The PCI Security Standards Council maintains a structured process for security solution providers to become Approved Scanning Vendors (ASVs), as well as to be re-approved each year. The five founding members of the Council recognize the ASVs certified by the PCI Security Standards Council as being qualified to validate adherence to the PCI DSS by performing vulnerability scans of Internet facing environments of merchants and service providers.
The major requirement of the process is a rigorous remote test conducted by each vendor on the PCI Security Standards Council's test infrastructure, which simulates the network of a typical security scan customer. The Council has set up the test infrastructure in such a way as to deliberately introduce vulnerabilities and misconfigurations for the vendor to identify and report as part of the compliance testing process.
The testing primarily addresses these areas:
When a vendor has successfully passed the testing process, it becomes an ASV and is listed on the PCI Security Standards Council Web site. To ensure ongoing compliance with program requirements, all ASVs are subject to an annual recertification process.
Step 1 - Registration
A prospective ASV must first review the Approved Scanning Vendors (ASVs) Program Guide and then register for the testing process and provide administrative information and technical details by submitting an attestation of compliance adhering to the Qualification Requirements for Approved Scanning Vendors (ASVs) v2.1.
The Council reviews each application for completeness and appropriateness, and then, if the vendor and solution are determined eligible for testing, notifies the vendor that the application is accepted, and sends an invoice for applicable fees. Upon payment, the prospective ASV is given a provisional test date.
Step 2 - Test Preparation
The prospective ASV must return the signed Test Agreement, provide details on its customer scan administration process, and pay the test fees upon receipt of the invoice. Upon receipt of the signed Test Agreement and payment, the Council will confirm the test date and provide necessary details about the test infrastructure, including a link to training materials on the Council's Web site.
Before the scanning test itself, to ensure that the process is as rigorous as a "real-life" scan, a Council representative will test the prospective ASV's ability to ascertain the scope of scanning via a telephone conversation simulating a client engagement. A similar conversation will take place after the test as well.
Step 3 - Testing
For the actual test, each applicant runs its test tool(s) against the Council's test Web perimeter and submits its results. After remotely scanning the test infrastructure, the vendor must identify the vulnerabilities and misconfigurations found, and report its findings in both executive and detailed test reports. The Council's representative will hold a second debriefing conversation with the applicant following the report's submission.
Step 4 - Compliance Assessment
The PCI Security Standards Council's representative will review and evaluate the vendor's test performance and reports. If an applicant is approved, the vendor's information is added to the list of ASVs on the Council's Web site. Annually thereafter, a Council representative will invite the vendor to participate in re-certification testing, which will follow the steps listed above. An annual fee applies to firms continuing in the program.
If an applicant is denied, re-testing is permitted, upon payment of a re-testing fee. Applicants who are denied three times may not be permitted to test again or may be subject to a waiting period. Denied applicants receive information about their test shortcomings, and are urged to remedy these before attempting a retest.