Document Comparison
ASV-Program-Guide-v4.0-r1.pdf → ASV-Program-Guide-v4.0r2.pdf
91% similar
Pages: 54 → 55
Words: 20360 → 20759
Content changes: 10
From Revision History
December 2022 © 2006–2022 PCI Security Standards Council, LLC. All Rights Reserved.
Content Changes
10 content changes. 46 administrative changes (dates, page numbers) hidden.
Added
p. 33
Malicious individuals exploit vulnerabilities in these servers and their scripts to gain access to applications and internal databases that potentially store, process, or manage access to account data.
Permitting directory browsing on a web server increases security risk; for example, it may expose file system contents or provide unintended access to sensitive data.
Because these servers are accessible from the public Internet, scanning for vulnerabilities is essential.
The ASV scan solution must be able to test for all known vulnerabilities and configuration issues on web servers.
The ASV scan solution must also be able to scan the website and verify that directory browsing is not possible on the server.
Positive identification of directory browsing must be reported and disclosed with the following Special Note to Scan Customer:
Special Note to Scan Customer: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, 1) …
Added
p. 34
• If the NVD entry for a specific CVE identifier includes a CVSSv3.1 score, the ASV must include the published CVSSv3.1 score in the report.
• If the NVD entry for the CVE identifier does not include a CVSSv3.1 score, the ASV must include the published CVSSv3.0 score in the report.
• If the NVD entry for the CVE identifier does not include either a CVSSv3.1 or CVSSv3.0 score, then the ASV must include the published CVSSv2.0 score in the report.
• Finally, if the NVD entry for the CVE identifier does not include any CVSS score (or there is no NVD entry for the CVE identifier), then the ASV must calculate a base score using CVSSv3.1.
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Approved Scanning Vendors Program Guide Version 4.0 Revision 1
Payment Card Industry (PCI) Data Security Standard Approved Scanning Vendors Program Guide Version 4.0 Revision 2
Modified
p. 2 → 3
Added new scan component: Payment page scripts that are loaded and executed in the consumer’s browser (see Table 1).
Clarified the use of the Special Note to Scan Customer in Table 1, section 7.2, and Appendix B Part 3b
Fixed footnote in Appendix B
• moved Part 3b’s footnote 9 from “Item Noted” column to “Special Note to Scan Customer” column
Added new scan component: Payment page scripts that are loaded and executed in the consumer’s browser (see Table 1).
Clarified the use of the Special Note to Scan Customer in Table 1, section 7.2, and Appendix B Part 3b
Fixed footnote in Appendix B
• moved Part 3b’s footnote 9 from “Item Noted” column to “Special Note to Scan Customer” column
Modified
p. 33 → 34
1. The Common Vulnerability Scoring System (CVSS) version 2.0, which provides a common framework for communicating the characteristics and impact of IT vulnerabilities. The CVSS scoring algorithm utilizes a Base Metric Group, which describes both the complexity and impact of a vulnerability to produce a Base Score, which ranges between 0 and 10. The CVSS Base Score must, where available, be used by ASVs in computing PCI DSS compliance scoring.
1. The Common Vulnerability Scoring System (CVSS) provides a common framework for communicating the characteristics and impact of IT vulnerabilities. The CVSS scoring algorithm utilizes a Base Metric Group, which describes both the complexity and impact of a vulnerability to produce a Base Score, which ranges between 0 and 10.
Modified
p. 33 → 34
2. The National Vulnerability Database (NVD), which is maintained by the National Institute of Standards and Technology (NIST). The NVD contains details of known vulnerabilities based on the Common Vulnerabilities and Exposures (CVE) dictionary. The NVD has adopted the CVSS and publishes CVSS Base Scores for each vulnerability. ASVs should use the CVSS scores whenever they are available.
2. The National Vulnerability Database (NVD) is maintained by the National Institute of Standards and Technology (NIST). The NVD contains details of known vulnerabilities based on the Common Vulnerabilities and Exposures (CVE) dictionary. The NVD has adopted the CVSS and publishes CVSS Base Scores for each vulnerability.
Modified
p. 35 → 36
Note: When re-ranking a vulnerability’s risk assignment, ASVs are encouraged to utilize industry-recognized resources (such as the CVSS v3.0 Calculator), rather than arbitrarily or subjectively assigning numbers to vulnerabilities.
Note: When re-ranking a vulnerability’s risk assignment, ASVs are encouraged to utilize industry-recognized resources (such as the CVSS Calculator), rather than arbitrarily or subjectively assigning numbers to vulnerabilities.
Modified
p. 37 → 38
Vulnerability Details generation and submission
  o The ASV Scan Vulnerability Details must be submitted with the Attestation of Scan Compliance cover sheet, and can optionally be submitted with the ASV Scan Report Summary at acquirer’s or Participating Payment Brand’s discretion.
Vulnerability Details generation and submission
  o The ASV Scan Vulnerability Details must be submitted with the Attestation of Scan Compliance cover sheet and can optionally be submitted with the ASV Scan Report Summary at acquirer’s or Participating Payment Brand’s discretion.
Modified
p. 52 → 53
Part 3b. Special Notes by Component
Component | Special Note to Scan Customer (footnote 9) | Item Noted | Scan customer’s description of action taken and declaration that software is either implemented securely or removed
w.x.y.116 | Web Servers | HTTP directory browsing (Web application: port 80/tcp) | All HTTP directory listing capabilities have been disabled per vendor support documentation.
w.x.y.119 | Remote Access | VPN detected (OpenVPN: port 500/udp) | The VPN service is essential for conducting business and used to connect remote offices. The VPN service is securely …
Part 3b. Special Notes to Scan Customer by Component (footnote 4)
Component | Special Note to Scan Customer (footnote 9) | Item Noted | Per section 7.2 of the ASV Program Guide, scan customer’s description of action taken and declaration that software is either needed for business and implemented securely or removed
w.x.y.116 | Web Servers | HTTP directory browsing (Web application: port 80/tcp) | All HTTP directory listing capabilities have been disabled per vendor support documentation.
w.x.y.119 | Remote Access | VPN detected (OpenVPN: port 500/udp) | The VPN service …
Modified
p. 53 → 54
IP Range: w.x.y.116 – w.x.y.128
Domain: company1.com
Domain: company1.net
URL: www.company1.com/payment
Part 4b. Scan Customer Designated “In-Scope” Components (Scanned)
IP Addresses/ranges/subnets, domains, URLs, etc.
w.x.y.117, www.company1.com
w.x.y.118, www.company1.net
w.x.y.119, vpn.company1.com, remote.company1.com
w.x.y.120, mail.company1.com
Part 4c. Scan Customer Designated “Out-of-Scope” Components (Not Scanned)
Requires description for each IP Address/range/subnet, domain, URL
w.x.y.121, artwork.company1.com
• Scan customer attests to implementing segmentation via separate physical layer 2 switch with no connectivity to CDE.
w.x.y.122 (not active)
• Scan customer attests that this IP address is …
IP Range: w.x.y.116 – w.x.y.128
Domain: company1.com
Domain: company1.net
URL: www.company1.com/payment
Part 4b. Scan Customer Designated “In-Scope” Components (Scanned)
IP Addresses/ranges/subnets, domains, URLs, etc.
w.x.y.117, www.company1.com
w.x.y.118, www.company1.net
w.x.y.119, vpn.company1.com, remote.company1.com
w.x.y.120, mail.company1.com
Part 4c. Scan Customer Designated “Out-of-Scope” Components (Not Scanned)
Requires description for each IP Address/range/subnet, domain, URL
w.x.y.121, artwork.company1.com
• Scan customer attests to implementing segmentation via separate physical layer 2 switch with no connectivity to CDE.
w.x.y.122 (not active)
• Scan customer attests that this IP address is …