01 Jun 18

ASV Program Modernization Effort

Here is a good one and not the first time this has happened.

According to the PCI SSC’s news release, one or possibly more Approved Scanning Vendors (ASV) have apparently been actively promoting an ‘ASV Program Modernization Effort’.  I have no idea what they would be “modernizing”, but apparently some ASVs think there needs to be modernization of the ASV program.

The bottom line from the Council is that this discussion of a modernization effort is not endorsed by the Council nor is the Council involved in these discussions.  As they stated in bold in the release:

“However, PCI SSC is not a participant in, and in no way endorses, is affiliated with, sponsors, or has contributed to the above-noted “ASV Program Modernization Effort.”

I am betting the ASVs involved in this effort are wishing they were not involved.  The PCI SSC Code of Conduct and the program contracts clearly state that such efforts are not allowed and can result in remediation and even termination of an ASV from the PCI program.

The lesson to be learned here is that if you are an ASV, QSAC, PA-QSAC or in any way affiliated with the PCI Council through one of their programs, and you are approached about the ‘ASV Program Modernization Effort’, be polite but ignore it.


6 Responses to “ASV Program Modernization Effort”


  1. Seth Rich
    June 5, 2018 at 11:30 AM

    @PCIGuru, can you qualify, with PCI SSC references, your statement “It clearly states in the various PCI program guides and contracts that such efforts are not allowed and can result in remediation and even termination of an ASV from the PCI program.” Thanks!

    • June 5, 2018 at 1:53 PM

      I cannot provide anything in the contracts because I do not have access to those. Only the PCI Key Contact for your organization has access to those contracts.

      As someone else pointed out to me, it is actually in the Code Of Conduct published by the PCI SSC where they call out their ability to sanction people for inappropriate conduct.

  2. mrk82
    June 1, 2018 at 2:46 PM

    Take a look into the content of this book. Personally, I found it very handy for resolving PCI DSS implementation issues. I hope newcomers will gain some serious information from that book; it is worth buying.

    https://www.amazon.com/PCI-DSS-3-2-Comprehensive-Understanding/dp/1984381938

  3. John Roland
    June 1, 2018 at 8:35 AM

    Thank you for raising awareness of this.


  4. June 1, 2018 at 8:17 AM

    There is merit in revisiting the ASV Program Guide and creating an actual ASV Testing Standard.
    Like QSAs, no two ASVs are the same. I use two different ASV scanners/attestation services and I consistently get different results. I actually use a third ASV scanner but I don’t use their attestation services. I consistently get a PCI fail on any given test from one scanner, but the others give me a pass. Go figure.


    • June 2, 2018 at 7:23 AM

      Most ASVs use Qualys for their vulnerability scanning. Qualys was the first one to provide a Web interface for the scheduling and running of scans, hence its wide use. Differences come from ASVs that set their Qualys configurations differently from Qualys’ recommendations, as well as ASVs that use a different scanning engine such as Tenable, IP360 or any other scanner. This is no different than if you used different scanners in-house, a practice I have always recommended just to keep scanning vendors honest.

