PCI Authorized Scanning Vendor (ASV)
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard established to protect cardholder information, whether the threat comes from within the organization handling the card or from external parties. Compliance with PCI DSS is mandatory for all organizations dealing with credit, debit and ATM cards, as defined by the PCI Security Standards Council (PCI SSC).
To be considered compliant, your organization must adhere to all the conditions specified by the PCI DSS requirements, thus strengthening the security of the cardholder information you handle as an organization. One of those requirements (11.2.2) is to have an ASV conduct vulnerability scans against your externally visible devices and websites.
NCI’s ASV scanning services satisfy PCI Requirement 11.2.2, under which quarterly external vulnerability scans must be performed by an Authorized Scanning Vendor (ASV). NCI is the ONLY Canadian-based Authorized Scanning Vendor (ASV) AND Qualified Security Assessor (QSA), approved by the Payment Card Industry Security Standards Council (PCI SSC).
If your staff has the know-how to conduct their own scans, then NCI can take a backseat and just respond to your false positives and final report submissions. If you need a bit more help, NCI’s ASV scanners, working with our Manager Services support engineers, will take on more of the workload, keeping your external scanning obligations as minimal as possible. We’d love to do it all for you, but there are still some things you’ll have to do: specifying the devices to be scanned, fixing issues, and submitting reports to your bank.
Want to scan more frequently than your PCI quarterly obligations?
The NCI scanning engine will allow you to conduct unlimited scans against any combination of the external devices in your ASV subscription:
- Scan all your external devices
- Scan only the one device giving you an issue
- Continue to scan that one device until the issue is fixed
Each scan provides a full report as well as an online portal to review all vulnerabilities.
The NCI Approach:
Unlike other ASV solutions, which are largely self-service, NCI’s solution is full service. We will help you through each step of the process:
- Initial setup, including inputting your cardholder data environment scope to ensure the correct assets are scanned
- Schedule required annual quarterly scans
- Provide you with knowledge to perform your own manual scans on-demand
- Demonstrate how to review your scans and submit false positives if necessary
- Monitor and review all scans and actively assess your submitted false positives to ensure accurate results
- Rescan any device that had failing results once mitigation is completed
- Assist in configuring optional automatic submissions to your acquiring bank once your report has been attested
- Demonstrate how to access SAQ functionality
As external networks are at greater risk of compromise, quarterly external vulnerability scanning must be performed by a PCI SSC Approved Scanning Vendor (ASV). You already have enough to worry about; let NCI help you meet this obligation.