PCI Security Standards Council®

Approved Scanning Vendor (ASV)™ Qualification

The Approved Scanning Vendor (ASV)™ training program, for staff and security personnel of Approved Scanning Vendor companies, consists of an in-depth eight-hour online course and exam covering the Payment Card Industry, Payment Card Industry Data Security Standards requirements and scan testing procedures. With the knowledge gained in this training, staff will be better equipped to serve their customers in ensuring the quality of scan outputs and providing reports that are complete and accurate.

Upon completing this course, you’ll be able to perform external vulnerability scans, submit the appropriate scan report, and maintain internal quality assurance for scanning efforts.

Become Qualified

Right for you if…

You are employed by an Approved Scanning Vendor company, and assess and validate scanning requirements for PCI DSS compliance. Typical applicants include Information Security Analysts, Specialists, Consultants, Advisors, or Engineers.

Course Details

Course Description

This eight-hour online eLearning training program offers:

  • PCI DSS Program Overview
    Outlines the PCI DSS lifecycle and the 12 requirements of PCI DSS.
  • Payment Industry Terminology and Relationships
    Provides an overview of the payment industry terminology, key service provider relationships and the transaction flows associated with various payment industry processes.
  • Compliance Validation, Requirements and Process
    Outlines merchant and service provider levels, and validation and reporting requirements for merchant levels and service providers by payment brands.
  • Roles and Responsibilities, ASV Overview and Quality Assurance
    Discusses roles and responsibilities, and covers aspects of external vulnerability scanning, such as overview of the scan process, scoping an ASV scan, the ASV scan solution, scan reporting, and quality assurance.
  • General Requirements for Scanning
    Reviews contracting, scope for ASV scans, procedures for scan customers and ASVs, and the characteristics of scan solutions.
  • Scan Reporting
    Examines scan report contents, reading and interpreting reports, vulnerability reporting, and the Common Vulnerability Scoring System or CVSS.
  • Scanning Vendor Testing and Approval Process
    Details the testing and approval process for ASV companies.

How to Prepare

Prior to the training class, you should familiarize yourself with these publications on the PCI website:

  • PCI Glossary
  • PCI DSS
  • PCI DSS Validation Requirements for Approved Scanning Vendors
  • PCI Approved Scanning Vendors Program Guide

Training and Exam

PCI ASV training is scheduled in two-week blocks, two times per month, from the 1st to the 14th and the 15th to the 28th. The last training course of the year is December 15-28; training resumes on February 1st. Registering for the training block provides attendees access to the content for the entire two-week period, during which the eight-hour course and exam can be completed at any time.

Attendees have access to the content for the entirety of the two-week block, but the exam must be completed before the two weeks expire. Attendees will no longer have access to training content after this period.

The primary contact at the ASV company will be notified two weeks after the ASV registers and takes the PCI ASV exam. Employees who fail may retake the training and exam upon payment of a re-test fee. For each attendee who passes the exam, the ASV Company will receive a certificate that validates the employee for the next 12 months.

Registration

PCI SSC currently qualifies only individuals who work for qualified ASV Companies. Candidates must be a full-time employee of an ASV Company in order to register for ASV Training and qualify as an ASV Employee. All training inquiries and assignments must be submitted through the ASV Company’s primary contact.

Please see the Qualification Requirements for Approved Scanning Vendors v2.1, December 2013 for more details. 

Applicants supply a resume reflecting these minimum requirements:

  • Possess a minimum of three (3) years of information security experience as follows:
    • A minimum of one (1) year in vulnerability scanning and/or penetration testing;
    • At least two (2) years in any two of the following areas of expertise, with a minimum of one year in each discipline: Network security, Application security, System security, IT security auditing, IT security risk assessment
  • Possess ONE of the following:
    • A current industry-recognized security certification: CISA, CISM, CISSP
    • OR
    • An additional two (2) years of experience in at least two of the following areas of expertise, with a minimum of one year in each discipline: Network security, Application security, System security, IT security auditing, IT security risk assessment

Requalification

Requalification is required annually via eLearning training and examination.

  • All training inquiries and assignments must be submitted through the ASV company's primary contact.
  • PCI SSC requires all training attendees to be full-time employees of a Validated ASV company.
  • Proof of information systems assessment training within the last 12 months to support professional certifications (even if the employee does not have professional certifications), of a minimum of 20 Continuing Professional Education (CPE) hours per year and 120 Continuing Professional Education (CPE) hours over the rolling three-year period.
    • Training provided by PCI SSC will count towards the annual CPE hours.
    • Click here for information on activities that qualify for CPE Hours.
  • Please submit all requalification requests to coordinator@pcisecuritystandards.org
  • Any requalification training request sent without the ASV's CPE hours for the past 12 months will not be processed.
  • All ASV Program training attendees will be required to sign and accept the terms of the PCI SSC ASV Employee Certification form at the time they begin the CBT training.
  • Payment of the training invoice must be received before login information will be created and sent to the primary contact.

Upcoming Courses

eLearning

Training is scheduled in two-week blocks, two times per month, from the 1st to the 14th and the 15th to the 28th, beginning February 1st.    

The fee is $1095 USD.
Requalification fee is $1095 USD.

Please note: Unless otherwise specified, all fees are in US Dollars. All course fees are NON-TRANSFERABLE and NON-REFUNDABLE. An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer. Payment is required prior to beginning the course. Course conducted in English. Examination delivered in English.
