PCI DSS ASV Scanning


The PCI DSS has set of security requirements that needs to be followed by the merchants and service providers that store, process or transmit cardholder’s data. To comply with PCI Data security standards, merchants and service providers are required to have periodic PCI Security Scans by Approved Scanning Vendor (ASV). Approved Scanning Vendor (ASV) is an organization with a set of security services and tools to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS Requirement 11.2.2.

  • Service Objective
    The objective of PCS DSS ASV Scan Service is:

    Help validate compliance with the security requirements of PCI Data Security Standard (DSS).
    Scans help identify vulnerabilities and misconfigurations of web sites, applications, and information technology (IT) infrastructures with Internet-facing internet protocol (IP) addresses.
    Scan results provide valuable information that support efcient patch management and other security measures that improve protection against Internet attacks.

  • Scope of Service
    PCI DSS ASV Scan Service needs to be performed on all Internet-facing IP addresses and/or domains of merchant of service provider. In some cases, Companies may have many IP addresses available while only using a small number for card acceptance or processing. In these cases, we help merchants and service providers dene the appropriate scope of the scan required to comply with the PCI DSS requirements.
    Our ASV Solution tests all IT assets and recommends valuable mitigation steps to comply with PCI DSS requirements. Our ASV solution follows below measures:
    • Non-disruptive Nature – It provides only tests that do not damage the customers’ systems or data.
    • Platform Independence.
  • Process of PCI DSS ASV Scan
    All scans are performed by Cloud4C team using legitimate ASV solutions.
Step 1: Scope Validation

Customers provide us a list of all Internet-facing IP addresses and/or IP address ranges to be scanned. Cloud4C team will validate the scope of the target list and conducts ne twork probing to determine which hosts and services are active. Cloud4C team will perform following activities:

  • Ping sweeps, port scans, and route tracing
  • Foot printing of networks and systems
  • Searches for internet domain name registration
  • Domain name service (DNS) lookups
Step 2: Performing ASV Scan
  • Ping sweeps, port scans, and route tracing
Step 3: Vulnerabilities & Gap Analysis
  • gap analysis, Cloud4C team will learn about the environment and determines vulnerabilities that are present. Some vulnerabilities will be apparent by just using the information learned from the rst two steps. However, many vulnerabilities can only be investigated with probe-and-response testing. In this type of test, Cloud4C team will send data to a service or application and look for a certain response that indicates the presence of a vulnerability.
Step 4: Reporting
  • After analysis of vulnerabilities and identication of gaps, Cloud4C team will provide a detailed report of security issues found in the network which lead to non-compliance of PCI DSS requirements. Recommendations are also provided to follow PCI DSS requirements.
  • To ensure successful and smooth execution of PCS DSS ASV Scan Service, certain information and preparation need to be in place
  • Intrusion detection system/intrusion prevention system (IDS/IPS): IPS/IPS (if any) should be congured to whitelist the network trafc sourced from the IP addresses of Cloud4C during the scanning period.
  • The IP address of the scanner should be whitelisted in the customer network side.
  • Deliverables

    Upon completion of the PCI DSS ASV Scan Service, a detailed report will be sent to client, including the following:

    • Executive Summary :
      Summary of overall compliance status and compliance details of each vulnerability whether true of false are provided.
    • Findings
      A detailed, technical explanation of the ndings of the scan along with recommendation will be given.
    • Conclusion & Recommendations:
      This section provides nal recommendations and summary of the issues found during the security assessment.
  • Service delivery time
    The PCI DSS ASV Scan on about 10 External IT Assets can be completed in two business days.