabilities need to be removed or findings commented on. This process generally requires close cooperation with the technical administrators of the respective IT systems. Therefore, it is recommended that the technical administrator accompanies the entire ASV scan process – from planning to final approval by the ASV. If you are interested in an external or internal vulnerability scan, please contact us.
We have not needed to perform ASV scans until now. What has changed?
There are various reasons why an ASV scan may now be required, for example:
- Changed processing procedures: Your payment processing has been adjusted.
- Change of SAQ type: Your new Self-Assessment Questionnaire (SAQ) requires an ASV scan or the information about public accessibility has changed.
- Adjustments to the PCI Standard: The PCI standard has been revised so that your specific processing procedure now requires additional security controls such as ASV scans.
- Bank or acquirer requirements: Previously, your acquiring bank or payment facilitator did not require an ASV scan for risk-based reasons. Reasons for this may vary. For further information, please contact your contractual partner directly.