Document Comparison

ASV_Program_Guide_v3.1.pdf → ASV_Program_Guide_v3.2.pdf
96% similar
53 → 51 Pages
20071 → 19960 Words
152 Content Changes

Content Changes

152 content changes. 53 administrative changes (dates, page numbers) hidden.

Added p. 2
February 2010 1.0 Approved Scanning Vendors (ASV) Program Guide Reference Document 1.0 of the PCI (DSS) 1.2: this is the first release of the ASV Program Guide. Constructed by the ASV Taskforce and finalized by PCI SSC’s Technical Working Group (TWG) and approved by the PCI SSC Executive Committee.
Added p. 36
• Removal of the software by the scan customer

• If the software is needed for business,
  o The scan customer’s declared business need for the software.
  o The scan customer’s declaration that the software is implemented with strong security controls, as well as the details that comprise those controls.
  o Actions taken by the scan customer to secure the software, as well as the details that comprise those controls.
Added p. 39
• Determine whether the dispute can be validated remotely (from the ASV) and:
  o If remotely validated, update the scan report.
Removed p. 2
• Anonymous (non-authenticated) key-exchange protocols

• Embedded links from out-of-scope domains
Modified p. 2
Virtualization Components Added guidance for aggregating multiple failing scan reports to total one passing scan report.
• Anonymous (non-authenticated) key-exchange protocols • Embedded links from out-of-scope domains • Insecure Services • Unknown Services • Virtualization Components Added guidance for aggregating multiple failing scan reports to total one passing scan report.
Modified p. 2
Clarification of passing scan report being the initial scan or the result of multiple failing scans in Appendix A: Attestation of Scan Compliance.
Clarification of passing scan report being the initial scan or the result of multiple failing scans in Appendix A: Attestation of Scan Compliance.
Modified p. 2
Allow ASVs to omit Low severity/non-compliance impacting vulnerabilities from Appendix B: ASV Scan Report Summary.
Allow ASVs to omit Low severity/non-compliance impacting vulnerabilities from Appendix B: ASV Scan Report Summary.
Modified p. 2
Require ASVs to report all detected/open ports and services in Appendix C: Scan Report Vulnerability Details.
Require ASVs to report all detected/open ports and services in Appendix C: Scan Report Vulnerability Details.
Removed p. 4
• Payment Card Industry (PCI) Qualification Requirements for Approved Scanning Vendors (ASV)

PCI SSC updates PCI DSS requirements in accordance with a standards lifecycle management process. The ASV Program Guide may be updated when threats evolve, or as necessary to reflect changes to the PCI DSS.

The final published version of this document supersedes ASV Program Guide v3.0.

ASVs may begin using this document and the included report templates immediately, and must implement the requirements set forth in this document effective 1 July, 2018.
Modified p. 4
Requirement 11.2.2 of the PCI DSS requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) approved by PCI SSC. The PCI DSS provides the foundation for this and all other PCI DSS-related requirements and procedures.
PCI DSS Requirement 11.2.2 requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) approved by PCI SSC. PCI DSS provides the foundation for this and all other PCI DSS-related requirements and procedures.
Modified p. 4
In regard to the ASV Program, the following additional documents are used in conjunction with the PCI DSS:
In regard to the ASV Program, the following additional documents are used in conjunction with PCI DSS:
Modified p. 4
Payment Card Industry (PCI) Data Security Standard and Payment Application Data Security Standard Glossary of Terms, Abbreviations, and Acronyms
Payment Card Industry (PCI) Data Security Standard and Payment Application Data Security Standard Glossary of Terms, Abbreviations, and Acronyms • Payment Card Industry (PCI) Qualification Requirements for Approved Scanning Vendors (ASV)
Modified p. 4
Note: The PCI DSS provides the specific technical requirements and assessment procedures used by merchants and service providers to validate PCI DSS compliance and document the assessment. PCI DSS Requirement 11.2.2 specifically requires quarterly external vulnerability scans that must be performed by an ASV. The ASV Qualification Requirements define the requirements that must be met by an ASV in order to perform PCI DSS quarterly external vulnerability scans for ASV Program purposes.
Note: PCI DSS provides the specific technical requirements and assessment procedures used by merchants and service providers to validate PCI DSS compliance and document the assessment. PCI DSS Requirement 11.2.2 specifically requires quarterly external vulnerability scans that must be performed by an ASV. The ASV Qualification Requirements define the requirements that must be met by an ASV in order to perform PCI DSS quarterly external vulnerability scans for ASV Program purposes.
Modified p. 4
PCI SSC reserves the right to change, amend, or withdraw the PCI DSS and/or ASV Requirements at any time, and works closely with its community of Participating Organizations regarding such changes.
PCI SSC reserves the right to change, amend, or withdraw PCI DSS and/or ASV Requirements at any time, and works closely with its community of Participating Organizations regarding such changes.
Modified p. 5
Scan customers benefit from a broad selection of ASVs and gain assurance that if they use ASV scan solutions, those solutions have been validated by an ASV Validation Lab as satisfying applicable PCI DSS requirements.
Scan customers benefit from a broad selection of ASVs and gain assurance that if they use ASV scan solutions, those solutions have been validated by an ASV Validation Lab as satisfying applicable PCI DSS requirements.
Modified p. 5
Consumers gain assurance that merchants and service providers are receiving vulnerability scans from validated ASV scan solutions.
Consumers gain assurance that merchants and service providers are receiving vulnerability scans from validated ASV scan solutions.
Modified p. 5
Acquiring banks and Participating Payment Brands receive consistent reports to help demonstrate merchant and service provider compliance with applicable PCI DSS requirements.
Acquiring banks and Participating Payment Brands receive consistent reports to help demonstrate merchant and service provider compliance with applicable PCI DSS requirements.
Modified p. 5
Technical requirements for ASV scan solutions Reporting requirements for ASV scan solutions Processes for determining scan customers’ compliance with PCI DSS external vulnerability scanning requirements using an ASV scan solution ASV testing and approval processes Quality assurance processes for ASVs Scan requirements and guidance for scan customers
Technical requirements for ASV scan solutions Reporting requirements for ASV scan solutions Processes for determining scan customers’ compliance with PCI DSS external vulnerability scanning requirements using an ASV scan solution ASV testing and approval processes Quality assurance processes for ASVs Scan requirements and guidance for scan customers
Modified p. 6
Operate the ASV scan solution. Work with scan customer to coordinate and resolve matters. Review and interpret scan results, as needed. Generate the scan report. Submit the scan report to the scan customer.
Operate the ASV scan solution. Work with scan customer to coordinate and resolve matters. Review and interpret scan results, as needed. Generate the scan report. Submit the scan report to the scan customer.
Removed p. 8
• Fines or penalties for non-compliance 4.2 PCI SSC

• Maintains the ASV Program Guide and ASV Qualification Requirements (including the ASV Agreement)

• Provides training for ASV Companies and ASV Employees

• Evaluates ASV Company and ASV Employee qualifications to perform external vulnerability scans in accordance with PCI DSS and ASV Program requirements

• Maintains the List of Approved Scanning Vendors on the Website
Modified p. 8
– ASVs, QSAs, and PCI SSC – participate more directly in the PCI DSS assessment process. Stakeholders that are not directly involved with the assessment process should nonetheless be aware of the overall process to facilitate associated business decisions.
– ASVs, QSAs, and PCI SSC – participate more directly in PCI DSS assessment process. Stakeholders that are not directly involved with the assessment process should nonetheless be aware of the overall process to facilitate associated business decisions.
Modified p. 8
The following describes the high-level roles and responsibilities of the stakeholders in the payment community as they relate to the PCI DSS and ASV Program.
The following describes the high-level roles and responsibilities of the stakeholders in the payment community as they relate to PCI DSS and ASV Program.
Modified p. 8
Requirements, mandates, or dates for PCI DSS compliance
Requirements, mandates, or dates for PCI DSS compliance • Fines or penalties for non-compliance 4.2 PCI SSC
Modified p. 8
Maintains a quality assurance program for ASVs 4.3 Approved Scanning Vendors An ASV is an organization with an ASV scan solution (i.e., a set of security services and tools) used to validate adherence to the external scanning requirements of PCI DSS Requirement 11.2.2. The ASV’s ASV scan solution must be tested by an ASV Validation Lab and approved by PCI SSC before that ASV is added to the list of Approved Scanning Vendors.
• Maintains the ASV Program Guide and ASV Qualification Requirements (including the ASV Agreement) • Provides training for ASV Companies and ASV Employees • Evaluates ASV Company and ASV Employee qualifications to perform external vulnerability scans in accordance with PCI DSS and ASV Program requirements • Maintains the List of Approved Scanning Vendors on the Website • Maintains a quality assurance program for ASVs 4.3 Approved Scanning Vendors An ASV is an organization with an ASV scan solution (i.e., a …
Modified p. 8
Performing external vulnerability scans in accordance with PCI DSS Requirement 11.2.2, this document and other supplemental guidance published by PCI SSC.
Performing external vulnerability scans in accordance with PCI DSS Requirement 11.2.2, this document and other supplemental guidance published by PCI SSC.
Modified p. 8
Maintaining the security and integrity of systems and tools used to perform such scans.
Maintaining the security and integrity of systems and tools used to perform such scans.
Modified p. 8
Ensuring that such scans:
Ensuring that such scans:
Modified p. 9
Consulting with the scan customer to determine whether components found, but not provided by the scan customer, should be included in the scope of the scan.
Consulting with the scan customer to determine whether components found, but not provided by the scan customer, should be included in the scope of the scan.
Modified p. 9
Providing a determination as to whether the scan customer’s components have met the scanning requirements.
Providing a determination as to whether the scan customer’s components have met the scanning requirements.
Modified p. 9
Providing adequate documentation within the scan report to demonstrate the compliance or non-compliance of the scan customer’s components with the scanning requirements.
Providing adequate documentation within the scan report to demonstrate the compliance or non-compliance of the scan customer’s components with the scanning requirements.
Modified p. 9
Submitting (to the scan customer) the ASV Scan Report Attestation of Scan Compliance cover sheet (an “Attestation of Scan Compliance”) and the scan report in accordance with the instructions of the scan customer’s acquirer(s) and/or Participating Payment Brand(s).
Submitting (to the scan customer) the ASV Scan Report Attestation of Scan Compliance cover sheet (an “Attestation of Scan Compliance”) and the scan report in accordance with the instructions of the scan customer’s acquirer(s) and/or Participating Payment Brand(s).
Modified p. 9
Including required scan customer and ASV Company attestations in the scan report in accordance with this document and applicable ASV Program requirements.
Including required scan customer and ASV Company attestations in the scan report in accordance with this document and applicable ASV Program requirements.
Modified p. 9
Retaining scan reports and related work papers and work product for three (3) years, as required by the ASV Qualification Requirements.
Retaining scan reports and related work papers and work product for three (3) years, as required by the ASV Qualification Requirements.
Modified p. 9
Providing the scan customer with a means for disputing findings of scan reports.
Providing the scan customer with a means for disputing findings of scan reports.
Modified p. 9
Maintaining an internal quality assurance process for its ASV Program-related efforts in accordance with this document and applicable ASV Program requirements.
Maintaining an internal quality assurance process for its ASV Program-related efforts in accordance with this document and applicable ASV Program requirements.
Modified p. 9
Configuring and maintaining their ASV testing laboratory environment and Test Bed in accordance with PCI SSC coordination and instructions.
Configuring and maintaining their ASV testing laboratory environment and Test Bed in accordance with PCI SSC coordination and instructions.
Modified p. 9
Assessing and scoring scan test reports submitted by scanning vendors upon completion of the scan test for the vendor’s candidate or approved ASV scan solution.
Assessing and scoring scan test reports submitted by scanning vendors upon completion of the scan test for the vendor’s candidate or approved ASV scan solution.
Modified p. 9
Conducting debriefing sessions with the scanning vendor to provide the test results and feedback on the scan solution’s performance.
Conducting debriefing sessions with the scanning vendor to provide the test results and feedback on the scan solution’s performance.
Modified p. 9
Performing PCI DSS Assessments in accordance with the PCI DSS, which includes confirming that PCI DSS Requirement 11.2.2 is “in place” and that the ASV and ASV scan solution were both on the list of Approved Scanning Vendors on the date when the respective scans were performed.
Performing PCI DSS Assessments in accordance with PCI DSS, which includes confirming that PCI DSS Requirement 11.2.2 is “in place” and that the ASV and ASV scan solution were both on the list of Approved Scanning Vendors on the date when the respective scans were performed.
Modified p. 9
Providing an opinion about whether the assessed entity meets applicable PCI DSS requirements in accordance with QSA Program requirements.
Providing an opinion about whether the assessed entity meets applicable PCI DSS requirements in accordance with QSA Program requirements.
Modified p. 9
Providing adequate documentation within the Report on Compliance (ROC) to demonstrate the assessed entity’s compliance with the PCI DSS.
Providing adequate documentation within the Report on Compliance (ROC) to demonstrate the assessed entity’s compliance with PCI DSS.
Removed p. 10
• Submitting the ROC and the Attestation of Validation (signed by the QSA and in some cases, the assessed entity).

• Coordinating with the scan customer’s Internet service provider (ISP) and/or hosting providers to allow ASV scans. See Section 5.5.2, “Internet Service Providers and Hosting Providers.”

• Attesting to proper scoping and network segmentation (if IP addresses or other components are excluded from scan scope) within the ASV scan solution. See Section 7.3, “Scan Customer and ASV Attestations.”
Modified p. 10
Maintaining an internal quality assurance process for its QSA program-related efforts.
Maintaining an internal quality assurance process for its QSA program-related efforts.
Modified p. 10
Maintaining compliance with the PCI DSS at all times, which includes properly maintaining the security of their Internet-facing systems.
Maintaining compliance with PCI DSS at all times, which includes properly maintaining the security of their Internet-facing systems.
Modified p. 10
Selecting an ASV from the list of Approved Scanning Vendors from the Website to conduct quarterly external vulnerability scanning in accordance with PCI DSS Requirement 11.2.2 and this document using an ASV scan solution.
Selecting an ASV from the list of Approved Scanning Vendors from the Website to conduct quarterly external vulnerability scanning in accordance with PCI DSS Requirement 11.2.2 and this document using an ASV scan solution.
Modified p. 10
Performing due diligence in its ASV selection process, per the scan customer’s due-diligence processes, to obtain assurance as to the ASV’s qualification, capability, experience, and level of trust in performing scanning services required by the PCI DSS.
Performing due diligence in its ASV selection process, per the scan customer’s due-diligence processes, to obtain assurance as to the ASV’s qualification, capability, experience, and level of trust in performing scanning services required by PCI DSS.
Modified p. 10
To the degree deemed appropriate by the scan customer, monitoring Internet-facing systems, active protection systems, and network traffic during the scan, to assure an acceptable level of trust is maintained.
To the degree deemed appropriate by the scan customer, monitoring Internet-facing systems, active protection systems, and network traffic during the scan, to assure an acceptable level of trust is maintained.
Modified p. 10
Defining the scope of external vulnerability scanning, which includes: o Providing the IP addresses and/or domain names of all Internet-facing systems to the ASV so the ASV can properly conduct a full scan. o Implementing proper network segmentation for any external-facing components excluded from the scope.
Defining the scope of external vulnerability scanning, which includes: o Providing the IP addresses and/or domain names of all Internet-facing systems to the ASV so the ASV can properly conduct a full scan. o Implementing proper network segmentation for any external-facing components excluded from the scope.
Modified p. 10
Ensuring that devices do not interfere with the ASV scan, including: o Configuring active protection systems so they do not interfere with the ASV’s scan, as required by this document. See Section 5.6, “ASV Scan Interference.” o Coordinating with the ASV if the scan customer has load balancers in use. See “Account for Load Balancers” in Section 6.1.
Ensuring that devices do not interfere with the ASV scan, including: o Configuring active protection systems so they do not interfere with the ASV’s scan, as required by this document. See Section 5.6, “ASV Scan Interference.” o Coordinating with the ASV if the scan customer has load balancers in use. See “Account for Load Balancers” in Section 6.1.
Removed p. 11
• Providing sufficient documentation to the ASV to fully enable the ASV’s evaluation of any compensating controls implemented or maintained by the scan customer. See Section 7.8, “Addressing Vulnerabilities with Compensating Controls.”

• Reviewing the scan report and correcting any noted vulnerabilities that result in a non-compliant scan.

• Submitting the completed ASV scan report to the scan customer’s acquirer(s) and/or Participating Payment Brand(s), as directed by the Participating Payment Brands.
Modified p. 11
Arranging with the ASV to re-scan any non-compliant systems to verify that all “High” and “Medium” severity vulnerabilities have been resolved, to obtain a passing quarterly scan. See Table 2 of Section 6, “Vulnerability Severity Levels Based on the NVD and CVSS.”
Arranging with the ASV to re-scan any non-compliant systems to verify that all “High” and “Medium” severity vulnerabilities have been resolved, to obtain a passing quarterly scan. See Table 2 of Section 6, “Vulnerability Severity Levels Based on the NVD and CVSS.” • Submitting the completed ASV scan report to the scan customer’s acquirer(s) and/or Participating Payment Brand(s), as directed by the Participating Payment Brands.
Modified p. 11
Providing feedback on ASV performance in accordance with the ASV Feedback Form (available on the Website).
Providing feedback on ASV performance in accordance with the ASV Feedback Form (available on the Website).
Removed p. 12
• Reporting/remediation
Modified p. 12
Note: To be considered compliant with the external vulnerability scanning requirement of PCI DSS Requirement 11.2.2, the scan customer infrastructure must be tested and shown to be compliant, in accordance with this document and applicable ASV Program requirements. Compliance with this external vulnerability scanning requirement only represents compliance with PCI DSS Requirement 11.2.2, and does not represent or indicate compliance with any other PCI DSS requirement or component.
Note: To be considered compliant with the external vulnerability scanning requirement of PCI DSS Requirement 11.2.2, the scan customer infrastructure must be tested and shown to be compliant, in accordance with this document and applicable ASV Program requirements. Compliance with this external vulnerability scanning requirement only represents compliance with PCI DSS Requirement 11.2.2, and does not represent or indicate compliance with any other PCI DSS requirement.
Removed p. 14
• For internal scans, all “high risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
Modified p. 14
For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS. • For internal scans, all “high risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
Removed p. 16
• Domains for web servers

• Domains for mail servers

• Domains used in name-based virtual hosting

• Web server URLs to "hidden" directories that cannot be reached by crawling the website from the home page
Modified p. 16
Any other public-facing hosts, virtual hosts, domains or domain aliases The scan customer must define and attest to its scan scope prior to the ASV finalizing the scan report. The scan customer is ultimately responsible for defining the appropriate scope of the external vulnerability scan and must provide all Internet-facing components, IP addresses and/or ranges to the ASV. If an account data compromise occurs via an externally-facing system component not included in the scan scope, the scan customer is …
• Domains for web servers • Domains for mail servers • Domains used in name-based virtual hosting • Web server URLs to "hidden" directories that cannot be reached by crawling the website from the home page • Any other public-facing hosts, virtual hosts, domains or domain aliases The scan customer must define and attest to its scan scope prior to the ASV finalizing the scan report. The scan customer is ultimately responsible for defining the appropriate scope of the external …
Modified p. 16
Note: The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment (CDE). The CDE is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:
Note: The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment (CDE). The CDE is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.“System components” include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:
Modified p. 16
Any other component or device located within or connected to the CDE.
Any other component or device located within or connected to the CDE.
Modified p. 17
Provide physical segmentation between the system components that store, process, or transmit cardholder data and systems that do not.
Provide physical segmentation between the system components that store, process, or transmit cardholder data and systems that do not.
Modified p. 17
Employ appropriate logical segmentation where traffic is prohibited between the segment or network handling cardholder data and other networks or segments.
Employ appropriate logical segmentation where traffic is prohibited between the segment or network handling cardholder data and other networks or segments.
Modified p. 18
Include any IP address or domain previously provided to the ASV and still owned or used by the scan customer that has been removed at the request of the scan customer.
Include any IP address or domain previously provided to the ASV and still owned or used by the scan customer that has been removed at the request of the scan customer.
Modified p. 18
For each domain provided, look up the IP address of the domain to determine whether it was already provided by the scan customer.
For each domain provided, look up the IP address of the domain to determine whether it was already provided by the scan customer.
Modified p. 18
For each domain provided, perform DNS forward and reverse lookups of common host names – such as “www,” “mail,” etc.
For each domain provided, perform DNS forward and reverse lookups of common host names – such as “www,” “mail,” etc.
Modified p. 18
Identify any IP addresses found during MX record DNS lookup.
Identify any IP addresses found during MX record DNS lookup.
Modified p. 18
Identify any IP addresses outside of scope reached via web redirects from in-scope web servers (includes all forms of redirect including: JavaScript, Meta redirect and HTTP 30x codes).
Identify any IP addresses outside of scope reached via web redirects from in-scope web servers (includes all forms of redirect including: JavaScript, Meta redirect and HTTP 30x codes).
Modified p. 18
Match domains found during crawling to user-supplied domains to find undocumented domains belonging to the scan customer.
Match domains found during crawling to user-supplied domains to find undocumented domains belonging to the scan customer.
Modified p. 19
Intrusion detection systems (IDS) that log events, track context or have a multifaceted approach to detecting attacks, but action is limited to alerting (there is no intervention).
Intrusion detection systems (IDS) that log events, track context or have a multifaceted approach to detecting attacks, but action is limited to alerting (there is no intervention).
Modified p. 19
Web application firewalls (WAF) that detect and block SQL injections, but let non-attack traffic from the same source pass.
Web application firewalls (WAF) that detect and block SQL injections, but let non-attack traffic from the same source pass.
Modified p. 19
Intrusion prevention systems (IPS) that drop all occurrences of a certain attack, but let non-attack traffic from the same source pass.
Intrusion prevention systems (IPS) that drop all occurrences of a certain attack, but let non-attack traffic from the same source pass.
Modified p. 19
Firewalls that are configured to always block certain ports, but always keep other ports open.
Firewalls that are configured to always block certain ports, but always keep other ports open.
Modified p. 19
VPN servers that reject entities with invalid credentials but permit entities with valid credentials.
VPN servers that reject entities with invalid credentials but permit entities with valid credentials.
Modified p. 19
Antivirus software that blocks, quarantines, or deletes all known malware based on a database of defined “signatures” but permits all other perceived clean content.
Antivirus software that blocks, quarantines, or deletes all known malware based on a database of defined “signatures” but permits all other perceived clean content.
Modified p. 19
Logging/monitoring systems, event and log aggregators, reporting engines, etc.
Logging/monitoring systems, event and log aggregators, reporting engines, etc.
Removed p. 20
• Reapply the previous configurations as soon as the ASV scan is complete.
Modified p. 20
Agree on a time for the ASV scan window to minimize how long changed configurations are in place.
Agree on a time for the ASV scan window to minimize how long changed configurations are in place.
Modified p. 20
Conduct the ASV scan during a maintenance window under the scan customer’s standard change control processes, with full monitoring during the ASV scan.
Conduct the ASV scan during a maintenance window under the scan customer’s standard change control processes, with full monitoring during the ASV scan.
Modified p. 20
Configure the active protection systems to either: o Monitor and log, but not to act against, the originating IP address(es) of the ASV, or o Allow non-attack traffic to pass consistently (even if the non-attack traffic immediately follows attack traffic)
Configure the active protection systems to either: o Monitor and log, but not to act against, the originating IP address(es) of the ASV, or o Allow non-attack traffic to pass consistently (even if the non-attack traffic immediately follows attack traffic) • Reapply the previous configurations as soon as the ASV scan is complete.
Removed p. 21
• Perform Host Discovery The ASV scan solution must make a reasonable attempt to identify live systems, including live systems that do not respond to ICMP echo (“ping”) requests.
Modified p. 21
Be Non-disruptive The ASV scan solution must not be configured with disruptive testing methods enabled that would result in a system crash or reboot, or interfere with or change Domain Name System (DNS) servers, routing, switching, or address resolution. Software (such as root kits) must not be installed unless part of the scan solution and pre-approved by the scan customer.
Be Non-disruptive The ASV scan solution must not be configured with disruptive testing methods enabled that would result in a system crash or reboot, or interfere with or change Domain Name System (DNS) servers, routing, switching, or address resolution. Software (such as root kits) must not be installed unless part of the scan solution and pre-approved by the scan customer.
Modified p. 21
The following are examples of some of the tests that are not permitted: o Denial of service (DoS) o Buffer overflow exploit o Brute-force attack resulting in an account lockout or password reset o Excessive usage of available communication bandwidth
The following are examples of some of the tests that are not permitted: o Denial of service (DoS) o Buffer overflow exploit o Brute-force attack resulting in an account lockout or password reset o Excessive usage of available communication bandwidth • Perform Host Discovery The ASV scan solution must make a reasonable attempt to identify live systems, including live systems that do not respond to ICMP echo (“ping”) requests.
Removed p. 22
• Perform OS and Service Fingerprinting Fingerprinting can reduce the load on the scan customer environment by eliminating tests that are not relevant to the particular environment. Additionally, accurate operating system and service version identification can help scan customers understand their risks and prioritize remediation activities.
Modified p. 22
Have Platform Independence Customer platforms are diverse and each platform has strengths and weaknesses. The ASV scan solution must cover all commonly used platforms.
Have Platform Independence Customer platforms are diverse and each platform has strengths and weaknesses. The ASV scan solution must cover all commonly used platforms.
Modified p. 22
Be Accurate In addition to confirmed vulnerabilities, ASVs must report all occurrences of vulnerabilities that have a reasonable level of identification certainty. When the presence of a vulnerability cannot be determined with certainty, the potential vulnerability must be reported as such. Potential vulnerabilities must be scored the same as confirmed vulnerabilities and must have the same effects on compliance determination.
Be Accurate In addition to confirmed vulnerabilities, ASVs must report all occurrences of vulnerabilities that have a reasonable level of identification certainty. When the presence of a vulnerability cannot be determined with certainty, the potential vulnerability must be reported as such. Potential vulnerabilities must be scored the same as confirmed vulnerabilities and must have the same effects on compliance determination.
Modified p. 22
Account for Load Balancers If a scan customer has deployed load balancers, the scan may only see part of the configuration beyond the load balancer. In these cases, the following applies: o Localized Load Balancers: The ASV must obtain documented assurance from the scan customer that the infrastructure behind the load balancer(s) is synchronized in terms of configuration.
Account for Load Balancers If a scan customer has deployed load balancers, the scan may only see part of the configuration beyond the load balancer. In these cases, the following applies: o Localized Load Balancers: The ASV must obtain documented assurance from the scan customer that the infrastructure behind the load balancer(s) is synchronized in terms of configuration.
Modified p. 22
If the scan customer is unable to validate a synchronized environment behind their load balancers, the ASV must disclose the inconsistency with the following Special Note1 on the scan report:
If the scan customer is unable to validate a synchronized environment behind their load balancers, the ASV must disclose the inconsistency with the following Special Note to Scan Customer1 on the scan report:
Modified p. 22
Note to customer: As you were unable to validate that the configuration of the environment behind your load balancers is synchronized, it is your responsibility to ensure that the environment is scanned as part of the internal vulnerability scans required by the PCI DSS. o External Load Balancing Services: The ASV must take into account the use of load balancing services external to the scan customer’s environment that direct traffic globally or regionally based upon source IP address location. Depending …
Special Note to Scan Customer: As you were unable to validate that the configuration of the environment behind your load balancers is synchronized, it is your responsibility to ensure that the environment is scanned as part of the internal vulnerability scans required by PCI DSS. o External Load Balancing Services: The ASV must take into account the use of load balancing services external to the scan customer’s environment that direct traffic globally or regionally based upon source IP address location. …
Modified p. 24
Note to scan customer: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Consult your ASV if you have questions about this Special Note.
Special Note to Scan Customer: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Consult your ASV if you have questions about this Special Note.
Modified p. 25
Detect the presence of built-in or default accounts and passwords, not by using brute-force or dictionary attacks, but rather by concentrating on known built-in or default accounts using default passwords, for example as published by software vendors or vulnerability reference sources. Any such vulnerability must be marked as an automatic failure by the ASV.
Detect the presence of built-in or default accounts and passwords, not by using brute-force or dictionary attacks, but rather by concentrating on known built-in or default accounts using default passwords, for example as published by software vendors or vulnerability reference sources. Any such vulnerability must be marked as an automatic failure by the ASV.
Modified p. 25
Report on services that are available without authentication, for example services that require a username but do not require a password.
Report on services that are available without authentication, for example services that require a username but do not require a password.
Modified p. 26
Unvalidated parameters that lead to SQL injection attacks (which must be marked as an automatic failure) Cross-site scripting (XSS) flaws (which must be marked as an automatic failure) Directory traversal vulnerabilities (which must be marked as an automatic failure) HTTP response splitting/header injection (which must be marked as an automatic failure) Information leakage, including:
Unvalidated parameters that lead to SQL injection attacks (which must be marked as an automatic failure) Cross-site scripting (XSS) flaws (which must be marked as an automatic failure) Directory traversal vulnerabilities (which must be marked as an automatic failure) HTTP response splitting/header injection (which must be marked as an automatic failure) Information leakage, including:
Modified p. 28
Per PCI DSS, strong cryptography and security protocols must be deployed; see the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms (available on the Website) for additional details on “Strong Cryptography.” Also refer to industry best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 rev 1 and SP 800-57, OWASP, etc.).
Per PCI DSS, strong cryptography and security protocols must be deployed; see PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms (available on the Website) for additional details on “Strong Cryptography.” Also refer to industry best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 rev 1 and SP 800-57, OWASP, etc.).
Modified p. 28
The ASV scan solution must: • Detect the presence and versions of cryptographic protocols on a component or service • Detect the encryption algorithms and encryption key strengths used in all cryptographic protocols for each component or service • Detect the signature-signing algorithms used for all server certificates • Detect and report on certificate validity, authenticity and expiration date • Detect and report on whether the certificate Common Name or wildcard matches the server hostname. Note: When scanning systems by IP …
The ASV scan solution must detect the following and report any PCI DSS compliance-affecting vulnerabilities: • The presence and versions of cryptographic protocols on a component or service • The encryption algorithms and encryption key strengths used in all cryptographic protocols for each component or service • The signature-signing algorithms used for all server certificates • Certificate validity, authenticity and expiration date • Whether the certificate Common Name or wildcard matches the server hostname. Note: When scanning systems by …
Modified p. 29
Note to scan customer: Due to increased risk of “man in the middle” attacks when anonymous (non-authenticated) key-agreement protocols are used, 1) justify the business need for this protocol or service to the ASV, or 2) confirm it is disabled/removed. Consult your ASV if you have questions about this Special Note.
Special Note to Scan Customer: Due to increased risk of “man in the middle” attacks when anonymous (non-authenticated) key-agreement protocols are used, 1) justify the business need for this protocol or service to the ASV, or 2) confirm it is disabled/removed. Consult your ASV if you have questions about this Special Note.
Modified p. 29
Note to scan customer: Due to increased risk to the cardholder data environment when remote access software is present, 1) justify the business need for this software to the ASV and confirm it is implemented securely, or 2) confirm it is disabled/removed. Consult your ASV if you have questions about this Special Note.
Special Note to Scan Customer: Due to increased risk to the cardholder data environment when remote access software is present, 1) justify the business need for this software to the ASV and confirm it is implemented securely, or 2) confirm it is disabled/removed. Consult your ASV if you have questions about this Special Note.
Modified p. 30
Note to scan customer: Due to increased risk to the cardholder data environment when a point-of-sale system is visible on the Internet, 1) confirm that this system needs to be visible on the Internet, that the system is implemented securely, and that original default passwords have been changed to complex passwords, or 2) confirm that the system has been reconfigured and is no longer visible to the Internet. Consult your ASV if you have questions about this Special Note.
Special Note to Scan Customer: Due to increased risk to the cardholder data environment when a point-of-sale system is visible on the Internet, 1) confirm that this system needs to be visible on the Internet, that the system is implemented securely, and that original default passwords have been changed to complex passwords, or 2) confirm that the system has been reconfigured and is no longer visible to the Internet. Consult your ASV if you have questions about this Special Note.
Modified p. 30
Note to scan customer: Due to increased risk to the cardholder data environment when embedded links redirect traffic to domains outside the merchant’s CDE scope, 1) confirm that this code is obtained from a trusted source, that the embedded links redirect to a trusted source, and that the code is implemented securely, or 2) confirm that the code has been removed. Consult your ASV if you have questions about this Special Note.
Special Note to Scan Customer: Due to increased risk to the cardholder data environment when embedded links redirect traffic to domains outside the merchant’s CDE scope, 1) confirm that this code is obtained from a trusted source, that the embedded links redirect to a trusted source, and that the code is implemented securely, or 2) confirm that the code has been removed. Consult your ASV if you have questions about this Special Note.
Modified p. 30
Note to scan customer: Insecure services and industry-deprecated protocols can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, 1) justify the business need for this service and confirm additional controls are in place to secure use of the service, or 2) confirm that it is disabled. Consult your ASV if you have questions about this Special Note.
Special Note to Scan Customer: Insecure services and industry-deprecated protocols can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, 1) justify the business need for this service and confirm additional controls are in place to secure use of the service, or 2) confirm that it is disabled. Consult your ASV if you have questions about this Special Note.
Modified p. 31
Note to scan customer: Unidentified services have been detected. Due to increased risk to the cardholder data environment, identify the service, then either 1) justify the business need for this service and confirm it is securely implemented, or 2) identify the service and confirm that it is disabled. Consult your ASV if you have questions about this Special Note.
Special Note to Scan Customer: Unidentified services have been detected. Due to increased risk to the cardholder data environment, identify the service, then either 1) justify the business need for this service and confirm it is securely implemented, or 2) identify the service and confirm that it is disabled. Consult your ASV if you have questions about this Special Note.
Modified p. 32
CVSS Score Result Guidance 7.0 through High Severity Fail To achieve a passing ASV scan, these vulnerabilities must be corrected and the affected systems must be re-scanned after the corrections (with a report(s) that shows a passing ASV scan).
CVSS Score Result Guidance 7.0 through 10.0 High Severity Fail To achieve a passing ASV scan, these vulnerabilities must be corrected and the affected systems must be re-scanned after the corrections (with a report(s) that shows a passing ASV scan).
Modified p. 33
In this case, the ASV must provide its own risk score using the CVSS Calculator and include, where possible, references to other external sources of information about the vulnerability.
1. The vulnerability is not included in the NVD. In this case, the ASV must provide its own risk score using the CVSS Calculator and include, where possible, references to other external sources of information about the vulnerability.
Modified p. 33
3. The vulnerability is purely a denial-of-service (DoS) vulnerability.
3. The vulnerability is purely a denial-of-service (DoS) vulnerability. In the case of DoS vulnerabilities (e.g., where the vulnerability has both a CVSS Confidentiality Impact of “None” and a CVSS Integrity Impact of “None”), the vulnerability must not be ranked as a failure.
Modified p. 33
In the case of DoS vulnerabilities (e.g., where the vulnerability has both a CVSS Confidentiality Impact of “None” and a CVSS Integrity Impact of “None”), the vulnerability must not be ranked as a failure. 4. The vulnerability violates PCI DSS and may be a higher risk than noted in NVD. In this case, the ASV must score the presence of certain types of vulnerabilities as automatic failures due to the risk of the vulnerability and the possibility to exploit the …
4. The vulnerability violates PCI DSS and may be a higher risk than noted in NVD. In this case, the ASV must score the presence of certain types of vulnerabilities as automatic failures due to the risk of the vulnerability and the possibility to exploit the cardholder data environment. See Table 1: Required Components for PCI DSS Vulnerability Scanning for examples of vulnerabilities that are considered violations of PCI DSS and must therefore be scored as automatic failures.
Removed p. 34
• Page orientation of the report (landscape or portrait)

• Addition of the ASV’s logo

• Addition of ASV-specific clauses as long as the added language does not contradict or replace other Appendix A or B language or language within the ASV Program Guide

• Font style, sizes, and colors, and page spacing
Modified p. 34
All of the data elements and supporting text will exactly match that provided in the templates; The required information will be presented in an order that exactly matches the provided templates; The presentation of information is similar to that which is provided in the templates; and All variables (for example, "Customer Name" or "Date”) and all fields and check boxes will be completed by the ASV.
All of the data elements and supporting text will exactly match that provided in the templates; The required information will be presented in an order that exactly matches the provided templates; The presentation of information is similar to that which is provided in the templates; and All variables (for example, "Customer Name" or "Date”) and all fields and check boxes will be completed by the ASV.
Removed p. 36
• The scan customer’s declared business need for the software.

• The scan customer’s declaration that the software is implemented with strong security controls, as well as the details that comprise those controls.

• Actions taken by the scan customer

•including removal

•to secure the software, as well as the details that comprise those controls.
Modified p. 36
Note: The ASV must ensure that an applicable and relevant scan customer declaration is provided for each Special Note before issuing a passing scan report. The ASV must declare a report as FAILED until all applicable scan customer declarations have been obtained and reviewed by the ASV.
Note: The ASV must ensure that an applicable and relevant scan customer declaration is provided for each Special Note to Scan Customers before issuing a passing scan report. The ASV must declare a report as FAILED until all applicable scan customer declarations have been obtained and reviewed by the ASV.
Modified p. 36
The use of a Special Note does not result in an automatic failure on the scan report, nor does it override any CVSS scoring.
The use of a Special Note to Scan Customers does not result in an automatic failure on the scan report, nor does it override any CVSS scoring.
Modified p. 36 → 37
Scan customer has implemented network segmentation if any components are excluded from PCI DSS scope.
Scan customer has implemented network segmentation if any components are excluded from PCI DSS scope.
Removed p. 37
• A failing scan for which the scan customer disputes the results

• A failing scan that the scan customer does not dispute

• A failing scan due to scan interference
Modified p. 37
Scan customer has provided accurate and complete evidence to support any disputes over scan results.
Scan customer has provided accurate and complete evidence to support any disputes over scan results.
Modified p. 37
Acknowledgement that ASV scan results only indicate whether scanned systems are compliant with the external quarterly vulnerability scan requirement (PCI DSS 11.2.2) and are not an indication of overall compliance with any other PCI DSS requirements.
Acknowledgement that ASV scan results only indicate whether scanned systems are compliant with the external quarterly vulnerability scan requirement (PCI DSS 11.2.2) and are not an indication of overall compliance with any other PCI DSS requirements.
Modified p. 37
The ASV Program Guide and other supplemental guidance from PCI SSC was followed for this scan.
The ASV Program Guide and other supplemental guidance from PCI SSC was followed for this scan.
Modified p. 37
ASV’s practices for this scan included a Quality Assurance process that:
ASV’s practices for this scan included a Quality Assurance process that:
Modified p. 37
• Scan customers submit passing scan reports according to Section 7.9, “Compliance Reporting.”
• Scan customers submit passing scan reports according to Section 7.9, “Compliance Reporting.” • A failing scan for which the scan customer disputes the results
Modified p. 37
• The scan customer and ASV resolve any scan disputes or exceptions according to Section 7.7, “Managing False Positives and Other Disputes.”
• The scan customer and ASV resolve any scan disputes or exceptions according to Section 7.7, “Managing False Positives and Other Disputes.” • A failing scan that the scan customer does not dispute
Modified p. 37
• The scan customer resolves failing vulnerabilities according to Section 7.5, “Resolving Failing Scans.”
• The scan customer resolves failing vulnerabilities according to Section 7.5, “Resolving Failing Scans.” • A failing scan due to scan interference
Modified p. 37 → 38
Scan customer corrects noted failing vulnerabilities.
Scan customer corrects noted failing vulnerabilities.
Modified p. 38
Scan customer contacts ASV to initiate another scan.
Scan customer contacts ASV to initiate another scan.
Removed p. 39
• Attest within the ASV scan solution that the evidence is accurate and complete.
Modified p. 39
Vulnerabilities that are incorrectly reported (false positives) Vulnerabilities that have a disputed CVSS Base score Vulnerabilities for which a compensating control is in place (See Section 7.8, “Addressing Vulnerabilities with Compensating Controls”) Exceptions in the scan report Conclusions of the scan report List of components designated by scan customer as segmented from the CDE Inconclusive ASV scans or ASV scans that cannot be completed due to scan interference
Vulnerabilities that are incorrectly reported (false positives) Vulnerabilities that have a disputed CVSS Base score Vulnerabilities for which a compensating control is in place (See Section 7.8, “Addressing Vulnerabilities with Compensating Controls”) Exceptions in the scan report Conclusions of the scan report List of components designated by scan customer as segmented from the CDE Inconclusive ASV scans or ASV scans that cannot be completed due to scan interference
Modified p. 39
The ASV must have a written procedure in place for handling disputes, and the scan customer must be clearly informed on how to report a dispute to the ASV, including how to appeal the findings of the dispute investigation with the ASV. The ASV must explicitly inform the scan customer that disputes in scan results are NOT to be submitted to the PCI SSC.
The ASV must have a written procedure in place for handling disputes, and the scan customer must be clearly informed on how to report a dispute to the ASV, including how to appeal the findings of the dispute investigation with the ASV. The ASV must explicitly inform the scan customer that disputes in scan results are NOT to be submitted to PCI SSC.
Modified p. 39
The ASV is REQUIRED to investigate false positives with a CVSS Base score at or above 4.0 (failing score).
The ASV is REQUIRED to investigate false positives with a CVSS Base score at or above 4.0 (failing score).
Modified p. 39
The ASV is ENCOURAGED to investigate false positives with a CVSS Base score at or below 3.9 (passing score).
The ASV is ENCOURAGED to investigate false positives with a CVSS Base score at or below 3.9 (passing score).
Modified p. 39
The ASV is REQUIRED to investigate inconclusive scans disputed by the scan customer.
The ASV is REQUIRED to investigate inconclusive scans disputed by the scan customer.
Modified p. 39
Provide written supporting evidence for disputed findings. Scan customers should submit system-generated evidence such as screen captures, configuration files, system versions, file versions, list of installed patches, etc. Such system-generated evidence must be accompanied by a description of when, where and how they were obtained (chain of evidence)
Provide written supporting evidence for disputed findings. Scan customers should submit system-generated evidence such as screen captures, configuration files, system versions, file versions, list of installed patches, etc. Such system-generated evidence must be accompanied by a description of when, where and how they were obtained (chain of evidence) • Attest within the ASV scan solution that the evidence is accurate and complete.
Modified p. 40
Document the ASV’s conclusion and either clearly describe, reference or include the supporting evidence in the report under “Exceptions, False Positives, or Compensating Controls” as noted in Appendix B: ASV Scan Report Summary.
Document the ASV’s conclusion and either clearly describe, reference or include the supporting evidence in the report under “Exceptions, False Positives, or Compensating Controls” as noted in Appendix B: ASV Scan Report Summary.
Modified p. 40
Not remove disputes from a scan report.
Not remove disputes from a scan report.
Modified p. 40
Not allow the scan customer to edit the scan report.
Not allow the scan customer to edit the scan report.
Modified p. 40
Not carry dispute findings forward from one quarterly scan to the next by the ASV. Dispute evidence must be verified and resubmitted by the scan customer, and evaluated again by the ASV, for each quarterly scan.
Not carry dispute findings forward from one quarterly scan to the next by the ASV. Dispute evidence must be verified and resubmitted by the scan customer, and evaluated again by the ASV, for each quarterly scan.
Modified p. 40
Allow evaluation of disputes only by ASV Employees who have been qualified by PCI SSC per Section 3.2, "ASV Employee
Allow evaluation of disputes only by ASV Employees who have been qualified by PCI SSC per Section 3.2, "ASV Employee – Skills and Experience" in the document Qualification Requirements for Approved Scanning Vendors (ASVs).
Modified p. 40
Include the name of the ASV Employee who handled each exception within the scan report.
Include the name of the ASV Employee who handled each exception within the scan report.
Modified p. 40
The ASV must assess the relevance and applicability of the compensating controls to meet the risk presented by the vulnerability.
The ASV must assess the relevance and applicability of the compensating controls to meet the risk presented by the vulnerability.
Modified p. 40
The ASV’s conclusion must be documented in the scan report under “Exceptions, False Positives, or Compensating Controls” as noted in Appendix B: ASV Scan Report Summary.
The ASV’s conclusion must be documented in the scan report under “Exceptions, False Positives, or Compensating Controls” as noted in Appendix B: ASV Scan Report Summary.
Modified p. 40
The scan customer must not be permitted to edit the scan report.
The scan customer must not be permitted to edit the scan report.
Modified p. 40
The ASV scan must not reduce the search space of any scan by discarding vulnerabilities resolved by compensating controls.
The ASV scan must not reduce the search space of any scan by discarding vulnerabilities resolved by compensating controls.
Modified p. 41
The QA process may be performed automatically or manually. Automatic QA processes must include random sampling of reports for manual review on a regular basis.
The QA process may be performed automatically or manually. Automatic QA processes must include random sampling of reports for manual review on a regular basis.
Modified p. 41
The QA process must detect potential connectivity issues between the scan solution and the target network, including those resulting from link failure or active security measures such as those implemented in active protection systems.
The QA process must detect potential connectivity issues between the scan solution and the target network, including those resulting from link failure or active security measures such as those implemented in active protection systems.
Modified p. 41
The QA process must perform basic sanity tests to detect obvious inconsistencies in findings.
The QA process must perform basic sanity tests to detect obvious inconsistencies in findings.
Modified p. 41
Intentionally deciding not to scan relevant components.
Intentionally deciding not to scan relevant components.
Modified p. 41
Operating a different scan solution or methodology than what was validated during the ASV lab scan test.
Operating a different scan solution or methodology than what was validated during the ASV lab scan test.
Modified p. 41
Failure to maintain (and provide evidence to PCI SSC) specified insurance requirements.
Failure to maintain (and provide evidence to PCI SSC) specified insurance requirements.
Modified p. 41
Unqualified professionals operating the ASV scan solution and/or reviewing results.
Unqualified professionals operating the ASV scan solution and/or reviewing results.
Modified p. 41
Failure to successfully complete annual validation against the ASV Validation Labs Test Bed.
Failure to successfully complete annual validation against the ASV Validation Labs Test Bed.
Modified p. 42
Removing components or applications from scope that may impact cardholder data.
Removing components or applications from scope that may impact cardholder data.
Modified p. 42
Independent forensic investigations performed by reputable, qualified experts conclusively demonstrating that cardholder data was compromised, the breach occurred on systems or by system components evaluated by the ASV, and the breach occurred as a direct result of the ASV’s failure to properly scan or report the systems or system components.
Independent forensic investigations performed by reputable, qualified experts conclusively demonstrating that cardholder data was compromised, the breach occurred on systems or by system components evaluated by the ASV, and the breach occurred as a direct result of the ASV’s failure to properly scan or report the systems or system components.
Modified p. 45
(ASV name) attests that the PCI DSS scan process was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, 3) compensating controls (if applicable), and 4) active scan interference. This report and any exceptions were reviewed by (ASV reviewer name).
(ASV name) attests that PCI DSS scan process was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, 3) compensating controls (if applicable), and 4) active scan interference. This report and any exceptions were reviewed by (ASV reviewer name).
Removed p. 47
Component Vulnerabilities Noted per Component 5 CVSS Score 7 Compliance Status Exceptions, False Positives, or Compensating Controls 8 (Noted by the ASV for this vulnerability) Pass Fail Consolidated Solution/Correction Plan for above Component:

Part 3b. Special Notes by Component 4 Component Special Note 9 Item Noted 10 Scan customer’s description of action taken and declaration that software is either implemented securely or removed Part 3c. Special Notes

• Full Text Part 4a. Scan Scope Submitted by Scan Customer for Discovery IP Addresses/ranges/subnets, domains, URLs, etc.
Modified p. 50 → 49
Part 1. Scan Information Scan Customer Company: ABC Industries ASV Company: AwesomeScan Date scan was completed: 1 March, 2018 Scan expiration date: 30 May, 2018 Part 2. Component 4 Compliance Summary Component: w.x.y.116 Pass Fail Component: w.x.y.117, www. company1.com Pass Fail Component: w.x.y.118, www.company1.net Pass Fail Component: w.x.y.119, vpn.company1.com Pass Fail Component: w.x.y.119, remote.company1.com Pass Fail Component: w.x.y.120, mail.company1.com Pass Fail Part 3a. Vulnerabilities Noted for each Component 4 ASV may choose to omit vulnerabilities that do not impact compliance …
Part 1. Scan Information Scan Customer Company: ABC Industries ASV Company: AwesomeScan Date scan was completed: 1 March, 2022 Scan expiration date: 30 May, 2022 Part 2. Component 4 Compliance Summary Component: w.x.y.116 Pass Fail Component: w.x.y.117, www. company1.com Pass Fail Component: w.x.y.118, www.company1.net Pass Fail Component: w.x.y.119, vpn.company1.com Pass Fail Component: w.x.y.119, remote.company1.com Pass Fail Component: w.x.y.120, mail.company1.com Pass Fail Part 3a. Vulnerabilities Noted for each Component 4 ASV may choose to omit vulnerabilities that do not impact compliance …
Modified p. 51 → 50
Part 3b. Special Notes by Component Component Special Note 9 Item Noted 10 Scan customer’s description of action taken and declaration that software is either implemented securely or removed w.x.y.116 HTTP directory listing Web Server All HTTP directory listing capabilities have been disabled per vendor support documentation. w.x.y.119 VPN detected Remote Access Software The VPN service is essential for conducting business and used to connect remote offices. The VPN service is securely implemented per vendor documentation and uses strong cryptography …
Part 3b. Special Notes by Component Component Special Note to Scan Customer 9 Item Noted Scan customer’s description of action taken and declaration that software is either implemented securely or removed w.x.y.116 HTTP directory listing Web Server All HTTP directory listing capabilities have been disabled per vendor support documentation. w.x.y.119 VPN detected Remote Access Software The VPN service is essential for conducting business and used to connect remote offices. The VPN service is securely implemented per vendor documentation and uses …
Modified p. 51 → 50
Part 3c. Special Notes

• Full Text HTTP directory Listing Note to scan customer: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Please consult your ASV if you have questions about this Special Note.
Part 3c. Special Notes

• Full Text 10 HTTP directory Listing Note to scan customer: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Please consult your ASV if you have questions about this Special Note.