ASV Program Modernization Effort

Here is a good one and not the first time this has happened.

According to the PCI SSC’s news release, one or possibly more Approved Scanning Vendors (ASVs) have apparently been actively promoting an ‘ASV Program Modernization Effort’.  I have no idea what they would be “modernizing”, but apparently some ASVs think the ASV program needs it.

The bottom line from the Council is that this modernization effort is neither endorsed by the Council nor something the Council is involved in.  As they stated in bold in the release:

“However, PCI SSC is not a participant in, and in no way endorses, is affiliated with, sponsors, or has contributed to the above-noted “ASV Program Modernization Effort.”

I am betting the ASVs involved in this effort are wishing they were not.  The PCI SSC Code of Conduct and the program contracts clearly state that such efforts are not allowed and can result in remediation and even termination of an ASV from the PCI program.

The lesson to be learned here is that if you are an ASV, QSAC, PA-QSAC or in any way affiliated with the PCI Council through one of their programs, and you are approached about the ‘ASV Program Modernization Effort’, be polite but ignore it.


6 Responses to “ASV Program Modernization Effort”

  1. Seth Rich
    June 5, 2018 at 11:30 AM

    @PCIGuru, can you qualify, with PCI SSC references, your statement “It clearly states in the various PCI program guides and contracts that such efforts are not allowed and can result in remediation and even termination of an ASV from the PCI program.”? Thanks!

    • June 5, 2018 at 1:53 PM

      I cannot provide anything in the contracts because I do not have access to those. Only the PCI Key Contact for your organization has access to those contracts.

      As someone else pointed out to me, it is actually in the Code Of Conduct published by the PCI SSC where they call out their ability to sanction people for inappropriate conduct.

  2. mrk82
    June 1, 2018 at 2:46 PM

    Take a look at the content of this book. Personally, I found it very handy for resolving PCI DSS implementation issues. I hope newcomers will gain some serious information from that book; it is worth buying.


  3. John Roland
    June 1, 2018 at 8:35 AM

    Thank you for raising awareness of this.


  4. June 1, 2018 at 8:17 AM

    There is merit in revisiting the ASV Program Guide and creating an actual ASV Testing Standard.
    Like QSAs, no two ASVs are the same. I use two different ASV scanners/attestation services and I consistently get different results. I actually use a third ASV scanner but I don’t use their attestation services. I consistently get a PCI fail on any given test from one scanner, but the others give me a pass. Go figure.


    • June 2, 2018 at 7:23 AM

      Most ASVs use Qualys for their vulnerability scanning. Qualys was the first one to provide a Web interface for the scheduling and running of scans, hence its wide use. Differences come from ASVs that set their Qualys configurations differently from Qualys’ recommendations, as well as from ASVs that use a different scanning engine such as Tenable, IP360 or any other scanner. No different from if you used different scanners in-house, a practice I have always recommended just to keep scanning vendors honest.


June 2018
