Scan Preparation

Information and preparations for your PCI DSS ASV scan


What prerequisites should be met for a successful ASV scan?

The following points should be considered to ensure a smooth ASV scan process:

  1. Involve your technical service providers early: A successful ASV scan is hardly feasible without the support of IT staff responsible for the systems.
  2. Check existing certifications and scans: Clarify with your IT service providers whether they are already PCI DSS certified or if they are possibly already conducting ASV scans for your company.
  3. Register the technical administrator as a contact person: Add the responsible technical administrator as an additional contact on the PCI platform so they can accompany the entire scan process.
  4. Technical preparation: For the duration of the scan, the scan source IP ranges must be temporarily whitelisted for the IT systems to be scanned, on the firewall and other protection systems (e.g., IPS/IDS). Please check in advance whether and how this is possible and necessary.
  5. Special notes for e-commerce merchants: Since PCI DSS 4.x, an ASV scan to check the web server and webshop is mandatory for online shops. If you outsource the technical management of your website to a platform provider or agency, check whether this partner already conducts ASV scans for your company—in this case, an additional scan may not be required.
  6. Validation of scan components: If you are unsure whether you have selected the correct IT systems, feel free to contact us at pci@usd.de to validate the scan components together.

How do I schedule an ASV scan?

To schedule an ASV scan, you need your defined scan components as well as at least one active scanning quota with enough available scan components. Proceed as follows:

  1. Add scan components:
    Click “ASV Scans” in the left menu and then “Scan Components” to enter the relevant IP addresses or domains.
  2. Start scan project:
    After entering the scan components, click “Next” or go to “Scan Projects” in the menu.
    At the top, select “Schedule New Scan.”
    If you have not yet purchased a scan quota, you can do so now in the webshop.
  3. Provide scan information:
    If a quota is available, enter all necessary information about load balancers and any point-of-sale software in use. Complete all comment fields and required details to finalize planning.
  4. Select start time:
    Choose the desired start date and time for the scan. Please note: Date and time are specified in UTC (Coordinated Universal Time)—be sure to take any time difference into account.
  5. Ensure technical approval:
    Make sure the responsible hoster or administrator has enabled the required IP range for the duration of the scan.
  6. Monitor status:
    After planning, you can view the current status of your scan in the “Scan Projects” area.
    Tip: With the “Change Plan” function, you can independently adjust your scan up until the scheduled start time.

Will my systems be “attacked” during an ASV scan?

No. An ASV scan performs only non-intrusive (non-invasive), authorized external vulnerability scans. Automated checks determine whether vulnerabilities or misconfigurations are visible externally via the Internet. Potential vulnerabilities that are identified are not exploited to attack your systems or to compromise their integrity or availability. No actual attack on the system is performed, for example to verify the impact of a vulnerability. Such measures are part of a penetration test, which is not included in an ASV scan.
If you are interested in a penetration test, please contact us at vertrieb@usd.de.

Is an ASV scan useful if the website content is only accessible after login?

Yes, an ASV scan is useful in this case as well. The goal of the ASV scan is not to review your website’s business content, but to assess the technical security of the site and the underlying web server. The scanner checks whether known vulnerabilities or security-relevant characteristics are technically identifiable—regardless of whether the actual site content is only visible after login.

Do the costs of an ASV scan depend on the number of scan components (IP addresses/domains)?

Yes, the costs are based on the number of components included in the scan. You can find an overview in our current price list.

Which IP ranges need to be allowed before the scan process?

Our ASV scans are conducted exclusively from the following IP ranges:

  • 64.39.96.1 – 64.39.111.254 (CIDR 64.39.96.0/20)
  • 139.87.112.1 – 139.87.113.254 (CIDR 139.87.112.0/23) NEW

Please make sure that any existing security mechanisms such as Intrusion Detection/Prevention Systems (IDS/IPS) are configured so that the above IP ranges have unrestricted access to your target systems for the duration of the security scan. Since an external vulnerability scan may resemble a targeted attack in nature and scope, these protection mechanisms must be adjusted accordingly during the scan to avoid interruptions. All accesses by usd AG in connection with these security scans originate exclusively from the above IP addresses.
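
The following Python script is an added example, not part of usd AG's documentation or tooling. It converts a locally planned scan window to UTC for the scheduling form and then reviews firewall log lines for scanner traffic that was still dropped inside that window, which indicates an incomplete allowlist. The log format, the UTC+2 offset, the sample lines and all function names are assumptions made for illustration; only the two IP ranges come from this page.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Scanner source ranges exactly as listed on this page.
ASV_RANGES = [ipaddress.ip_network(n) for n in ("64.39.96.0/20", "139.87.112.0/23")]

def is_asv_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ASV_RANGES)

def to_utc(local: str, utc_offset_hours: int) -> datetime:
    """Convert a local 'YYYY-MM-DD HH:MM' time to UTC, as the scheduling form expects."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(local, "%Y-%m-%d %H:%M").replace(tzinfo=tz).astimezone(timezone.utc)

def blocked_scanner_events(lines, start_utc, end_utc):
    """Return (src, dst_port) pairs where scanner traffic was dropped inside the window."""
    blocked = set()
    for line in lines:
        ts, action, src, port = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if start_utc <= when <= end_utc and action == "DROP" and is_asv_source(src):
            blocked.add((src, int(port)))
    return sorted(blocked)

# Constructed sample log (hypothetical format: UTC timestamp, action, source IP, destination port).
SAMPLE_LOG = [
    "2025-06-10T20:05:11Z ACCEPT 64.39.98.20 443",
    "2025-06-10T20:05:12Z DROP 64.39.98.20 8443",   # scanner blocked: allowlist incomplete
    "2025-06-10T20:07:40Z DROP 139.87.113.7 22",    # scanner blocked, second range
    "2025-06-10T20:09:02Z DROP 203.0.113.50 22",    # not a scanner address: expected drop
    "2025-06-10T23:30:00Z DROP 64.39.98.20 8443",   # outside the scheduled window
]

if __name__ == "__main__":
    # Scan planned for 22:00-24:00 local time at UTC+2 (assumed offset) -> 20:00-22:00 UTC.
    start = to_utc("2025-06-10 22:00", 2)
    end = start + timedelta(hours=2)
    print("enter in scheduler (UTC):", start.strftime("%Y-%m-%d %H:%M"))
    for src, port in blocked_scanner_events(SAMPLE_LOG, start, end):
        print(f"scanner {src} was blocked on port {port}: adjust firewall/IPS rule")
```

Limiting the review to the scheduled window keeps drops of the same addresses outside the scan period out of the result.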

Can I determine the ASV scan schedule myself?

Yes, the planning of the ASV scan is entirely your responsibility. usd AG cannot schedule scans for you. You are required to select and schedule an appropriate time for the scan yourself.

What is the best way to scan a cloud-based solution?

Make sure a fixed IP address or FQDN is reachable during the scan. The physical location is not critical as long as the component remains externally accessible.

How do you scan if a load balancer is used? What must be considered?

To ensure the entire environment is covered by the scan, the load balancer must be synchronized with the connected systems and must forward all requests one-to-one to the backend systems during the scan.

Can FQDNs (Fully Qualified Domain Names) whose IP address changes dynamically be scanned?

Yes, this is possible as long as the IP address does not change during the scan period.

Can systems that are fronted by CloudFront be scanned?

In principle, yes—as long as there is no firewall or other protection mechanism blocking the scan requests.

I am repeatedly redirected to the webshop during scan planning. What am I doing wrong?

Please check whether you still have a suitable, not yet scheduled ASV scan available for the number of scan components you have entered. Feel free to contact us if your current order does not suffice.

Where can I check whether I still have an unscheduled ASV scan available?

You can see the number of remaining, unscheduled ASV scans in the “Scan Projects” area (left menu under “ASV Scans”). The banner will indicate the available scans. By clicking “Details” you can view not only the exact number but also the validity period of your remaining scans.

Does the ASV scan always have to be performed on a production system, or is a test system sufficient?

The scan should always be performed on the live environment. Particularly for externally accessible systems, the focus is on the security of the systems actually in productive use.