The PCI Data Security Standard (PCI DSS) has always contained requirements for external vulnerability scans carried out by PCI Approved Scanning Vendors (ASVs). These requirements have also been included in previous versions of certain Self-Assessment Questionnaires (SAQs). In PCI DSS v4.x, requirements for external vulnerability scans performed by an ASV were added to SAQ A to combat prevalent breaches that are increasingly targeting SAQ A merchant environments.
This new resource guide is aimed at anyone seeking information on ASV scans, with a particular focus on SAQ A merchants, as they are fulfilling PCI DSS Requirement 11.3.2 for the first time.
The ASV scan requirements in SAQ A are limited to e-commerce merchant system(s) hosting the page that either 1) forwards payment transactions to a PCI DSS compliant third-party service provider (TPSP) or 2) contains an embedded payment page/form from a PCI DSS compliant TPSP. The objective is for merchants to reduce the risk of a breach by conducting scans and remediating identified vulnerabilities that could expose their connection to the TPSP’s payment page.
This guide by the PCI Security Standards Council presents essential considerations, educational materials, and frequently asked questions to help readers better understand PCI DSS Requirement 11.3.2, which mandates proof of successful external scans, conducted by an ASV, at least once every quarter.


