Businesses on the Payment Card Industry Security Standards Council’s (PCI SSC) list of Approved Scanning Vendors (ASVs) undergo extensive testing. The tests cover how potential ASVs handle scan requests from their customers, perform scans, and report on scans. Once approved, vendors begin to assist merchants with PCI compliance; however, not all ASVs are alike. The following list provides features of a first-rate ASV.
A first-rate ASV has:
- A system for tuning scan engines. False positives hinder progress, but there is a fine line between tuning a scan engine for false positives and allowing vulnerabilities to pass the scan. A good ASV has an ongoing system for tuning scan engines to produce accurate results.
- Customer support. 24/7 support is essential. Not having answers to questions about upcoming PCI deadlines because support departments are unavailable may result in merchant fines.
- Manual verification of scan vulnerabilities. Agents manually verify vulnerabilities to ensure scan result accuracy.
- Unlimited scans and retesting. Paying for rescanning adds up, but a good ASV retests at no cost.
- Comprehensive scan engines. Multiple scan engines combine thorough tests for vulnerabilities that may otherwise lead to compromise.
- In-depth scoping for accurate compliance. In-depth scoping, or discovering all aspects of the merchant’s card processing activities, ultimately reduces liability. This is because correct compliance recommendations are given to merchants seeking to become secure and compliant.
- A renewal program. When PCI compliance validation expires, a smooth renewal program is essential to simplify the process.
- The latest technology. A good ASV uses the best scanning technology available.
- Engines configured to run light on systems. Scans shouldn’t overwhelm and bog down a merchant’s card processing environment.
- Full PCI service, not just scanning. A good ASV keeps up to date with the latest vulnerabilities. Forensics investigators, penetration testers, and on-site auditors provide information about current merchant weaknesses. From that information, the ASV helps customers avoid similar liabilities.
- Staff experience. All staff must have sufficient experience to provide the best recommendations for merchants and finely tune the vulnerability assessment.
- More than the required base elements. A good ASV doesn’t settle for base PCI SSC requirements, but goes above and beyond to ensure accurate compliance and comprehensive security.