Document Comparison
ASV-Program-Guide-v3.2r1.pdf
→
ASV-Program-Guide-v4.0-r1.pdf
74% similar
Pages: 53 → 54
Words: 20238 → 20360
Content changes: 95
Content Changes
95 content changes. 54 administrative changes (dates, page numbers) hidden.
Added
p. 2
Added new scan component: Payment page scripts that are loaded and executed in the consumer’s browser (see Table 1).
Clarified the use of the Special Note to Scan Customer in Table 1, section 7.2, and Appendix B Part 3b.
Fixed footnote in Appendix B:
• moved Part 3b’s footnote 9 from “Item Noted” column to “Special Note to Scan Customer” column
September 2022, 4.0 r1: Updates to Table 1: Table header updated, alphabetized the list by Scan Component, and updated Scan Component “Payment page scripts that are loaded and executed in the consumer’s browser” to clarify ASVs must report a special note to the scan customer if such scripts are detected.
Added
p. 6
CDE Acronym for “Cardholder Data Environment.” Defined in Payment Card Industry Data Security Standard Requirements and Testing Procedures, Appendix G: PCI DSS Glossary of Terms, Abbreviations, and Acronyms.
Network security controls (NSC) Network security controls include firewalls, routers, and other network security technologies that act as network policy enforcement points and typically control network traffic between two or more logical or physical network segments (or subnets) based on pre-defined policies or rules.
Added
p. 13
• At least once every three months.
• By a PCI SSC Approved Scanning Vendor (ASV).
• Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.
• Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.
11.3.2.b Examine the ASV scan report results from each scan and rescan run in the last 12 months to verify that vulnerabilities are resolved and the ASV Program Guide requirements for a passing scan are met.
Added
p. 16
Note: The PCI DSS security requirements apply to:
1. The cardholder data environment (CDE), which is comprised of:
• System components, people, and processes that store, process, and transmit cardholder data or sensitive authentication data, and,
• System components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.
2. System components, people, and processes that could impact the security of the CDE.
“System components” include network devices, servers, computing devices, virtual components, and software. Examples of system components include but are not limited to:
• Systems that store, process, or transmit account data (for example, payment terminals, authorization systems, clearing systems, payment middleware systems, payment back-office systems, shopping cart and store front systems, payment gateway/switch systems, fraud monitoring systems).
• Systems that provide security services (for example, authentication servers, access control servers, security information and event management (SIEM) systems, physical security systems (for example, badge …
Added
p. 17
See the section titled “Segmentation” in the PCI DSS Requirements and Testing Procedures for more details.
Added
p. 23
In addition to reporting any identified anonymous/non-authenticated cipher suites in the cardholder data environment, the ASV scan solution must note the presence of such services with the following Special Note to Scan Customer:
Special Note to Scan Customer: Due to increased risk of “man in the middle” attacks when anonymous (non-authenticated) key-agreement protocols are used, 1) justify the business need for this protocol or service to the ASV, or 2) confirm it is disabled/removed. Consult your ASV if you have questions about this Special Note.
Malicious individuals exploit vulnerabilities in these servers and scripts to gain access to applications or internal databases that potentially store, process or manage access to account data.
The ASV scan solution must be able to detect and report all known, remotely-detectable backdoor applications. The presence of any such malware, including rootkits, backdoors, and Trojan horse programs must be marked as an automatic failure by the ASV.
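The Special Note above is triggered by what the scan solution observes on the wire, so here is an added example (not from the Program Guide or any ASV's product) of the two pieces an ASV scanner needs for it: a classifier that recognises anonymous key-agreement suites in the names scanners report (IANA TLS_DH_anon_* / TLS_ECDH_anon_* and OpenSSL ADH-* / AECDH-*), and a live probe that offers the server only anonymous suites to confirm it will complete such a handshake. The host name shop.example and the list of offered suites are constructed; probe_anonymous_tls() needs network access and is not exercised here.

```python
"""Flag anonymous (non-authenticated) TLS key agreement the way an ASV scan
solution has to, and attach the Program Guide's Special Note.

Added example, not from the ASV Program Guide or any ASV's scan solution.
Offline part: classify cipher-suite names a scanner enumerated.
Live part: probe_anonymous_tls() talks to a real host and is not run here.
"""
import re
import socket
import ssl
from dataclasses import dataclass, field

# IANA names put "anon" in the key-exchange part (TLS_DH_anon_*, TLS_ECDH_anon_*);
# OpenSSL spells the same suites ADH-* and AECDH-*. Scanners emit either form.
_ANON_IANA = re.compile(r"^TLS_(DH|ECDH)_anon_", re.IGNORECASE)
_ANON_OPENSSL = re.compile(r"^(ADH|AECDH)-", re.IGNORECASE)

SPECIAL_NOTE = (
    "Special Note to Scan Customer: Due to increased risk of \u201cman in the "
    "middle\u201d attacks when anonymous (non-authenticated) key-agreement "
    "protocols are used, 1) justify the business need for this protocol or "
    "service to the ASV, or 2) confirm it is disabled/removed. Consult your ASV "
    "if you have questions about this Special Note."
)


def is_anonymous_suite(name: str) -> bool:
    """True for suites whose key exchange authenticates neither side.
    Certificate-based and PSK suites are authenticated and return False."""
    return bool(_ANON_IANA.match(name) or _ANON_OPENSSL.match(name))


@dataclass
class Finding:
    host: str
    port: int
    anonymous_suites: list = field(default_factory=list)
    special_note: str = ""  # empty when nothing anonymous was offered


def assess_service(host: str, port: int, offered_suites) -> Finding:
    """Build the report entry for one TLS service from the suites it offered."""
    anon = sorted({s for s in offered_suites if is_anonymous_suite(s)})
    return Finding(host, port, anon, SPECIAL_NOTE if anon else "")


def probe_anonymous_tls(host: str, port: int = 443, timeout: float = 5.0):
    """Live check: offer only aNULL suites (TLS 1.2 and below, since TLS 1.3
    has no anonymous suites) and see whether the server completes a handshake.
    Returns the negotiated suite name, False if the server refused, or None if
    this OpenSSL build will not even configure aNULL (then test another way)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # anonymous suites present no certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("aNULL:@SECLEVEL=0")
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return False


# Constructed scanner output for one service (shop.example is not a real host).
SAMPLE_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "AECDH-AES256-SHA",
    "TLS_PSK_WITH_AES_128_CBC_SHA",
]


def example() -> Finding:
    return assess_service("shop.example", 443, SAMPLE_OFFERED)


if __name__ == "__main__":
    print(example())
```

The probe caps the version at TLS 1.2 on purpose: TLS 1.3 defines no anonymous suites, and without the cap a TLS 1.3 server would negotiate a certificate-authenticated suite and look like a hit. Current OpenSSL builds refuse aNULL at their default security level, which is why a failing set_ciphers() yields None rather than False: "could not test" is not "not present".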
Added
p. 24
Built-in Accounts
Built-in, or vendor default accounts and passwords, are commonly used by hardware and software vendors to allow the customer initial access to the product.
Note: PCI DSS Requirement 2.2.2 stipulates that vendor-supplied default accounts are managed by either changing the default password (if the account will be used) or removing or disabling the account (if the account will not be used).
For testing and reporting on built-in or default accounts in routers, firewalls, operating systems, web servers, database servers, applications, point-of-sale (POS) systems, or other components, the ASV scan solution must be able to:
DNS Servers
DNS servers are used to locate resources on the Internet by resolving domain names to their respective IP address. Merchants or service providers may use their own DNS server or may use a DNS service provided by their ISP. If DNS servers are vulnerable, malicious individuals can masquerade as, or redirect traffic from, a merchant’s or service …
Added
p. 53
Remote Access Special Note to Scan Customer: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely per Appendix C or disabled/removed. Please consult your ASV if you have questions about this Special Note.
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Approved Scanning Vendors Program Guide Version 3.2 Revision 1
Payment Card Industry (PCI) Data Security Standard Approved Scanning Vendors Program Guide Version 4.0 Revision 1
Modified
p. 4
The requirements in this document apply specifically to the quarterly EXTERNAL vulnerability scans required by PCI DSS Requirement 11.2.2. PCI SSC recommends, but does not require, that scan customers use this document for other vulnerability scanning required by PCI DSS Requirement 11.2, including internal vulnerability scanning, scanning performed after a significant change to the network or applications, and any scanning performed in addition to the required quarterly external scans/rescans.
The requirements in this document apply specifically to the EXTERNAL vulnerability scans required to be performed by a PCI SSC ASV by PCI DSS Requirement 11.3.2. PCI SSC recommends, but does not require, that scan customers use this document for other vulnerability scanning required by PCI DSS Requirement 11.3.1 and 11.3.2, including internal vulnerability scanning, internal and external scanning performed after any significant change, and any scanning performed in addition to the required external scans/rescans performed at least once every …
Modified
p. 4
PCI DSS Requirement 11.2.2 requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) approved by PCI SSC. PCI DSS provides the foundation for this and all other PCI DSS- related requirements and procedures.
PCI DSS Requirement 11.3.2 requires external vulnerability scans be performed at least once every three months by an Approved Scanning Vendor (ASV) approved by PCI SSC. PCI DSS provides the foundation for this and all other PCI DSS-related requirements and procedures.
Modified
p. 4
Payment Card Industry (PCI) Qualification Requirements for Approved Scanning Vendors (ASV)
Modified
p. 4
Note: PCI DSS provides the specific technical requirements and assessment procedures used by merchants and service providers to validate PCI DSS compliance and document the assessment. PCI DSS Requirement 11.2.2 specifically requires quarterly external vulnerability scans that must be performed by an ASV. The ASV Qualification Requirements define the requirements that must be met by an ASV in order to perform PCI DSS quarterly external vulnerability scans for ASV Program purposes.
Note: PCI DSS provides the specific technical requirements and assessment procedures used by merchants and service providers to validate PCI DSS compliance and document the assessment. PCI DSS Requirement 11.3.2 specifically requires performance of external vulnerability scans at least once every three months by a PCI SSC ASV. The ASV Qualification Requirements define the requirements that must be met by an ASV in order to perform PCI DSS external vulnerability scans for ASV Program purposes.
Modified
p. 4
PCI SSC reserves the right to change, amend, or withdraw PCI DSS and/or ASV Requirements at any time, and works closely with its community of Participating Organizations regarding such changes.
PCI SSC reserves the right to change, amend, or withdraw the PCI DSS and/or ASV Requirements at any time, and works closely with its community of Participating Organizations regarding such changes.
Modified
p. 5
PCI DSS Requirement 11.2.2 requires that external vulnerability scanning be performed at least quarterly by an ASV qualified by PCI SSC. The ASV Program Guide sets forth a standard set of:
PCI DSS Requirement 11.3.2 requires that external vulnerability scanning be performed at least once every three months by an ASV qualified by PCI SSC. The ASV Program Guide sets forth a standard set of:
Removed
p. 6
CDE Acronym for “cardholder data environment.” The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.
Modified
p. 6
Term Meaning ASV Acronym for "Approved Scanning Vendor." Refers to a company qualified by PCI SSC for ASV Program purposes to conduct external vulnerability scanning services in accordance with PCI DSS Requirement 11.2.2.
Term Meaning ASV Acronym for "Approved Scanning Vendor." Refers to a company qualified by PCI SSC for ASV Program purposes to conduct external vulnerability scanning services in accordance with PCI DSS Requirement 11.3.2.
Modified
p. 6
ASV scan (or ASV scanning) The external vulnerability scanning services performed by an ASV using an ASV scan solution to validate the compliance of a scan customer with PCI DSS Requirement 11.2.2 for ASV Program purposes.
ASV scan (or ASV scanning) The external vulnerability scanning services performed by an ASV using an ASV scan solution to validate the compliance of a scan customer with PCI DSS Requirement 11.3.2 for ASV Program purposes.
Modified
p. 6
ASV scan solution (or scan solution) A set of security services, tool and processes offered by an ASV to validate the compliance of a scan customer in accordance with PCI DSS Requirement 11.2.2 and that at the time of such validation appears on the list of Approved Scanning Vendors on the Website. ASV scan solutions include the tools, methods, procedures, associated scan reports, processes for exchanging information between the ASV and the scan customer, and the processes used by ASV …
ASV scan solution (or scan solution) A set of security services, tool and processes offered by an ASV to validate the compliance of a scan customer in accordance with PCI DSS Requirement 11.3.2 and that at the time of such validation appears on the list of Approved Scanning Vendors on the Website. ASV scan solutions include the tools, methods, procedures, associated scan reports, processes for exchanging information between the ASV and the scan customer, and the processes used by ASV …
Modified
p. 7
PCI DSS Acronym for “Payment Card Industry Data Security Standard.” Refers to the then-current version of (or successor documents to) the Payment Card Industry (PCI) Data Security Standard and Security Assessment Procedures, as from time to time amended and made available on the Website.
PCI DSS Acronym for “Payment Card Industry Data Security Standard.” Refers to the then-current version of (or successor documents to) the Payment Card Industry Data Security Standard Requirements and Testing Procedures, as from time to time amended and made available on the Website.
Modified
p. 7
QSA Acronym for “Qualified Security Assessor.” QSAs are companies qualified by PCI SSC to perform PCI DSS on-site assessments. Refer to the Payment Card Industry (PCI) Qualification Requirements for Qualified Security Assessors (QSA) for details about requirements for “QSA Companies” and “QSA Employees.”
Scan customer A merchant or service provider that is required to undergo a quarterly external vulnerability scan via an ASV for ASV Program purposes.
QSA Acronym for “Qualified Security Assessor.” QSAs are companies qualified by PCI SSC to perform PCI DSS on-site assessments. Refer to the Payment Card Industry (PCI) Qualification Requirements for Qualified Security Assessors (QSA) for details about requirements for “QSA Companies” and “QSA Employees.”
Scan customer A merchant or service provider that is required to undergo an external vulnerability scan at least once every three months via an ASV for ASV Program purposes.
Modified
p. 8
• ASVs, QSAs, and PCI SSC participate more directly in PCI DSS assessment process. Stakeholders that are not directly involved with the assessment process should nonetheless be aware of the overall process to facilitate associated business decisions.
• ASVs, QSAs, and PCI SSC participate more directly in the PCI DSS assessment process. Stakeholders that are not directly involved with the assessment process should nonetheless be aware of the overall process to facilitate associated business decisions.
Modified
p. 8
The following describes the high-level roles and responsibilities of the stakeholders in the payment community as they relate to PCI DSS and ASV Program.
The following describes the high-level roles and responsibilities of the stakeholders in the payment community as they relate to PCI DSS and the ASV Program.
Modified
p. 8
• Maintains the ASV Program Guide and ASV Qualification Requirements (including the ASV Agreement)
• Provides training for ASV Companies and ASV Employees
• Evaluates ASV Company and ASV Employee qualifications to perform external vulnerability scans in accordance with PCI DSS and ASV Program requirements
• Maintains the List of Approved Scanning Vendors on the Website
• Maintains a quality assurance program for ASVs
4.3 Approved Scanning Vendors
An ASV is an organization with an ASV scan solution (i.e., a …
• Maintains the ASV Program Guide and ASV Qualification Requirements (including the ASV Agreement)
• Provides training for ASV Companies and ASV Employees
• Evaluates ASV Company and ASV Employee qualifications to perform external vulnerability scans in accordance with PCI DSS and ASV Program requirements
• Maintains the List of Approved Scanning Vendors on the Website
• Maintains a quality assurance program for ASVs
4.3 Approved Scanning Vendors
An ASV is an organization with an ASV scan solution (i.e., a …
Modified
p. 8
Performing external vulnerability scans in accordance with PCI DSS Requirement 11.2.2, this document and other supplemental guidance published by PCI SSC.
Performing external vulnerability scans in accordance with PCI DSS Requirement 11.3.2, this document and other supplemental guidance published by PCI SSC.
Modified
p. 9
Performing PCI DSS Assessments in accordance with PCI DSS, which includes confirming that PCI DSS Requirement 11.2.2 is “in place” and that the ASV and ASV scan solution were both on the list of Approved Scanning Vendors on the date when the respective scans were performed.
Performing PCI DSS Assessments in accordance with PCI DSS, which includes confirming that PCI DSS Requirement 11.3.2 is “in place” and that the ASV and ASV scan solution were both on the list of Approved Scanning Vendors on the date when the respective scans were performed.
Modified
p. 10
Maintaining compliance with PCI DSS at all times, which includes properly maintaining the security of their Internet-facing systems.
Maintaining compliance with the PCI DSS at all times, as applicable, which includes properly maintaining the security of their Internet-facing systems.
Modified
p. 10
Selecting an ASV from the list of Approved Scanning Vendors from the Website to conduct quarterly external vulnerability scanning in accordance with PCI DSS Requirement 11.2.2 and this document using an ASV scan solution.
Selecting an ASV from the list of Approved Scanning Vendors from the Website to conduct external vulnerability scanning in accordance with PCI DSS Requirement 11.3.2 and this document using an ASV scan solution.
Modified
p. 11
Arranging with the ASV to re-scan any non-compliant systems to verify that all “High” and “Medium” severity vulnerabilities have been resolved, to obtain a passing quarterly scan. See Table 2 of Section 6, “Vulnerability Severity Levels Based on the NVD and CVSS.” Submitting the completed ASV scan report to the scan customer’s acquirer(s) and/or Participating Payment Brand(s), as directed by the Participating Payment Brands.
Arranging with the ASV to re-scan any non-compliant systems to verify that all “High” and “Medium” severity vulnerabilities have been resolved, to obtain a passing scan at least once every three months. See Table 2 of Section 6, “Vulnerability Severity Levels Based on the NVD and CVSS.” Submitting the completed ASV scan report to the scan customer’s acquirer(s) and/or Participating Payment Brand(s), as directed by the Participating Payment Brands.
Modified
p. 12
PCI DSS external vulnerability scans may apply to any merchant or service provider with external/ Internet-facing components. Even if an entity does not offer Internet-based transactions, other services may make systems Internet accessible. Basic functions such as email and user Internet access will result in the Internet-accessibility of a company’s network. Such seemingly insignificant paths to and from the Internet can provide unprotected pathways into scan customer systems and potentially expose cardholder data if not properly controlled.
PCI DSS external vulnerability scans may apply to any merchant or service provider with external/ Internet-facing components. Even if an entity does not offer Internet-based transactions, other services may make systems Internet accessible. Basic functions such as email and user Internet access will result in the Internet-accessibility of a company’s network. Such seemingly insignificant paths to and from the Internet can provide unprotected pathways into scan customer systems and potentially expose account data if not properly controlled.
Modified
p. 12
Note: To be considered compliant with the external vulnerability scanning requirement of PCI DSS Requirement 11.2.2, the scan customer infrastructure must be tested and shown to be compliant, in accordance with this document and applicable ASV Program requirements. Compliance with this external vulnerability scanning requirement only represents compliance with PCI DSS Requirement 11.2.2, and does not represent or indicate compliance with any other PCI DSS requirement.
Note: To be considered compliant with the external vulnerability scanning requirement of PCI DSS Requirement 11.3.2, the scan customer infrastructure must be tested and shown to be compliant, in accordance with this document and applicable ASV Program requirements. Compliance with this external vulnerability scanning requirement only represents compliance with PCI DSS Requirement 11.3.2, and does not represent or indicate compliance with any other PCI DSS requirement.
Removed
p. 13
Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.
Removed
p. 13
11.2.1.b Review the scan reports and verify that all “high risk” vulnerabilities are addressed and the scan process includes rescans to verify that the “high risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved.
11.2.1.c Interview personnel to verify that the scan was performed by a qualified internal resource(s) or qualified external third party and, if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
Modified
p. 13
PCI DSS Requirements Testing Procedures 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
PCI DSS Requirements Testing Procedures 11.3.2 External vulnerability scans are performed as follows:
Modified
p. 13
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
Note: Multiple scan reports can be combined to show that all systems were scanned and all applicable vulnerabilities have been resolved as part of the three-month vulnerability scan cycle. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being resolved. For initial PCI DSS compliance, it is not required that four passing scans be completed within 12 months if the assessor verifies 1) the most recent scan result was a passing scan, 2) …
Modified
p. 13
11.3.2.a Examine ASV scan reports from the last 12 months to verify that external vulnerability scans occurred at least once every three months in the most recent 12-month period.
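The testing procedures 11.3.2.a, 11.3.2.b and 11.3.2.c quoted on this page, together with the scan customer's duty to obtain a passing scan at least once every three months and the passing-scan criterion the page quotes (no vulnerability scored 4.0 or higher by CVSS, and no automatic failure such as detected malware), can be run as a check over a year of scan reports. The following is an added example, not from the ASV Program Guide or PCI SSC; the reading of "at least once every three months" as "no stretch of the 12-month window longer than three calendar months without a scan" is this example's own encoding, and the scan history is constructed.

```python
"""Verify an ASV scan history against the PCI DSS 11.3.2 testing procedures.

Added example, not from the ASV Program Guide or PCI SSC. It encodes the
quoted procedures as checks a QSA could run over a year of scan reports;
the sample history at the bottom is constructed.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date

CVSS_FAIL_THRESHOLD = 4.0  # quoted rule: a passing scan has no vulnerability scored 4.0 or higher


@dataclass
class Finding:
    cvss: float
    automatic_failure: bool = False  # e.g. a detected backdoor, rootkit or Trojan
    special_note: bool = False       # a Special Note by itself does not fail the scan


@dataclass
class ScanReport:
    scanned_on: date
    asv_listed: bool                 # ASV and scan solution on the PCI SSC list that day
    findings: list = field(default_factory=list)


def report_passes(report: ScanReport) -> bool:
    """Passing-scan rule: no finding at CVSS >= 4.0 and no automatic failure."""
    return not any(f.automatic_failure or f.cvss >= CVSS_FAIL_THRESHOLD
                   for f in report.findings)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def occurs_every_three_months(dates, window_end: date) -> bool:
    """Assumed encoding of 'at least once every three months': within the 12
    months ending at window_end, no gap longer than three calendar months
    between the window start, consecutive dates, and the window end."""
    window_start = add_months(window_end, -12)
    in_window = sorted(d for d in dates if window_start <= d <= window_end)
    previous = window_start
    for d in in_window + [window_end]:
        if d > add_months(previous, 3):
            return False
        previous = d
    return bool(in_window)


def verify_11_3_2(reports, assessment_date: date, initial_assessment=False,
                  cadence_policy_documented=False) -> dict:
    ordered = sorted(reports, key=lambda r: r.scanned_on)
    passing = [r for r in ordered if report_passes(r)]
    result = {
        # 11.3.2.a: external scans occurred at least once every three months
        "scans_every_three_months": occurs_every_three_months(
            [r.scanned_on for r in ordered], assessment_date),
        # scan-customer duty: a PASSING scan at least once every three months
        "passing_scan_every_three_months": occurs_every_three_months(
            [r.scanned_on for r in passing], assessment_date),
        # 11.3.2.b: vulnerabilities resolved, shown by the latest report passing
        "most_recent_scan_passes": bool(ordered) and report_passes(ordered[-1]),
        # 11.3.2.c: every report produced by a listed ASV
        "all_by_listed_asv": bool(ordered) and all(r.asv_listed for r in ordered),
    }
    if initial_assessment:
        # Guide exception for a first assessment: four passing scans in 12 months
        # are not required if the latest scan passed, the cadence is in policy,
        # and noted vulnerabilities were corrected in rescans.
        result["compliant"] = (result["most_recent_scan_passes"]
                               and cadence_policy_documented
                               and result["all_by_listed_asv"])
    else:
        result["compliant"] = (result["passing_scan_every_three_months"]
                               and result["most_recent_scan_passes"]
                               and result["all_by_listed_asv"])
    return result


def sample_history():
    """Constructed 12-month history: one failed scan corrected by a rescan."""
    return [
        ScanReport(date(2023, 4, 10), True, [Finding(2.1)]),
        ScanReport(date(2023, 7, 3), True, [Finding(7.5)]),   # fails: CVSS >= 4.0
        ScanReport(date(2023, 7, 8), True, [Finding(2.1)]),   # rescan passes
        ScanReport(date(2023, 10, 5), True, []),
        ScanReport(date(2024, 1, 4), True, [Finding(0.0, special_note=True)]),
    ]


if __name__ == "__main__":
    print(verify_11_3_2(sample_history(), date(2024, 3, 15)))
```

The two cadence fields are kept separate because the procedures separate them: 11.3.2.a asks only whether scans occurred, while the scan customer's duty is a passing scan per three-month cycle; a quarter with only failing scans satisfies the first and not the second.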
Removed
p. 14
PCI DSS Requirements Testing Procedures 11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.
11.2.2.a Review output from the four most recent quarters of external vulnerability scans and verify that four quarterly external vulnerability scans occurred in the most recent 12-month period.
11.2.2.b Review the results of each quarterly scan and rescan to verify that the ASV Program Guide requirements for a passing scan have been met (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures).
Removed
p. 14
11.2.3.a Inspect and correlate change control documentation and scan reports to verify that system components subject to any significant change were scanned.
11.2.3.b Review scan reports and verify that the scan process includes rescans until:
For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS. For internal scans, all “high risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
11.2.3.c Validate that the scan was performed by a qualified internal resource(s) or qualified external third party and, if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
Modified
p. 14 → 13
11.3.2.c Examine the ASV scan reports to verify that the scans were completed by a PCI SSC Approved Scanning Vendor (ASV).
Modified
p. 15 → 14
The specific version(s) of the ASV’s full ASV scan solution(s), as tested, approved, and listed in accordance with the ASV Program as part of PCI SSC’s scanning vendor testing and approval process, is the ONLY version of the scan solution that the ASV is approved to use to perform external vulnerability scans in accordance with PCI DSS Requirement 11.2.2 for ASV Program purposes. While significant modifications to the tested and approved ASV scan solution (without undergoing another ASV Validation Lab …
The specific version(s) of the ASV’s full ASV scan solution(s), as tested, approved, and listed in accordance with the ASV Program as part of PCI SSC’s scanning vendor testing and approval process, is the ONLY version of the scan solution that the ASV is approved to use to perform external vulnerability scans in accordance with PCI DSS Requirement 11.3.2 for ASV Program purposes. While significant modifications to the tested and approved ASV scan solution (without undergoing another ASV Validation Lab …
Removed
p. 16
Note: The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment (CDE). The CDE is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:
• Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name-resolution or web-redirection servers) the CDE.
• Any other component or device located within or connected to the CDE.
Modified
p. 16
• Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
• Network components, including but not limited to network security controls, switches, routers, VoIP network devices, wireless access points, network appliances, and other security appliances.
Modified
p. 16
• Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
• Applications, software, and software components, serverless applications, including all purchased, subscribed (for example, Software-as-a-Service), custom, and in-house built applications, including internal and external (for example, Internet) applications.
Removed
p. 17
In general, the following segmentation methods may be used to reduce the scope of the ASV scan:
Provide physical segmentation between the system components that store, process, or transmit cardholder data and systems that do not.
Employ appropriate logical segmentation where traffic is prohibited between the segment or network handling cardholder data and other networks or segments.
Modified
p. 17
Scan customers must coordinate with their ISPs to allow the ASV scan to be performed without interference from active protection systems. For more details, see Section 5.6, “ASV Scan Interference.” In a shared hosting environment, the scan customer shares the environment with the hosting provider’s other customers. This could lead to the scan customer’s environment being compromised through security weaknesses in other customers’ environments at the hosting provider.
Scan customers must coordinate with their ISPs to allow the ASV scan to be performed without interference from active protection systems. For more details, see Section 5.6, “ASV Scan Interference.” In shared hosting and multi-tenant environments, the scan customer shares the environment with the hosting or multi-tenant service provider’s other customers. This could lead to the scan customer’s environment being compromised through security weaknesses in other customers’ environments at the hosting provider or multi-tenant service provider.
Modified
p. 17
There are two options for ASV scanning of hosting providers that host scan customer infrastructures or components:
There are two options for ASV scanning of hosting providers / multi-tenant service providers that host scan customer infrastructures or components:
Modified
p. 17
1. The hosting provider can undergo ASV scans on its own and provide evidence to its customers to demonstrate their compliant scans; or
1. The provider can undergo ASV scans on its own and provide evidence to its customers to demonstrate their compliant scans; or
Modified
p. 17
2. The hosting provider can undergo ASV scans as part of each of its customers’ ASV scans. In either case, it is the responsibility of the scan customer to ensure that their hosted environment receives a passing score from an ASV scan.
2. The provider can undergo ASV scans as part of each of its customers’ ASV scans. In either case, it is the responsibility of the scan customer to ensure that their hosted / multi-tenant environment receives a passing score from an ASV scan.
Modified
p. 17
Note: If the hosting provider has all Internet-facing IP ranges AND all scan customers’ domains, etc. scanned as part of the hosting provider’s own ASV scans, and provides proof of passing scans to scan customers, the domains do not have to be included in the scan customers’ ASV scans.
Note: If the provider has all Internet-facing IP ranges AND all scan customers’ domains, etc. scanned as part of the provider’s own ASV scans, and provides proof of passing scans to scan customers, the domains do not have to be included in the scan customers’ ASV scans.
Modified
p. 19
Firewalls that are configured to always block certain ports, but always keep other ports open.
Network security controls that are configured to always block certain ports, but always keep other ports open.
Modified
p. 20
The changes in this section are considered temporary and are only required for the duration of the ASV scan, and only apply to external-facing components in scope for quarterly external vulnerability scans required by PCI DSS Requirement 11.2.2. Scan customers are encouraged to work with the ASV to perform secure quarterly scans that do not unnecessarily expose the scan customer’s network, but also do not limit the final results of the ASV scans, as follows:
The changes in this section are considered temporary and are only required for the duration of the ASV scan, and only apply to external-facing components in scope for external vulnerability scans required by PCI DSS Requirement 11.3.2. Scan customers are encouraged to work with the ASV to perform secure scans at least once every three months that do not unnecessarily expose the scan customer’s network, but also do not limit the final results of the ASV scans, as follows:
Modified
p. 22
Have Platform Independence Customer platforms are diverse and each platform has strengths and weaknesses. The ASV scan solution must cover all commonly used platforms.
Have Platform Independence Customer platforms are diverse, and each platform has strengths and weaknesses. The ASV scan solution must cover all commonly used platforms.
Modified
p. 22
If the scan customer is unable to validate a synchronized environment behind their load balancers, the ASV must disclose the inconsistency with the following Special Note to Scan Customer1 on the scan report:
If the scan customer is unable to validate a synchronized environment behind their load balancers, the ASV must disclose the inconsistency with the following Special Note to Scan Customer 1 on the scan report:
Removed
p. 23
Firewalls and Routers Firewalls and routers, which control traffic between the company’s network and external untrusted networks (for example, the Internet), have known vulnerabilities for which patches are periodically released.
Modified
p. 23
Table 1: Required Components for PCI DSS Vulnerability Scanning Following is a non-exhaustive list of services, devices, and operating systems that must be tested.
Table 1: Components for PCI DSS Vulnerability Scanning Following is a non-exhaustive list of services, devices, and operating systems that must be tested.
Modified
p. 23
Scan Component For Scan Customers: Why must it be scanned? For ASVs: ASV scan solution must:
Scan Component For Scan Customers: Why must it be scanned? For ASVs:
Modified
p. 23 → 26
Another common problem with firewalls and routers is inadequate configuration.
Another common problem with NSCs is inadequate configuration.
Modified
p. 23 → 26
To ensure firewalls and routers are protected against these vulnerabilities and are able to protect the network effectively, it is important to apply the patches as soon as possible.
To ensure NSCs are protected against these vulnerabilities and are able to protect the network effectively, it is important to apply the patches as soon as possible.
Modified
p. 23 → 26
The ASV must scan all network devices such as firewalls and external routers. If a firewall or router is used to establish a demilitarized zone (DMZ), these devices must be included.
The ASV must scan all NSCs such as firewalls and external routers. If an NSC is used to establish a demilitarized zone (DMZ), these devices must be included.
Modified
p. 23 → 26
The ASV scan solution must test for known vulnerabilities and determine whether the firewall or router is adequately patched.
The ASV scan solution must test for known vulnerabilities and determine whether the NSC is adequately patched.
Modified
p. 23 → 26
Malicious individuals exploit OS vulnerabilities to gain access to applications and internal databases that potentially store, process or manage access to cardholder data.
Malicious individuals exploit OS vulnerabilities to gain access to applications and internal databases that potentially store, process or manage access to account data.
Modified
p. 23 → 29
Database Servers Database servers store and manage access to cardholder data.
System Components that Store Cardholder Data (such as Database Servers) System components that store cardholder data (such as database servers) store and manage access to cardholder data.
Modified
p. 23 → 29
If these components are directly accessible from untrusted networks, malicious individuals can exploit vulnerabilities in these servers to gain access to cardholder data.
Modified
p. 23 → 29
The ASV scan solution must be able to detect open access to databases from the Internet. This configuration is a violation of PCI DSS Requirement 1.3.6, and must be marked as an automatic failure by the ASV. The ASV scan solution must also be able to detect and report on known database exploits and vulnerabilities.
The ASV scan solution must be able to detect open access to system components storing cardholder data (such as databases) from the Internet. This configuration is a violation of PCI DSS Requirement 1.4.4 and must be marked as an automatic failure by the ASV. The ASV scan solution must also be able to detect and report on known database exploits and vulnerabilities.
Removed
p. 24
Malicious individuals exploit vulnerabilities in these servers and their scripts to gain access to applications and internal databases that potentially store, process or manage access to cardholder data.
Permitting directory browsing on a web server increases security risk; for example, it may expose file system contents or provide unintended access to sensitive data.
Because these servers are accessible from the public Internet, scanning for vulnerabilities is essential.
The ASV scan solution must be able to test for all known vulnerabilities and configuration issues on web servers.
The ASV scan solution must also be able to scan the website and verify that directory browsing is not possible on the server.
Positive identification of directory browsing must be reported and disclosed with the following Special Note:
Malicious individuals exploit vulnerabilities in these servers and scripts to gain access to applications or internal databases that potentially store, process or manage access to cardholder data.
Modified
p. 24 → 30
Special Note to Scan Customer: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Consult your ASV if you have questions about this Special Note.
Special Note to Scan Customer: Unidentified services have been detected. Due to increased risk to the cardholder data environment, identify the service, then either 1) justify the business need for this service and confirm it is securely implemented, or 2) identify the service and confirm that it is disabled. Consult your ASV if you have questions about this Special Note.
Removed
p. 25
Built-in Accounts Built-in, or default accounts and passwords, are commonly used by hardware and software vendors to allow the customer initial access to the product.
Note: PCI DSS Requirement 2.1 stipulates that vendor-supplied defaults, including vendor accounts and passwords, are changed and disabled or removed before installing a system on a network.
For testing and reporting on built-in or default accounts in routers, firewalls, operating systems, web servers, database servers, applications, point-of-sale (POS) systems, or other components, the ASV scan solution must do the following:
DNS Servers DNS servers are used to locate resources on the Internet by resolving domain names to their respective IP address. Merchants or service providers may use their own DNS server or may use a DNS service provided by their ISP. If DNS servers are vulnerable, malicious individuals can masquerade as, or redirect traffic from, a merchant’s or service provider’s web page and collect cardholder data.
Modified
p. 25 → 30
Virtualization components Virtualization components may include virtual hosts, virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. Just like physical system components, an internet-facing virtualized component that connects (or provides a path) to the cardholder data environment is a potential target of attack and is therefore subject to scanning under PCI DSS Requirement 11.2.2.
Virtualization components Virtualization components may include virtual hosts, virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. Just like physical system components, an internet-facing virtualized component that connects (or provides a path) to the cardholder data environment is a potential target of attack and is therefore subject to scanning under PCI DSS Requirement 11.3.2.
Removed
p. 26
Merchants should also work with their acquiring banks or the payment brands to determine whether authenticated vulnerability scans should be performed as part of their vulnerability management program.
Other Applications Other applications, such as those for streaming media, RSS feeds, proxy servers, media content, etc. may be exploited by malicious individuals to gain access to cardholder data that may be processed or accessed by these applications.
Modified
p. 26 → 31
Web Applications Web applications typically reside on web or application servers and interface with the back-end databases and other systems. Web applications may process or transmit cardholder data as part of the customer’s online transaction, or store such data in a database server.
Web Applications Web applications typically reside on web or application servers and interface with the back-end databases and other systems. Web applications may process or transmit account data as part of the customer’s online transaction, or store such data in a database server.
Modified
p. 26 → 31
Malicious individuals exploit web application vulnerabilities to gain access to applications or internal databases that may process, store, or manage access to cardholder data. See OWASP Top 10 Project2 for additional information on current web application vulnerabilities.
Malicious individuals exploit web application vulnerabilities to gain access to applications or internal databases that may process, store, or manage access to account data. See OWASP Top 10 Project2 for additional information on current web application vulnerabilities.
Modified
p. 26 → 31
While only unauthenticated web application testing is required, authenticated testing is more thorough since user interaction and functionality (such as conducting payment transactions) can be more accurately simulated. Some authenticated scan tests may simulate attacks that could cause account lockouts or other negative impact to the systems or applications being tested, so it is important for scan customers to work with their ASVs to determine whether authenticated web application scan testing is right for their particular environment, the type and …
While only unauthenticated web application scan testing is required, authenticated scan testing is more thorough since user interaction and functionality (such as conducting payment transactions) can be more accurately simulated. Some authenticated scan tests may simulate attacks that could cause account lockouts or other negative impact to the systems or applications being tested, so it is important for scan customers to work with their ASVs to determine whether authenticated web application scan testing is right for their particular environment, the …
Modified
p. 26 → 31
Note: ASV scan solutions must be capable of detecting vulnerabilities in custom web applications. While performing authenticated web application testing is not required, certain web application vulnerabilities exist which may only be identified by means of authenticated testing, which (in addition to the required unauthenticated web application scans) may help the ASV provide a more comprehensive scan report. ASVs should work with scan customers to determine whether authenticated scans are appropriate for the particular environment.
Note: ASV scan solutions must be capable of detecting vulnerabilities in custom web applications. While performing authenticated web application scan testing is not required, certain web application vulnerabilities exist which may only be identified by means of authenticated scan testing, which (in addition to the required unauthenticated web application scans) may help the ASV provide a more comprehensive scan report. ASVs should work with scan customers to determine whether authenticated scans are appropriate for the particular environment.
Removed
p. 27
The ASV scan solution must detect and report all known, remotely-detectable backdoor applications. The presence of any such malware, including rootkits, backdoors, and Trojan horse programs must be marked as an automatic failure by the ASV.
Per PCI DSS, strong cryptography and security protocols must be deployed; see PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms (available on the Website) for additional details on “Strong Cryptography.” Also refer to industry best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 rev 1 and SP 800-57, OWASP, etc.)
The ASV scan solution must detect the following and report any PCI DSS compliance-affecting vulnerabilities:
• The presence and versions of cryptographic protocols on a component or service
• The encryption algorithms and encryption key strengths used in all cryptographic protocols for each component or service
• The signature-signing algorithms used for all server certificates
• Certificate validity, authenticity …
Removed
p. 30
Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
If the ASV scan solution detects insecure services or industry-deprecated protocols, the following must be included in the Special Notes section of the scan report:
Special Note to Scan Customer: Insecure services and industry-deprecated protocols can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, 1) justify the business need for this service and confirm additional controls are in place to secure use of the service, or 2) confirm that it is disabled. Consult your ASV if you have questions about this Special Note.
If the ASV scan solution detects a service that cannot be identified, the following note must be included in the Special Notes section of the scan report:
Removed
p. 32
• If the NVD entry for a specific CVE identifier includes a CVSSv3.1 score, the ASV must include the published CVSSv3.1 score in the report.
• If the NVD entry for the CVE identifier does not include a CVSSv3.1 score, the ASV must include the published CVSSv3.0 score in the report.
• If the NVD entry for the CVE identifier does not include either a CVSSv3.1 or CVSSv3.0 score, then the ASV must include the published CVSSv2.0 score in the report.
Modified
p. 32 → 33
1. The Common Vulnerability Scoring System (CVSS) provides a common framework for communicating the characteristics and impact of IT vulnerabilities. The CVSS scoring algorithm utilizes a Base Metric Group, which describes both the complexity and impact of a vulnerability to produce a Base Score, which ranges between 0 and 10.
1. The Common Vulnerability Scoring System (CVSS) version 2.0, which provides a common framework for communicating the characteristics and impact of IT vulnerabilities. The CVSS scoring algorithm utilizes a Base Metric Group, which describes both the complexity and impact of a vulnerability to produce a Base Score, which ranges between 0 and 10. The CVSS Base Score must, where available, be used by ASVs in computing PCI DSS compliance scoring.
Modified
p. 32 → 33
2. The National Vulnerability Database (NVD) is maintained by the National Institute of Standards and Technology (NIST). The NVD contains details of known vulnerabilities based on the Common Vulnerabilities and Exposures (CVE) dictionary. The NVD has adopted the CVSS and publishes CVSS Base Scores for each vulnerability.
2. The National Vulnerability Database (NVD), which is maintained by the National Institute of Standards and Technology (NIST). The NVD contains details of known vulnerabilities based on the Common Vulnerabilities and Exposures (CVE) dictionary. The NVD has adopted the CVSS and publishes CVSS Base Scores for each vulnerability. ASVs should use the CVSS scores whenever they are available.
Modified
p. 32 → 33
The use of the CVSS and CVE standards in conjunction with the NVD is intended to provide consistency across ASVs.
Modified
p. 34 → 35
Note: When re-ranking a vulnerability’s risk assignment, ASVs are encouraged to utilize industry- recognized resources (such as the CVSS Calculator), rather than arbitrarily or subjectively assigning numbers to vulnerabilities.
Note: When re-ranking a vulnerability’s risk assignment, ASVs are encouraged to utilize industry- recognized resources (such as the CVSS v3.0 Calculator), rather than arbitrarily or subjectively assigning numbers to vulnerabilities.
Modified
p. 37 → 38
Note: If multiple, failed scans are aggregated to represent one overall passing scan*, an additional Attestation of Scan Compliance cover sheet with a Scan Status of “Pass” may be included by the ASV as a “cover sheet” to represent all partial/failed scans (and each accompanying partial/failed scan’s respective Attestation of Scan Compliance cover sheets) for that quarterly period. This would be acceptable as long as each report includes 1) all failing vulnerabilities that have been fixed, rescanned, and validated as …
Note: If multiple, failed scans are aggregated to represent one overall passing scan*, an additional Attestation of Scan Compliance cover sheet with a Scan Status of “Pass” may be included by the ASV as a “cover sheet” to represent all partial/failed scans (and each accompanying partial/failed scan’s respective Attestation of Scan Compliance cover sheets) for that scan period. This would be acceptable as long as each report includes 1) all failing vulnerabilities that have been fixed, rescanned, and validated as …
Modified
p. 37 → 38
* An example of aggregation would be instead of having a single, environment-wide scan report, the entity may verify it has met the scanning requirements through a collection of scan results, which together show that all required scans are being performed and that all applicable vulnerabilities are being identified and addressed on a quarterly basis; see FAQ 1152 on the Website for additional information.
* An example of aggregation would be instead of having a single, environment-wide scan report, the entity may verify it has met the scanning requirements through a collection of scan results, which together show that all required scans are being performed and that all applicable vulnerabilities are being identified and resolved at least once every three months; see FAQ 1152 on the Website for additional information.
Modified
p. 38 → 39
Acknowledgement that ASV scan results only indicate whether scanned systems are compliant with the external quarterly vulnerability scan requirement (PCI DSS 11.2.2) and are not an indication of overall compliance with any other PCI DSS requirements.
Acknowledgement that ASV scan results only indicate whether scanned systems are compliant with the external vulnerability scan requirement (PCI DSS 11.3.2) and are not an indication of overall compliance with any other PCI DSS requirements.
Modified
p. 38 → 39
• Scan customers only submit passing scan reports (which may be comprised of multiple failed scans to demonstrate all vulnerabilities reported in the initial scan for that quarterly period were addressed).
• Scan customers only submit passing scan reports (which may be comprised of multiple failed scans to demonstrate all vulnerabilities reported in the initial scan for that scan period were addressed).
Modified
p. 39 → 40
3. Scan customer and ASV agree on a method that allows the ASV scan solution to complete a scan of all in-scope components without interference. This method must be operated and managed by the ASV in accordance with all ASV Program requirements. For example, a secure connection (such as an IPsec VPN tunnel) could be implemented between the ASV and scan customer, or the lab-validated ASV scan solution3 (such as an appliance or agent) could be installed at the scan …
3. Scan customer and ASV agree on a method that allows the ASV scan solution to complete a scan of all in-scope components without interference. This method must be operated and managed by the ASV in accordance with all ASV Program requirements. For example, a secure connection (such as an IPsec VPN tunnel) could be implemented between the ASV and scan customer, or the lab-validated ASV scan solution 3 (such as an appliance or agent) could be installed at the …
Modified
p. 40 → 41
The ASV must have a written procedure in place for handling disputes, and the scan customer must be clearly informed on how to report a dispute to the ASV, including how to appeal the findings of the dispute investigation with the ASV. The ASV must explicitly inform the scan customer that disputes in scan results are NOT to be submitted to PCI SSC.
The ASV must have a written procedure in place for handling disputes, and the scan customer must be clearly informed on how to report a dispute to the ASV, including how to appeal the findings of the dispute investigation with the ASV. The ASV must explicitly inform the scan customer that disputes in scan results are NOT to be submitted to the PCI SSC.
Modified
p. 41 → 42
Not carry dispute findings forward from one quarterly scan to the next by the ASV. Dispute evidence must be verified and resubmitted by the scan customer, and evaluated again by the ASV, for each quarterly scan.
Not carry dispute findings forward from one scan period to the next by the ASV. Dispute evidence must be verified and resubmitted by the scan customer, and evaluated again by the ASV, for each scan period.
Modified
p. 43 → 44
Removing components or applications from scope that may impact cardholder data.
Removing components or applications from scope that may impact account data.
Modified
p. 43 → 44
Independent forensic investigations performed by reputable, qualified experts conclusively demonstrating that cardholder data was compromised, the breach occurred on systems or by system components evaluated by the ASV, and the breach occurred as a direct result of the ASV’s failure to properly scan or report the systems or system components.
Independent forensic investigations performed by reputable, qualified experts conclusively demonstrating that account data was compromised, the breach occurred on systems or by system components evaluated by the ASV, and the breach occurred as a direct result of the ASV’s failure to properly scan or report the systems or system components.
Modified
p. 44 → 45
Figure 1: Overview of ASV Scan Processes
1 Scan customers are ultimately responsible for defining the scan scope, though they may seek expertise from QSAs and guidance from ASVs. If an account data compromise occurs via a component not included in the scan, the scan customer is accountable.
2 To reduce the scope of the scan, network segmentation must be in place to isolate system components that store, process, or transmit cardholder data from systems that do not. ASV still …
Figure 1: Overview of ASV Scan Processes
1 Scan customers are ultimately responsible for defining the scan scope, though they may seek expertise from QSAs and guidance from ASVs. If an account data compromise occurs via a component not included in the scan, the scan customer is accountable.
2 To reduce the scope of the scan, network segmentation must be in place to isolate system components that store, process, or transmit account data from systems that do not. ASV still …
Modified
p. 45 → 46
Compliance status: Pass Fail Scan report type: Full scan Partial scan or rescan Number of unique in-scope components4 scanned:
Compliance status: Pass Fail Scan report type: Full scan Partial scan or rescan Number of unique in-scope components 4 scanned:
Modified
p. 46 → 47
A.5 ASV Attestation This scan and report was prepared and conducted by (ASV name) under certificate number (insert number), according to internal processes that meet PCI DSS Requirement 11.2.2 and the ASV Program Guide.
A.5 ASV Attestation This scan and report was prepared and conducted by (ASV name) under certificate number (insert number), according to internal processes that meet PCI DSS Requirement 11.3.2 and the ASV Program Guide.
Modified
p. 46 → 47
(ASV name) attests that PCI DSS scan process was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, 3) compensating controls (if applicable), and 4) active scan interference. This report and any exceptions were reviewed by (ASV reviewer name).
(ASV name) attests that the PCI DSS scan process was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, 3) compensating controls (if applicable), and 4) active scan interference. This report and any exceptions were reviewed by (ASV reviewer name).
Modified
p. 51 → 52
Part 3b. Special Notes to Scan Customer by Component 4 Component Special Note to Scan Customer 9 Item Noted Per section 7.2 of the ASV Program Guide, scan customer’s description of action taken and declaration that software is either needed for business and implemented securely, or removed w.x.y.116 HTTP directory listing Web Server All HTTP directory listing capabilities have been disabled per vendor support documentation. w.x.y.119 VPN detected Remote Access Software The VPN service is essential for conducting business and …
Part 3b. Special Notes by Component Component Special Note to Scan Customer 9 Item Noted Scan customer’s description of action taken and declaration that software is either implemented securely or removed w.x.y.116 Web Servers HTTP directory browsing (Web application: port 80/tcp) All HTTP directory listing capabilities have been disabled per vendor support documentation. w.x.y.119 Remote Access VPN detected (OpenVPN: port 500/udp) The VPN service is essential for conducting business and used to connect remote offices. The VPN service is securely …
Modified
p. 52 → 53
IP Range: w.x.y.116
• w.x.y.128 Domain: company1.com Domain: company1.net URL: www.company1.com/payment Part 4b. Scan Customer Designated “In-Scope” Components (Scanned) IP Addresses/ranges/subnets, domains, URLs, etc. w.x.y.117, www. company1.com w.x.y.118, www.company1.net w.x.y.119, vpn.company1.com, remote.company1.com w.x.y.120, mail.company1.com Part 4c. Scan Customer Designated “Out-of-Scope” Components (Not Scanned) Requires description for each IP Address/range/subnet, domain, URL w.x.y.121, artwork.company1.com
• Scan customer attests to implementing segmentation via separate physical layer 2 switch with no connectivity to CDE. w.x.y.122 (not active)
• Scan customer attests that this IP address is …
• w.x.y.128 Domain: company1.com Domain: company1.net URL: www.company1.com/payment Part 4b. Scan Customer Designated “In-Scope” Components (Scanned) IP Addresses/ranges/subnets, domains, URLs, etc. w.x.y.117, www. company1.com w.x.y.118, www.company1.net w.x.y.119, vpn.company1.com, remote.company1.com w.x.y.120, mail.company1.com Part 4c. Scan Customer Designated “Out-of-Scope” Components (Not Scanned) Requires description for each IP Address/range/subnet, domain, URL w.x.y.121, artwork.company1.com
• Scan customer attests to implementing segmentation via separate physical layer 2 switch with no connectivity to CDE. w.x.y.122 (not active)
• Scan customer attests that this IP address is …