The Thorny Road to Becoming a PCI Approved Scanning Vendor

enableIT is pleased to announce that it is a PCI (Payment Card Industry) Approved Scanning Vendor (ASV). Becoming an ASV was an educational process for this organization, because the process itself is ever changing. ASV certification is fluid and adaptive; its standards are continually revised to account for the latest security threats, and the testing skills that earn an organization PCI certification one month will likely be outdated the next. For this reason I have outlined some recent changes to the ASV certification and application processes, as well as how our organization's certification benefits our clients.

For some time, in its effort to secure credit card processing systems, PCI has required quarterly vulnerability scans of environments that store, transmit, or process credit card numbers. Businesses that accept credit card payments must have their networks scanned by a PCI Approved Scanning Vendor each quarter in order to continue processing cards. To remain in compliance, the quarterly scanning process must produce at least one “clean” scan per quarter, where a scan is deemed “clean” once every vulnerability rated medium risk or higher during scanning has been mitigated. The premise of the process is that a business has reached an acceptable level of risk when medium- and high-level vulnerabilities are regularly being fixed.

Unfortunately, new threats continually emerge and the number of breaches of card processing systems continues to escalate. In response, the PCI Council has increased the number of security controls a business must implement to secure credit card data, raising them to the most stringent standards to date. Recently, the Council released version 3.1 of the PCI Data Security Standard (DSS), its outline of security controls for businesses, which in turn informs the standards for the ASV community. As a result of this release, ASVs must raise their own standards accordingly. The intended result of ASVs adopting DSS 3.1 is better and more complete information for businesses during the scanning process, with more explicit guidance on how to fix identified vulnerabilities. This is a significant advantage for PCI clients, both in data security and in the level of control they have over their own destiny in the PCI realm, and for organizations like ours that assist PCI clients in hardening their systems into compliance.

Notably, the increased security of PCI systems and greater benefits to PCI clients have been accompanied by a significant reduction in the number of companies certified to perform vulnerability scans. The certification process is expensive, and the new PCI standards are becoming more and more challenging for organizations to meet. These factors have reduced the number of players on the field tenfold: not long ago the PCI Council listed more than a thousand ASVs on its web site, yet today there are just over 100 (https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors).

Throughout the certification process, enableIT leveraged its extensive penetration testing experience to build a scan solution that combines several of the best tools and reporting engines. Together with our expertise, this solution lets us identify vulnerabilities and give our clients the information they need to mitigate the relevant ones within their systems. We welcome the fact that the ASV group is getting smaller and the requirements to join are getting tougher: to answer the ever-increasing security threats in the industry, the bar must continue to be raised. We want our customers to have the best security, and raising the standards in the PCI testing realm helps everyone in the credit card industry better secure credit card data.

Highlights of certification requirements:

  1. An ASV must be able to detect numerous types of vulnerabilities on network devices and Windows and Linux servers. (Although many tools exist today to perform this task, no single scan engine can discover all of the known vulnerabilities on all systems. This is where our custom scan solution comes in.)
  2. The ASV must be able to do in-depth scanning of custom web applications. (Again, no single automatic web application scanner on the market discovers all known vulnerabilities. A custom scan solution is critical.)
  3. A successful scan solution will have to incorporate the results of multiple tools and include manual checks. (Expertise and experience are must-haves in this area.)
  4. The ASV must be able to report all the discovered vulnerabilities in a way that gives the customer clear and organized information about the vulnerabilities and how to mitigate them. (A custom reporting process combined with experience and expertise in client relations is essential.)
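As an added illustration of items 3 and 4 (example code, not enableIT's own scan solution), the following Python merges findings from two hypothetical scan engines into one record per host, port and issue, then applies the quarterly-scan rule described above: any finding rated medium or higher blocks a “clean” result. The engine names, hosts and findings are constructed, and the CVSS 4.0 cut-off for “medium” is taken from the PCI ASV Program Guide rather than from this page.

```python
from dataclasses import dataclass

# PCI ASV Program Guide: CVSS base score >= 4.0 ("medium" or higher) fails the component.
# The page says only "medium or higher"; the 4.0 mapping is assumed from the guide.
PCI_FAIL_THRESHOLD = 4.0

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    issue: str      # scanner's issue name; real feeds would carry a CVE or plugin id
    cvss: float
    sources: tuple  # every scan engine that reported this finding

def merge_findings(*tool_results):
    """One record per (host, port, issue): highest CVSS seen, all reporting engines (item 3)."""
    merged = {}
    for findings in tool_results:
        for f in findings:
            key = (f.host, f.port, f.issue)
            prev = merged.get(key)
            if prev is None:
                merged[key] = f
                continue
            new_sources = prev.sources + tuple(s for s in f.sources if s not in prev.sources)
            merged[key] = Finding(f.host, f.port, f.issue, max(prev.cvss, f.cvss), new_sources)
    return sorted(merged.values(), key=lambda f: (f.host, f.port, f.issue))

def pci_status(findings, in_scope_hosts):
    """Per-host PASS/FAIL for the quarter plus the findings that block a clean scan (item 4)."""
    status = {h: "PASS" for h in in_scope_hosts}
    failing = [f for f in findings if f.cvss >= PCI_FAIL_THRESHOLD]
    for f in failing:
        status[f.host] = "FAIL"
    return status, failing

# Constructed sample output from two hypothetical engines (RFC 5737 documentation addresses).
ENGINE_A = [
    Finding("203.0.113.10", 443, "TLS 1.0 enabled", 4.3, ("engine-a",)),
    Finding("203.0.113.10", 22, "SSH weak MAC algorithms", 2.6, ("engine-a",)),
]
ENGINE_B = [
    Finding("203.0.113.10", 443, "TLS 1.0 enabled", 4.0, ("engine-b",)),  # same issue, lower score
    Finding("203.0.113.11", 80, "Server version disclosed", 0.0, ("engine-b",)),
]

if __name__ == "__main__":
    status, failing = pci_status(merge_findings(ENGINE_A, ENGINE_B), ["203.0.113.10", "203.0.113.11"])
    print(status, [f"{f.host}:{f.port} {f.issue} ({', '.join(f.sources)})" for f in failing])
```

The low-scoring SSH and banner findings still appear in the merged report for remediation tracking, but only the TLS finding keeps the host from a clean quarter.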

enableIT is excited about its PCI certification and credits a great working group for its outstanding efforts in this regard. We look forward to continuing to provide added value to our customers and to improving PCI security with our contributions in the field.

Fabrice Mouret