I will give Hoyt Ketterson the credit for my question to the Council in the Assessor Session at the end of the 2022 North American PCI Community Meeting in Toronto.
There I was, just minding my own business with a list of questions I wanted to ask the Council. Hoyt asked about compensating control worksheets (CCW) and used an example of a merchant that had missed one Approved Scanning Vendor (ASV) scan that caused him to create a CCW for that issue. That triggered a flashback to a client I had dealt with a couple of months earlier who had 12 monthly external scanning reports from an ASV, but due to an information security employee leaving, they only had two “ASV Certified Scans” because they forgot to click on the scanning portal site to make the other two quarterly scans “ASV Certified”. So much for those other questions on my list.
Before discussing my question and the rationale behind it, a quick bit of history as to how we got the ASV program in the first place.
Back before we had the PCI SSC, we had the various Card Brand compliance programs, Mastercard had their Site Data Protection (SDP) program that focused on eCommerce site security. [That program still exists by the way, but now it supplements the PCI DSS.] Part of that program was that Mastercard operated a security lab in the EU that prospective ASV organizations were required to scan against and produce a report of all of the vulnerabilities they found. Representatives of Mastercard would review those scanning results and would certify the organization to be an ASV if they passed the test.
Back then, consulting firms that were Qualified Security Assessor Companies (QSAC) were typically an ASV as well [You do NOT want a client going elsewhere for services you can also provide.] and were using tools like Internet Security Scanner and Nessus to conduct scans. The process to get vulnerability scans run was a very manual and, at times, a time-consuming process. It was an art form to properly configure these tools to get accurate results. This is why Mastercard set up a testing lab to insure that ASVs were providing accurate results. ASVs were required to test against the Lab and recertify annually to ensure that their scans are accurate. [Today, that still occurs but the vendor instructs all ASVs how to properly configure their specific scanner to pass the PCI SSC scanning testing.]
With that background, here is my question.
“What is the point of the ASV program today?”, I asked the round table participants.
Fast forward to today and now most ASVs are just rebranding and reselling ASV portals from Qualys, Tenable and Rapid7. Which obviously leads to my question given where we are today and the rationale for my question.
- The ASV of today is nothing like the ASV of yesteryear from when things started with Mastercard’s SDP program. The process is hardly manual and is totally automated.
- A person no longer manually configures, initiates or monitors the scanning process. In 99% of cases, the only time an ASV is involved is if the merchant or service provider needs to discuss false positive results and to have them removed from the report.
- ASV scanning today uses the same scanner and settings. The only thing that makes an ASV scan an “ASV Certified Scan” is that the end user typically clicks on a button or check box to make it such.
- The assessed entity is the one that initiates the scans, not the ASV. Which really makes you wonder about the requirement for ensuring that the person running the scan is qualified. What qualifications does anyone need to click a button to start a preset, preconfigured scan?
- Now a days, vulnerability scans are scheduled so no human being initiates a scan. Which makes you wonder why someone has to check a box or click a button to initiate an ASV Certified Scan. Why is that also not automated?
- 99% of ASVs use a portal operated by one of known vulnerability scanner vendors. Unlike the good old days when each ASV configured and operated one of many vulnerability scanners. This can lead to some frustration with the ASVs that are not also the vendor of the scanner. I have been personally involved in situations where the vendor makes a change to their scanner and while they pass their ASV test, my organization did not. Thus forcing me to work with the vendor (also an ASV competitor) to tweak the configuration of their scanner so that my organization can also pass.
The bottom line is that the current ASV scanning process is nothing like the processes that began the ASV certification process almost 20 years ago.
The Council has agreed that further discussion on the subject is needed to understand today’s external vulnerability scanning processes and has promised to initiate those discussions. So stay tuned as change may be coming.
PCI Guru 