# Which systems or scan components need to be examined during a PCI DSS ASV Scan?

In the course of a PCI DSS ASV scan, all systems of the merchant or its respective service provider that process credit card data and are accessible over the internet must be examined for vulnerabilities. This applies in particular to web servers, mail servers, routers, firewalls, application servers, database servers and load balancers. IP addresses and domains are considered scan components. Domains can also be defined as virtual hosts.

If you are unsure which of your systems are affected, we will be happy to advise you.

# What are the technical requirements to enable an ASV scan by usd AG?

The following technical requirements are necessary to use the PCI DSS Platform:

  1. Make sure to use an up-to-date browser (e.g. Google Chrome, Mozilla Firefox, Microsoft Edge).
  2. Use the latest version of Acrobat Reader.
  3. Please enable JavaScript.
  4. We also recommend that you enable cookies.
  5. To perform the scan itself, you need to make additional settings in the IPS/IDS, which you will be shown during scan scheduling.

# How do I schedule an ASV Scan?

To schedule an ASV Scan, you need your defined scan components and at least one ordered scan. Then proceed as follows:

  1. Click on "Scans and Reports" in the "Security Scans and Services" section.
  2. Use the "Plan new scan" button (top right).
  3. Now select "Plan Scan" from the list of available scans.
  4. You will see the input mask for your scan planning. Please be sure to note the required settings for any IDS/IPS (Intrusion Detection Systems/Intrusion Prevention Systems) that may be present, so that our scan systems can reach the components you want to scan.
    a) Check the list of scan components and make any necessary adjustments.
    b) Read and confirm the displayed explanations.
    c) Under "Special Notes", please specify the use of load balancers as well as POS software.
    d) Under "Scan Profile", in addition to the standard scan, you can select whether the scan should be performed at an adjusted speed.
    e) Now enter your desired date (date and start time) under "Scan Date". The platform uses the coordinated universal time (UTC) for planning and performance.
    f) Complete your entries with "Plan Scan".
  5. Your ASV scan is now scheduled and also appears under "Scans and Reports".

By the way: By means of "Change schedule" you can adjust your schedule yourself before the start time.

# For which IP address range do I have to obtain access before the scanning process?

All scans are performed by our scanning systems with the following IP address ranges:
64.39.96.1 - 64.39.111.254 (CIDR 64.39.96.0/20)

Please configure any existing IDS/IPS (Intrusion Detection Systems/Intrusion Prevention Systems) in such a way that our scanning systems have unlimited access to the components to be scanned.

During a security scan, the scanning systems must have unrestricted access to the target systems. Because such a scan resembles the reconnaissance phase of a targeted attack, any mechanisms that protect against such attacks, such as intrusion detection or prevention systems (IDS/IPS), must be configured so that they do not hinder the security scanner. All accesses that usd AG attempts on your systems within the scope of such security scans originate from the IP address range 64.39.96.1 - 64.39.111.254.
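To make the allowlisting requirement concrete, here is an added example (not usd AG's code and not part of the original FAQ) that checks whether a source address lies in the announced scanner range, verifies that the dotted range and the CIDR notation describe the same block, and tags constructed iptables-style firewall log lines so that expected scan traffic can be told apart from other connection attempts. The IP range is the one stated above; the log format, the hostnames and all other addresses are constructed assumptions.

```python
import ipaddress
import re
from typing import List, Tuple

# Scanner source range as stated in the FAQ above.
ASV_FIRST = "64.39.96.1"
ASV_LAST = "64.39.111.254"
ASV_CIDR = "64.39.96.0/20"
ASV_NETWORK = ipaddress.ip_network(ASV_CIDR)


def range_matches_cidr(first: str, last: str, cidr: str) -> bool:
    """True if first..last is exactly the usable host range of cidr
    (everything except the network and broadcast addresses)."""
    net = ipaddress.ip_network(cidr, strict=True)
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    return lo == net.network_address + 1 and hi == net.broadcast_address - 1


def is_asv_source(ip: str) -> bool:
    """True if ip lies inside the announced scanner block; malformed input is False."""
    try:
        return ipaddress.ip_address(ip) in ASV_NETWORK
    except ValueError:
        return False


# Constructed iptables-style log lines (not real traffic): the first comes from
# the ASV block, the second from an unrelated host, the third from 64.39.112.1,
# which is just past the end of the /20 and must not be treated as scanner traffic.
SAMPLE_LOG = [
    "Mar  3 02:00:11 fw kernel: IN=eth0 OUT= SRC=64.39.100.7 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443",
    "Mar  3 02:00:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22",
    "Mar  3 02:00:13 fw kernel: IN=eth0 OUT= SRC=64.39.112.1 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=80",
    "Mar  3 02:00:14 fw kernel: unrelated message without address fields",
]

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def classify_log_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source, tag) per line: 'asv-scan' for the announced block,
    'other' for any other source, 'unparsed' when the line has no SRC/DST/DPT."""
    result = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            result.append(("?", "unparsed"))
        else:
            result.append((m["src"], "asv-scan" if is_asv_source(m["src"]) else "other"))
    return result


if __name__ == "__main__":
    print("range == CIDR:", range_matches_cidr(ASV_FIRST, ASV_LAST, ASV_CIDR))
    for src, tag in classify_log_lines(SAMPLE_LOG):
        print(f"{src:16} {tag}")
```

The membership test in `is_asv_source` is exactly what an IDS/IPS or firewall allowlist rule for the scan has to express: the whole /20, and nothing wider. Tagging the firewall log the same way lets the operations team confirm after the fact that the scan traffic came from the announced block and that nothing else was let through by the temporary exception.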

# What does an ASV scan process look like?

The most important steps in brief:

  1. Client: scoping (definition of the scan area by specifying the scan components).
  2. Client: planning/scheduling of the scan (if necessary, order service beforehand if you do not have a scan available)
  3. Client/usd AG: performance of the scan
  4. usd AG: Review of results and reporting to client
  5. Client: additional information and/or correction of found vulnerabilities
  6. Client: planning of a rescan (as required)
  7. usd AG: Review of the results and final reporting
  8. Client: final confirmation of the details and results and thus achievement of PCI DSS compliance for the ASV scan.

Please note that this is an exemplary course of an ASV Scan process. There may be other variants that apply individually to your scan.

# Is it possible to test the ASV Scan run beforehand?

No, this is not possible.

# Can I choose the time of the ASV scan myself?

Yes, you are basically free to choose the timing and set the date yourself via the PCI DSS Platform. We recommend that you schedule your ASV scan early in advance so that we can plan the appropriate resources for your desired date.

# Do the costs for an ASV scan depend on the number of my scan components (IP addresses/domains)?

In general, yes. Detailed information about our services and prices is available on our website or directly from the usd PCI Competence Center.

# What is the best way to scan a cloud-based solution?

The scanner needs an IP address or an FQDN. As long as all systems are reached, it is irrelevant where they are actually located.

# How do you scan if a load balancer is used?

To ensure that the environment is fully scanned, the load balancer must be synchronized with the system behind it and forward all requests without any changes.

# Can FQDNs (Fully Qualified Domain Names) with dynamically assigned IP addresses be scanned?

No. Before the scan begins, a scan component is defined that must resolve to the same IP address for the duration of the scan.
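As an added example (not part of the original FAQ and not usd AG's tooling), the following Python check helps decide before scheduling whether an FQDN scan component meets the requirement above: it takes successive DNS resolution snapshots of each component and reports any name whose answer changes over time. It also reports names that return several addresses at once, on the assumption that a round-robin answer does not satisfy "resolve to the same IP address" either. The hostnames, addresses and snapshots below are constructed.

```python
import socket
from typing import Dict, List, Set, Tuple


def snapshot(fqdn: str) -> Set[str]:
    """Resolve fqdn once and return the set of addresses in the answer.
    Call this repeatedly (e.g. every few minutes across the planned scan
    window) to build the snapshot list checked by check_component."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}


def check_component(snapshots: List[Set[str]]) -> Tuple[bool, str]:
    """Return (ok, reason) for one FQDN scan component given successive
    resolution snapshots. The component is usable only when every snapshot
    contains exactly one address and that address never changes."""
    if not snapshots:
        return False, "no resolution data"
    first = snapshots[0]
    for i, answers in enumerate(snapshots):
        if not answers:
            return False, f"snapshot {i} returned no address"
        if len(answers) > 1:
            return False, f"snapshot {i} returned several addresses: {sorted(answers)}"
        if answers != first:
            return False, (f"address changed between snapshot 0 and {i}: "
                           f"{sorted(first)} -> {sorted(answers)}")
    return True, f"stable at {next(iter(first))}"


def unstable_components(observed: Dict[str, List[Set[str]]]) -> Dict[str, str]:
    """Map every scan component that fails check_component to the reason."""
    failures = {}
    for name, snaps in observed.items():
        ok, reason = check_component(snaps)
        if not ok:
            failures[name] = reason
    return failures


# Constructed observations (not real resolutions): three FQDNs watched across
# three snapshots. Only the first one is a valid scan component as defined above.
OBSERVED = {
    "shop.example.com": [{"203.0.113.10"}, {"203.0.113.10"}, {"203.0.113.10"}],
    "api.example.com": [{"203.0.113.20"}, {"203.0.113.21"}, {"203.0.113.20"}],
    "cdn.example.com": [{"198.51.100.5", "198.51.100.6"},
                        {"198.51.100.5", "198.51.100.6"},
                        {"198.51.100.6", "198.51.100.5"}],
}


if __name__ == "__main__":
    for name, snaps in OBSERVED.items():
        ok, reason = check_component(snaps)
        print(f"{name:18} {'OK ' if ok else 'FAIL'} {reason}")
```

A component that fails this check should be registered by its fixed IP address instead, or the DNS record pinned for the scan window; otherwise the scanner and the report may end up describing different hosts.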

# Can systems behind CloudFront be scanned?

In principle, any IP address can be scanned. However, it is important to ensure that no firewalls or similar mechanisms could block the scan.


Do you have further questions?

Our PCI Competence Center is available to provide assistance. Please use our Contact Form to send us your inquiry directly. Alternatively, you can send us your inquiry via Email to pci@usd.de or leave a voicemail via telephone at +49 (0) 6102 8631-90.