ASV scanner

ASV-scanner is a software and hardware complex that scans connection points of an organization’s internal network to Internet resources.

Scanning is performed in accordance with PCI DSS requirements. Organizations that provide this service must have the required status (PCI ASV).

ASV scanning is mandatory for all organizations that accept bank cards for payment – for example, offline and online stores.

ASV scanning is mandatory for all organizations that accept bank cards for payment – for example, offline and online retailers.

Scanning steps

The scanning procedure is conditionally divided into several stages.

• The customer prepares the enterprise infrastructure for scanning. Identifies the part of the network infrastructure that falls within the scope of the PCI DSS standard.
• The auditor performs the scan on the appointed day in accordance with the requirements of the standard. Uses specialized equipment that is certified to perform the scan.
• At the end of the process, the client is provided with a document on the results of the audit. It also provides recommendations on how to remediate vulnerabilities.

Scanning principle

ASV Scanner is provided as a subscription service. The customer registers on the service provider’s website and selects one of the service options.

In the next step, the customer sets a schedule for scanning. Typically, the procedure is performed once a quarter. The IP address of the site (if it is white) or the domain name is specified. After that, the customer pays for the service.

The scanner checks the specified addresses for vulnerabilities, risk level and other parameters specified in the PCI DSS standard. If vulnerabilities are found, the customer will be provided with a report on each problem detailing the risk, threat level, CVSS score, CVE code and how to fix the problem.

CVSS is an open-ended industry standard against which the threat level of each vulnerability is assessed. The CVSS score is the value assigned to a vulnerability based on the threat level.

CVE (Common Vulnerabilities and Exposures) is a global list of threats and vulnerabilities. Each entry is assigned a unique number (CVE code).

The report is valid for 90 calendar days. During this period, the client is obliged to eliminate the errors found and rescan. If there are no vulnerabilities, a certificate of information system compliance with PCI DSS requirements is issued.