PCI Scanning and Approved Scanning Vendors

As a merchant, you often have to deal with Payment Card Industry (PCI) standards and regulations to maintain your compliance and keep your customers and the payment card brands happy.  One of the things you need to do to be compliant is to make arrangements with an Approved Scanning Vendor to scan your website for vulnerabilities.  This may appear to be a hassle, but it is a relatively simple process.

Approved Scanning Vendors, or ASVs, are companies approved by the PCI council to conduct external vulnerability scanning services.  They use an automated scanning tool that checks your internet-facing systems for security flaws that could allow a malicious entity to harm your website or steal information (such as credit card numbers).  The PCI council currently lists 149 ASVs for you to choose from.

Once you have chosen your ASV, you will need to begin the first of your quarterly scans.  You will give the ASV your website’s domain name and schedule a time for them to conduct the scan.  Once the scan is completed, you will be given a report that lists any vulnerabilities your website may be susceptible to.  It is common for these reports to rate each finding on a numerical scale of 1 to 5, with a category 5 finding being the most severe.  Lower numbers are typically only informational and do not require remediation.

So what do you do if you have vulnerabilities that take you out of PCI compliance?  Fix them!  Often all that is required is a software update or a minor configuration change on the server hosting the website.  If you are hosting your website with a third party, you can give them the ASV report and work with them to get the vulnerabilities resolved.  When you believe that all major vulnerabilities have been addressed, you can schedule your ASV to rescan your website.
