Resource Guide: Vulnerability Scans and Approved Scanning Vendors

The Payment Card Industry Data Security Standard (PCI DSS) has long required external vulnerability scans performed by Approved Scanning Vendors (ASVs). These requirements were already present in earlier versions of some Self-Assessment Questionnaires (SAQs). With the introduction of PCI DSS v4.x, the requirements for external vulnerability scans conducted by an ASV were added to SAQ A to address the increasing rate of common breaches targeting merchant environments assessed under SAQ A.

This new detailed guide is intended to help anyone looking for information about ASV scans, with a particular focus on SAQ A merchants as they implement PCI DSS Requirement 11.3.2 for the first time.

The ASV scan requirements in SAQ A apply specifically to e-commerce merchant framework(s) that manage the webpage that either 1) redirects payment transactions to a PCI DSS compliant third-party service provider (TPSP) or 2) contains an embedded payment page/form from a PCI DSS compliant TPSP. The goal is for merchants to reduce the likelihood of compromise by scanning for and remediating identified vulnerabilities that could expose their connection to the TPSP's payment page.

In this comprehensive resource guide, the PCI Security Standards Council shares key considerations, educational materials, and frequently asked questions to support a better understanding of PCI DSS Requirement 11.3.2, which requires evidence of passing external scans, conducted by an ASV, at least once every quarter.
