What is a PCI SSC Approved Scanning Vendor?

What does it mean to be a PCI SSC Approved Scanning Vendor? The name alone explains the role to some extent: ASVs are businesses authorized and approved by the PCI SSC to scan merchants for compliance.

With that said, there is definitely some confusion out there regarding PCI ASVs and what they provide. Many merchants who have been asked to provide evidence of PCI compliance wonder whether they really need to use a PCI Approved Scanning Vendor, or whether they can simply get general vulnerability scanning from any number of security scanning vendors or consultants available on the Internet. Some scanning vendors complicate matters by masquerading as PCI Approved Scanning Vendors when they are simply third parties or middlemen, sending their customers to outside vendors with questionable records on customer service.

Why do I need a PCI SSC Approved Scanning Vendor?

For starters, you need to use a PCI ASV company because no other vendor is authorized to provide the quarterly external PCI scans that address Requirement 11.2.2 of the PCI DSS. You might see the question referenced in the SAQ document for your particular business. Item 11.2.2 part c reads “Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor?” Banks and financial institutions involved with credit card processing will not accept scan results from entities that are not on the PCI Approved Scanning Vendor list.

Further, a PCI scan report from an ASV company is formatted and structured differently from a general vulnerability report. Rather than just including a severity rating, a PCI ASV report will include the “Pass/Fail” status of each component based on the vulnerabilities discovered. This is an important distinction, because an entity with only low-severity vulnerabilities may still be considered a fail for PCI compliance. Conversely, an entity with high-severity vulnerabilities in place may be passing, especially if these concerns only affect the availability of the system tested. In most cases, only a PCI ASV scan report will be structured in a way that makes this clear.

Additionally, PCI ASV companies go through rigorous annual testing to prove that their scanning solution is effective.