thePCI Portal

What should be included in ASV scans?

ASV Program Guide v3.1 (July 2018)

5.5 ASV Scan Scope Definition
For the purpose of ASV scanning, the PCI DSS requires quarterly vulnerability scanning of all externally accessible (Internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment (CDE), as well as any externally facing system component that may provide access to the CDE.
In addition to providing the ASV with all external-facing IP addresses, the scan customer must also supply all fully qualified domain names (FQDN) and other unique entryways into system components for the entire in-scope infrastructure including, but not limited to:

      • Domains for web servers
      • Domains for mail servers
      • Domains used in name-based virtual hosting
      • Web server URLs to “hidden” directories that cannot be reached by crawling the website from the home page
      • Any other public-facing hosts, virtual hosts, domains or domain aliases

The scan customer must define and attest to its scan scope prior to the ASV finalizing the scan report. The scan customer is ultimately responsible for defining the appropriate scope of the external vulnerability scan and must provide all Internet-facing components, IP addresses and/or ranges to the ASV. If an account data compromise occurs via an externally-facing system component not included in the scan scope, the scan customer is responsible.
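As an added illustration (not part of the ASV Program Guide or the PCI Portal page), the following Python check reconciles a constructed scope submission against the rules above: it flags any supplied FQDN that resolves outside the declared IP ranges (the gap that leaves the scan customer responsible for a compromise), lists names that could not be resolved, and groups names sharing one IP so every name-based virtual host domain is supplied to the ASV. The `STATIC_DNS` map is a constructed stand-in for real DNS resolution so the check runs offline.

```python
import ipaddress

# Constructed sample scope submission (not real customer data).
DECLARED_RANGES = ["203.0.113.0/28", "198.51.100.10/32"]
DECLARED_FQDNS = [
    "www.example-merchant.test",
    "mail.example-merchant.test",
    "shop.example-merchant.test",     # name-based vhost on the same IP as www
    "legacy.example-merchant.test",   # resolves outside the declared ranges
    "old-cdn.example-merchant.test",  # no DNS answer at all
]

# Constructed stand-in for resolver output; in practice each name should be
# resolved with a resolver that sees the same answers the Internet does.
STATIC_DNS = {
    "www.example-merchant.test": "203.0.113.5",
    "mail.example-merchant.test": "198.51.100.10",
    "shop.example-merchant.test": "203.0.113.5",
    "legacy.example-merchant.test": "192.0.2.77",
}


def reconcile_scope(ranges, fqdns, resolver):
    """Compare supplied FQDNs with declared IP ranges.

    Returns a dict with:
      out_of_scope  - names whose address is in no declared range
      unresolved    - names the resolver returned nothing for
      virtual_hosts - IP -> names, for IPs that serve more than one name
    """
    nets = [ipaddress.ip_network(r) for r in ranges]
    out_of_scope, unresolved, by_ip = [], [], {}
    for name in fqdns:
        addr = resolver.get(name)
        if addr is None:
            unresolved.append(name)  # still in scope if it is reachable
            continue
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            out_of_scope.append(name)
        by_ip.setdefault(str(ip), []).append(name)
    virtual_hosts = {ip: names for ip, names in by_ip.items() if len(names) > 1}
    return {"out_of_scope": out_of_scope,
            "unresolved": unresolved,
            "virtual_hosts": virtual_hosts}


if __name__ == "__main__":
    for key, value in reconcile_scope(DECLARED_RANGES, DECLARED_FQDNS, STATIC_DNS).items():
        print(f"{key}: {value}")
```

Any name in `out_of_scope` means either the range list or the FQDN list is wrong and must be corrected before the scope attestation is signed.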

Note: The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment (CDE). The CDE is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications.

Examples of system components include but are not limited to the following:

      • Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of the CDE (for example, name-resolution or web-redirection servers).
      • Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
      • Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
      • Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
      • Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
      • Any other component or device located within or connected to the CDE.
