Open Mobile Menu


Optimize Your Organization’s PCI ASV Scanning Procedures

Views: 610

Written By: Mike Morrison April 12, 2019

Merchants and Service Providers with exposure to the Payment Card Industry (PCI) Data Security Standards (DSS) can ensure compliance and get the most out of their Approved Scanning Vendor (ASV) engagements by optimizing their organization’s ASV processes. The PCI DSS requires that an ASV perform vulnerability scans and attest to clean vulnerability scans at least quarterly for all in-scope externally accessible PCI system components, as well as any externally accessible system components that may provide access to the cardholder data environment (CDE).

In general, the ASV scanning process is a set of phases that include scoping, scanning, reporting, remediation, dispute resolution, rescanning, and final reporting. However, if an organization is just starting the ASV process, or is looking to improve their processes, the first step to the ASV scanning process would be to evaluate the available ASVs that are registered on the PCI Security Standards Council’s (SSC) website.

Choosing an ASV

As of December 2018, there are about 49 US-based ASV companies listed on the PCI SSC website.  To narrow down the choices, Merchants and Service Providers should consider the experience, availability, and response time of ASV technicians. Some ASV companies have processes which mean it can take longer to receive responses, or a tiered support that makes it difficult to get questions to experienced technicians, while others give you direct access to teams of ASV professionals.

Making adjustments to IP addresses or scans during maintenance windows, having professionals available that can research and understand vulnerabilities and false positive requests, and ensuring someone is available when an attestation is due can be big benefits to choosing an ASV company that provides direct access to ASV professionals. On an ongoing basis, it is also important to ensure the ASV company’s registration with the PCI SSC is valid and is renewed annually.


Appropriately scoping your PCI environment for the ASV is critical to achieving and maintaining compliance for external vulnerability scans. In the most recent PCI All Assessor meeting, the PCI SSC highlighted that they have seen many ASV scans that attest to covering all in-scope components, but are actually missing many needed components.

This can happen by improperly segmenting a network, improperly determining the scope of systems that must meet PCI requirements, or by not scanning all system components by not including all fully qualified domain names (FQDNs).

The PCI ASV Program Guide assigns Merchants and Service Providers the responsibilities of providing the ASV company all domain names and IPs, and where applicable implementing appropriate network segmentation. If segmentation is in use, avoid scoping errors by ensuring that the environments are segmented properly with the assistance of penetration tests, which are also required by the PCI DSS. 

If an organization is not sure of their scope, or if the resources to determine scope are not available, assistance should be sought to perform a proper discovery scan and review of the PCI environment to ensure all in-scope components are included in the ASV scans.


When performing scans, it is critical that all security scanning activity is allowed through active protections systems, such as intrusion protection systems to allow the scans to complete accurately and without interference.

All applicable security patches should be applied prior to the scan and the performance of all systems should be monitored throughout the scanning process to reduce the need for rescanning, to further ensure that disruptions are minimized, and ensure the scan results are accurate.

Scan as slowly as possible (when possible) to get the best results out of most scanning tools. Coordination with Internet Service Providers or hosting providers may also be necessary if there is any potential that the scanning will cause disruptions, or if there are any hosted active protection systems that may block or modify scan traffic. 

Reporting, Remediation, and Dispute Resolution

All ASV scans will result in an overall status of pass or fail.  However, organizations have the ability to contest any failing findings that they consider false positives. When submitting false positive evidence to ASVs for approval, be sure to include as much detail as possible about the configuration or compensating control that makes the finding invalid. Once all false positives have been approved and all vulnerabilities have been remediated, a passing report may be generated. If any valid findings are discovered, rescans must occur until all identified vulnerabilities are remediated.

By choosing the right partner for ASV scanning, and reviewing each phase of the ASV process to understand what is required to achieve passing results, organizations can better prepare for their quarterly external scans and reduce the need for rescans and remediation work.  AppSec Consulting is an Approved Scanning Vendor with a team of professional ASV technicians who have advanced security experience that includes PCI compliance and vulnerability management.

Mike Morrison

Mike is a Senior Consultant with over 23 years of experience in Information Technology, including 14 years in Security. Prior to transitioning to Security his experiences included system, storage, and database administration, web application development, software quality assurance, technical support, and technical training. Mike’s certifications over the years include PECB ISO 27001 Lead Implementer, PCI QSA and ASV, various SANS certifications including GSEC and GCFA, and mile2’s Certified Penetration Testing Specialist. For nearly 10 years he served as the primary assessor for PCI environments at a four-campus state University system and hospital, helping hundreds of merchants achieve PCI compliance. He also developed and maintained the University’s vulnerability management program, performed web application, network, and system assessments, and advised hundreds of departments on their security needs. For the last several years Mike has lead or assisted in mission-critical information and physical security projects in the financial, insurance, healthcare, higher education, retail, and manufacturing spaces. Mike has experience with PCI, EU Privacy Shield, GDPR, ISO27k, NIST 800-53, Cybersecurity Framework, HIPAA, FERPA, various physical security regulations, and other state, national, and international requirements for assessing the controls that assure the confidentiality, integrity, and availability of organizational assets.  
Prior to joining AppSec Consulting, Mike delivered security consulting services for manufacturers and suppliers domestically and overseas in China and Taiwan. Mike has a wide breadth of experience in the industry. His experience extends to numerous industry verticals, to include: healthcare, financial, education, retail, software development, manufacturing, telecommunications, web hosting, data center management, state and local government, and credit card services.  
Mike is currently responsible for performing PCI DSS assessments and audits, PCI ASV services, IT risk assessments, privacy assessments, policy and procedure development, and assisting clients with the development of sustainment programs.

read more articles by Mike Morrison