Approved Scanning Vendor (ASV)™ Qualification

The Approved Scanning Vendor (ASV) training program, for staff and security personnel of Approved Scanning Vendor companies, covers the Payment Card Industry, Payment Card Industry Data Security Standards requirements, and scan testing procedures. With the knowledge gained in this training, staff will be better equipped to serve their customers in ensuring the quality of scan outputs and providing reports that are complete and accurate.

Upon completing this training, you’ll be able to perform external vulnerability scans, submit the appropriate scan report, and maintain internal quality assurance for scanning efforts.

Course Highlights

This self-paced online eLearning training program covers:

  • PCI DSS Program Overview: Outlines the PCI DSS lifecycle and the 12 requirements of PCI DSS.
  • Payment Industry Terminology and Relationships: Provides an overview of the payment industry terminology, key service provider relationships and the transaction flows associated with various payment industry processes.
  • Compliance Validation, Requirements and Process: Outlines merchant and service provider levels, and validation and reporting requirements for merchant levels and service providers by payment brands.
  • Roles and Responsibilities, ASV Overview and Quality Assurance: Discusses roles and responsibilities, and covers aspects of external vulnerability scanning, such as overview of the scan process, scoping an ASV scan, the ASV scan solution, scan reporting, and quality assurance.
  • General Requirements for Scanning: Reviews contracting, scope for ASV scans, procedures for scan customers and ASVs, and the characteristics of scan solutions.
  • Scan Reporting: Examines scan report contents, reading and interpreting reports, vulnerability reporting, and the Common Vulnerability Scoring System or CVSS.
  • Scanning Vendor Testing and Approval Process: Details the testing and approval process for ASV companies.
  • The online course is a self-paced five (5) hour course. Following the completion of the course, trainees will take a 75 question multiple choice exam.
  • Five (5) Continuing Professional Education (CPE) hours are granted for completion of the course along with a 12 month certification.

Right for You?

You are employed by an Approved Scanning Vendor company, and assess and validate scanning requirements for PCI DSS compliance. Typical applicants include Information Security Analysts, Specialists, Consultants, Advisors, or Engineers.

Prices

  • New ASV Training (eLearning only): $1,350 USD
  • Requalification ASV Training: $1,350 USD
  • New ASV Exam Retake fee via Pearson VUE: $185 USD
  • Training class change fee: $185 USD

Please note: Unless otherwise specified, all fees are in US Dollars. An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer.

Payment is required prior to beginning the course. Course conducted in English. Examination delivered in English.

Your organization must be an ASV company to register candidates for ASV training.

How to Prepare for the Exam

Prior to the training class, you should familiarize yourself with these publications on the PCI website:

  • PCI Glossary
  • PCI DSS
  • PCI DSS Validation Requirements for Approved Scanning Vendors
  • PCI Approved Scanning Vendors Program Guide

Training Formats/Exam Information

New Training Offerings:

  • eLearning: Self-paced computer-based training (CBT)

New Exam Specifics:

  • All exams are closed book.
  • Exam is 75 multiple choice questions with a 90-minute time limit.
  • Results of Pearson VUE exams are delivered upon completion of the exam.
  • 75% or higher to pass the exam; the only information that can be released concerning exams is your grade.
  • If you fail the exam, you are allowed one retake (within 30 days of failure notice) for a fee.

Registration Process

PCI SSC currently qualifies only individuals who work for qualified ASV Companies. Candidates must be a full-time employee of an ASV Company in order to register for ASV Training and qualify as an ASV Employee. All training inquiries and assignments must be submitted through the ASV Company’s primary contact.

Please see the Qualification Requirements for Approved Scanning Vendors for more details. 

Applicants supply a resume reflecting these minimum requirements:

  • Possess a minimum of three (3) years of information security experience as follows:
    • A minimum of one (1) year in vulnerability scanning and/or penetration testing;
    • At least two (2) years in any two of the following areas of expertise, with a minimum of one year in each discipline: Network security, Application security, System security, IT security auditing, IT security risk assessment
  • Possess ONE of the following:
    • A current industry-recognized security certification: CISA, CISM, CISSP
    OR
    • An additional two (2) years experience in at least two of the following areas of expertise, with a minimum of one year in each discipline: Network security, Application security, System security, IT security auditing, IT security risk assessment

Requalification Requirements

In order to maintain the high standards set for this certification, all ASV employees must re-certify every 12 months in order to continue as an ASV for their company.


Requalification specifics:

  • Approved assessors are allowed to register for requalification training as early as 90 days prior to their expiration date. Once registered, they will receive immediate access to the eLearning training.
  • Registration must be submitted no later than the candidate’s expiration date.
  • Exam access is given no earlier than four (4) weeks prior to the expiration date, and only once the invoice is paid.
  • An Assessor who is not registered for requalification training before midnight Eastern Time on their qualification expiration date, or who does not achieve a passing score on the exam by the end of their qualification period, will be required to re-enroll as a new candidate.


Requalification exam:

  • Non-proctored remote exam
  • 60 multiple choice questions with a 75-minute time limit.
  • 75% or higher to pass the exam; the only information that can be released concerning exams is the grade.
  • If you fail the exam, please have the primary contact email administration@pcisecuritystandards.org for the next steps.

Information related to the approach and scope was most useful – plus the case studies were very good and helped develop practical insight.

The ASV training course was very useful, especially the study of SCORE CVSS vectors and their direct involvement with PCI DSS.