Approved Scanning Vendor – PCI

    • #8140
      24772433
      Participant

      Is it possible for an individual to perform a PCI scan or does that person have to be a member of an approved company (ASV)? Can somebody qualified to conduct PCI scans do this on a freelance basis?

      Thanks in advance!

    • #51497
      Triban
      Participant

      Check their site out for answers: https://www.pcisecuritystandards.org/approved_companies_providers/become_qsa.php

      Based on the language there, I’d say you would need to be an employee of a vetted QSA firm.

    • #51498
      ziggy_567
      Participant

      External scan reports must be generated through an ASV company. An important distinction is that the person running the scan does not have to be an employee of the ASV company. You can manage your own scans through the ASV’s portal. The report will contain a page that has the ASV number associated with the company that performed the scan. If you’re ever audited or have to submit your report to your acquiring bank, the auditor/bank will be looking for that number on the report. Basically, you cannot scan your own perimeter with your own copy of Nessus, generate a report, and say you’re compliant. It must be done by an ASV company.

      Internal scan reports can be done by anyone knowledgeable in Vulnerability Scanning/Management. It should not be managed by a person responsible for maintaining the systems being scanned, though (separation of duties).

      Hope that helps.

    • #51499
      24772433
      Participant

      Thanks for the replies, guys. All very helpful.

    • #51500
      ziggy_567
      Participant

      Also, after re-reading your original post, I see there might be some confusion on what an ASV is.

      A company is certified as being an ASV. The “V” stands for vendor. There are not individual (person) ASVs. You can verify this by browsing the published list:

      https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php#

      Any person can use the ASV products of any of these companies to produce scan reports that will be accepted for a PCI QSA audit. It doesn’t matter if you are an employee of an ASV, the company being scanned, or some other third party.

    • #51501
      tturner
      Participant

      Internal scans can be done by any “qualified” internal security person. PCI does not define what qualified means but I suspect the day will come when they start requiring internal folks to become ISA or PCIP. Your QSA determines whether this is being properly managed, not the council. Yes, much room for interpretation. Welcome to PCI.

      External (internet facing) scans must be done by the ASV. The ASV MUST do the scanning but you will have access to the reports. The ASV will also handle documentation for exceptions. The ASV is responsible for the validity of that scan, and their license depends on its accuracy. The customer cannot manage that process but they can certainly work with their ASV for remediation consulting and providing documentation to support requested exceptions. What confuses people is you might have access to manage a hosted scanner in your ASV environment. It’s not the same as the ASV console.

      ASV certification IS awarded to qualified individuals but only if they work for an ASV company. See https://www.pcisecuritystandards.org/training/asv_training.php for more info.

    • #169235
      Michael J. Conway
      Participant

      I am not a PCI guy but have used an ASV for doing audits of customers in the past. Basically the requirement was that the scan vendor be on the approved list. It’s really messed up in that PCI only looks at a small chunk of the security posture of an organization. It is possible that while the payment card piece is “secure” the rest of the infrastructure is relatively wide open and provides a way in for the attacker. Take the Target breach from a few years back. The attacker compromised the supply chain. Anyway, there is more to security than just being compliant with a given standard.


Copyright ©2021 Caendra, Inc.
