Scan Conduction

Information on conducting, organizing, and further processing scans as well as on possible rescans


How long does a scan take?

The duration depends on the number of components, their configuration, network bandwidth, and open ports. Typically, a scan takes between 2 and 6 hours per component. In exceptional cases, however, it may take up to 24 hours.

What information do I receive after an ASV scan is performed?

You will be notified by email once the scan is complete. The results are available as a PDF report on the PCI platform. Additionally, vulnerabilities can be exported as Excel or JIRA files.

Please note: Reviewing the results, providing feedback, and final confirmation are all handled directly via the PCI platform. It is strongly recommended that you grant your technical administrator access to the platform so they can review and further process the results.

Where can I find the scan results?

  1. Log in to the PCI platform with your username (email address) and password.
  2. In the "ASV Scan Reports" section, navigate to "Scan Projects".
  3. In the overview, you will see your completed scans. For your current scan, select the "Details" view and click "Review Scan Results" at the bottom.
  4. Complete the required information on the following pages.
    Important: Your comments must be provided in English.

Some components could not be scanned. What should I do now?

Please provide an explanation in English as to why the system was not accessible. If you have any questions, please contact pci@usd.de.

What should I do with the "Additional Information"?

Provide the required responses for the respective components. Fields such as "Result", "Consequence", "Diagnosis", and "Solution" offer helpful guidance for processing.

How should I best deal with vulnerabilities identified in the results, and what should I keep in mind?

Review every vulnerability: Is this an actual security issue or a false positive?

  • Actual vulnerabilities: Should preferably be remediated.
  • False positives: Clearly mark and justify these as "False Positive". Important Note: Ideally, deal with false positives only after all relevant vulnerabilities have been remediated. Otherwise, your entries for false positives may be lost in a rescan—unless they have been officially confirmed by the ASV during a review at least once.

I am asked to confirm the information for the completed ASV scan. What should I do?

Log in to the PCI platform, go to "ASV Scans" -> "Scan Projects" and select "Details". Click the "Confirm Scan" button to answer the displayed questions.

Please note: Only then will you receive the final, confirmed scan report.

The ASV scan report has a watermark. What does it mean?

The watermark indicates that the scan is not yet finalized—either because the result is still "FAIL" or you have not yet confirmed the scan with "PASS".

Please note that an ASV scan report with a watermark will not be accepted by acquirers or other third parties.

Are there additional costs for a rescan (repeat scan)?

No, there are no additional costs for required rescans following a "FAIL".

Do vulnerabilities need to be resolved before the rescan?

Yes, this is recommended. This is the only way to improve the scan outcome in the rescan. Plan a rescan only after all vulnerabilities have been successfully remediated.

How do I schedule a rescan?

Once the scan result has reached the "Scan Review by Customer" status, you can schedule a rescan under "Details". Alternatively, you can also click "Plan New Scan" in the scan projects. The platform will then ask if you want to perform a rescan or plan an entirely new scan.

I want to conduct a rescan with a changed scope: How can I do that?

Rescans only cover the same scope as the original scan. For a changed scope, please contact pci@usd.de.

Can we remove a component from a completed scan after scanning?

No, unfortunately this is not possible. In this case, you must either plan a new scan without the relevant component or continue with the existing scan including all previously defined components.

When should I pause a scan?

From our perspective, a scan should only be paused in exceptional cases. Below are typical situations and our recommendations:

  1. The scan is taking longer than expected and you have an important business event coming up.
    Recommendation: Allow for the possibility that a scan may take longer, and start it earlier or after the event. The scan should generally have no impact on your production system, but no guarantee can be given.
  2. The scan generates unexpectedly high traffic and affects operations.
    Recommendation: Abort the scan and contact us (pci@usd.de). The scan profile can be adjusted if necessary. In such cases, we will gladly provide a new scan free of charge.
  3. The scan is taking a long time, but you do not observe any traffic on your systems and want to check if it is still active.
    Recommendation: Please contact us. If there really is a technical problem, pausing the scan usually won't help.
  4. The wrong component was accidentally selected for the scan.
    Recommendation: Abort the scan and contact us (pci@usd.de). We are generally flexible in such cases and will be happy to provide you with a new, correct scan free of charge.