Which systems or scan components need to be examined during an ASV Scan?
In the course of an ASV scan, all systems of the merchant or its respective service provider that process credit card data and are accessible over the internet must be examined for vulnerabilities. This applies in particular to web servers, mail servers, routers, firewalls, application servers, database servers and load balancers. IP addresses and domains are considered scan components. Domains can also be defined as virtual hosts.
If you are unsure which of your systems are affected, we will be happy to advise you.
What are the technical requirements to enable an ASV scan by usd AG?
The following technical requirements are necessary to use the PCI Platform:
- Make sure to use an up-to-date browser (e.g. Google Chrome, Mozilla Firefox, Microsoft Edge).
- Use the latest version of Acrobat Reader.
- Please enable JavaScript.
- We also recommend that you enable cookies.
- To perform the scan itself, you must also adjust the settings of any active firewall or IDS/IPS so that the scanner is not blocked; the required settings are shown to you during scan scheduling.
How do I schedule an ASV Scan?
To schedule an ASV Scan, you need both your defined scan components and at least one ordered scan. Then proceed as follows:
- To add scan components, click on "ASV Scans" in the menu on the left-hand side and then the sub-item "Scan components".
- After entering the scan components, click on "next" or go back to "Scan projects".
- Select "Plan new scan" in the header. If you have not yet activated a scan quota, please do so now.
- If you already have a quota, please schedule the scan now, providing the necessary information on the load balancer and any point-of-sale software used. Please make sure to enter all comment fields and details in order to complete the scan planning.
- Next please specify the start date for the scan. Please note that the date and time are scheduled in UTC.
- It is also essential to arrange with your hoster or responsible administrator that the scanner IP address range is allowed through before the scan starts.
- After completing the planning, you can view the status of the scan in the "Scan projects" area.
Note: Using "Change schedule" you can adjust your schedule yourself at any time before the start time.
For which IP address range do I have to obtain access before the scanning process?
All scans are performed by our scanning systems with the following IP address ranges:
64.39.96.1 - 64.39.111.254 (CIDR 64.39.96.0/20)
139.87.112.1 - 139.87.113.254 (CIDR 139.87.112.0/23) (new)
Please configure any existing IDS/IPS (Intrusion Detection Systems/Intrusion Prevention Systems) in such a way that our scanning systems have unlimited access to the components to be scanned.
During a security scan, the scanning systems must have unrestricted access to the target systems. Because such a scan closely resembles the reconnaissance phase of a targeted attack on your systems, any mechanisms that protect against such attacks, such as intrusion detection or prevention systems (IDS/IPS), must be configured so that they do not interfere with the security scanner. All access that usd AG attempts on your systems within the scope of these security scans originates from the IP address ranges 64.39.96.1 - 64.39.111.254 and 139.87.112.1 - 139.87.113.254.
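As an added example (not part of the original FAQ and not usd AG's tooling), the following Python snippet shows how a SOC can verify that the published ranges are consistent with their CIDR blocks, and how IDS alerts from those ranges during the scheduled scan window (which the platform schedules in UTC) can be tagged as expected scanner traffic rather than escalated. The alert line format, the 203.0.113.10 target and the scan window are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# ASV scanner source ranges as published in this FAQ.
ASV_SCANNER_NETWORKS = [
    ipaddress.ip_network("64.39.96.0/20"),
    ipaddress.ip_network("139.87.112.0/23"),
]


def is_asv_scanner(ip: str) -> bool:
    """True if the address lies inside one of the published scanner ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ASV_SCANNER_NETWORKS)


def range_matches_cidr(first: str, last: str, cidr: str) -> bool:
    """Sanity check: the first-last range stated in prose lies within the CIDR block."""
    net = ipaddress.ip_network(cidr)
    return ipaddress.ip_address(first) in net and ipaddress.ip_address(last) in net


# Constructed IDS alert lines (hypothetical format, not real data); timestamps are UTC.
SAMPLE_ALERTS = [
    '2024-05-01T02:15:00 ALERT src=64.39.100.7 dst=203.0.113.10 sig="port scan"',
    '2024-05-01T02:20:00 ALERT src=198.51.100.23 dst=203.0.113.10 sig="port scan"',
    '2024-05-01T07:00:00 ALERT src=139.87.113.5 dst=203.0.113.10 sig="web attack"',
]
# Constructed scan window, as it would be scheduled on the platform (UTC).
WINDOW_START = datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 1, 4, 0, tzinfo=timezone.utc)

LOG_RE = re.compile(r'^(\S+) ALERT src=(\S+) dst=\S+ sig="[^"]*"$')


def classify_alert(line: str, start: datetime, end: datetime) -> str:
    """'expected-asv' for scanner-range sources inside the window, else 'investigate'."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
    if is_asv_scanner(m.group(2)) and start <= ts <= end:
        return "expected-asv"
    return "investigate"


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(classify_alert(line, WINDOW_START, WINDOW_END), "<-", line)
```

Scanner traffic outside the agreed window, or from any other source, still lands in the "investigate" bucket, so the allowlisting stays tied to the schedule rather than being permanent.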
What does an ASV scan process look like?
The most important steps in brief:
- Client: scoping (definition of the scan scope by specifying the scan components)
- Client: planning/scheduling of the scan (if necessary, order the service beforehand if you do not have a scan available)
- Client/usd AG: performance of the scan
- usd AG: review of results and reporting to the client
- Client: additional information and/or correction of the vulnerabilities found
- Client: planning of a rescan (as required)
- usd AG: review of the results and final reporting
- Client: final confirmation of the details and results, and thus achievement of PCI DSS compliance for the ASV scan
Please note that this is an example of a typical ASV Scan process. Other variants may apply individually to your scan.
Is it possible to test the ASV Scan run beforehand?
No, this is not possible.
Can I choose the time of the ASV scan myself?
Yes, you are basically free to choose the timing and set the date yourself via the PCI Platform. We recommend that you schedule your ASV scan early in advance so that we can plan the appropriate resources for your desired date.
Do the costs for an ASV scan depend on the number of my scan components (IP addresses/domains)?
In general, yes. Detailed information about our services and prices is available on our website or directly from the usd PCI Competence Center.
What is the best way to scan a cloud-based solution?
The scanner needs an IP address or an FQDN. As long as all systems are reachable from the scanner, it is irrelevant where they are actually hosted.
How do you scan if a load balancer is used?
To ensure that the environment is fully scanned, the systems behind the load balancer must be synchronized (configured identically), and the load balancer must forward all requests to them without modification.
Can FQDNs (Fully Qualified Domain Names) with dynamically assigned IP addresses be scanned?
Yes, you only need to ensure that the IP address does not change during the scanning process.
Can systems behind CloudFront be scanned?
In principle, any IP address can be scanned. However, it is important to ensure that no firewalls or similar mechanisms could block the scan.