Scan Conduction

Information about the conduction of a scan, further processing and a possible rescan.



How long does the actual scanning process take?

The duration of a PCI DSS ASV scan depends on the number and type of services accessible on the target system. As a guideline, the ASV scan takes about 2 hours per scan component (IP address or domain).

What does an ASV scan process look like?

The most important steps in brief:

  1. Client: scoping (definition of the scan area by specifying the scan components).
  2. Client: planning/scheduling of the scan (if necessary, order service beforehand if you do not have a scan available)
  3. Client/usd AG: performance of the scan
  4. usd AG: Review of results and reporting to client
  5. Client: additional information and/or correction of found vulnerabilities
  6. Client: planning of a rescan (as required)
  7. usd AG: Review of the results and final reporting
  8. Client: final confirmation of the details and results and thus achievement of PCI DSS compliance for the ASV scan.

Please note that this is an example of how an ASV scan process may run. Other variants may apply to your individual scan.

My scan has been performed. When will I receive my result from the review?

After your scan has been completed, the results are sent to our ASV team for review. This review is not automatic, but a manual and individual process. We can usually provide you with the review result within 24 hours on business days.

What information do I receive after a completed ASV Scan?

After a PCI DSS ASV Scan is completed, you will be notified of the completion of the scan via email to the address you have provided. After that, the reports will be generated in PDF format (ASV Scan Report Summary and ASV Scan Vulnerability Details as a technical report), which you can view and download from the Platform. Depending on the result of your scan, further steps are required for the scanning process and to achieve PCI DSS compliance. We will also notify you of the required steps via email.

I am asked to provide supplemental information. How do I proceed?

  1. Log in to the PCI Platform with your user name (email address) and password.

  2. Click on "Scans and Reports" in the "Security Scans and Services" section.

  3. You will now be shown your scans in the overview. In the footer of your most recent scan, select the action "Review scan result". Under "Scan Details" you will find the scan history summary.

  4. On the following pages, complete the information requested. Important: Your comments must be written in English.

These statements are possible:

  • Indicate why some of your scan components were not accessible.
  • Add the missing information under "Supplementary information" per line or answer the questions listed there. The items "Result", "Consequence", "Diagnosis" and "Solution" provide you with further information and possible solutions.
  • If vulnerabilities have been found and you want to report them as false positives, you can add your comments using the chat function in the "Vulnerabilities" view. Note: If the vulnerabilities are not false positives, fix the vulnerabilities and perform a rescan.
  5. Save and submit your information to us by clicking "Submit to ASV Review."

I am prompted to confirm the details of the ASV scan performed. How do I proceed?

In order to provide you with the official ASV Scan Report with the status "compliant", a final (formal) confirmation of your information on the scope of the scan is necessary.

This is how you proceed now:

  1. Log in to the PCI Platform with your user name (email address) and password.
  2. Click on "Scans and Reports" in the "Security Scans and Services" section.
  3. Select the "Confirm scan" button and answer the questions listed there.

Please note: After confirming your information you will receive the final status of your PCI DSS ASV scan including the download option of your documents. You will find both in the "Security Scans and Services" section under "Scans and Reports".

What happens if an ASV scan is not successful?

In this case we will inform you by email about the unsuccessful scan. In the generated PDF reports we will give you recommendations on how to adjust the configuration of your systems in order to achieve a successful scan result. After you have implemented the appropriate measures, a rescan (repeat scan) can be scheduled, which re-examines all scan components specified for the scan. The rescan will verify whether a successful result can now be achieved.

Is there an additional cost for a rescan (repeated scan) after I have closed the vulnerabilities in my system?

If the scan result is "fail", you have the option of unlimited free rescans of your scan components within four weeks. If you have not closed the vulnerabilities found and perform the rescan, the result would again be rated as "fail". Therefore, a rescan can only be scheduled if the found vulnerabilities have been closed.

How do I schedule a rescan?

To schedule a rescan, use the "Rescan" button located within your scan overview in the "Scans & Reports" menu item.

The rescan can only be scheduled if you can confirm the following statements:

  1. The vulnerabilities found on your systems in the current scan have been fixed.
  2. The review of the current scan can be aborted and automatically rated as "non-compliant".

I want to run a rescan with a changed scope. How do I do this?

Rescans can only be scheduled by you for the scope of the original scan. For a rescan with modified scope, please contact the PCI Competence Center (pci@usd.de).

We are unable to complete our scan due to internal processes that are still pending clarification. What can we do to complete the scan with a compliant rating in time?

In order for the scan to be rated compliant, all outstanding issues must be addressed. For potential vulnerabilities, either a false positive must be substantiated or the vulnerability must be fixed and rescanned. For special notes, the issue must also be substantiated or mitigated.

There are still connections coming in on port 80, although the scan components are specifically set to port 443. However, the connections coming in on port 80 are automatically forwarded to port 443.

Since this is a full port scan, every single port is scanned. The port 80/443 settings apply exclusively to the virtual hosts.

Do you have further questions?

Our PCI Competence Center is available to provide assistance. Please use our Contact Form to send us your inquiry directly. Alternatively, you can send us your inquiry via Email to pci@usd.de or leave a voicemail via telephone at +49 (0) 6102 8631-90.