Archive for the 'ASV' Category


I Just Could Not Keep My Mouth Shut

I will give Hoyt Ketterson the credit for my question to the Council in the Assessor Session at the end of the 2022 North American PCI Community Meeting in Toronto.

There I was, just minding my own business with a list of questions I wanted to ask the Council. Hoyt asked about compensating control worksheets (CCW) and used an example of a merchant that had missed one Approved Scanning Vendor (ASV) scan, which caused him to create a CCW for that issue. That triggered a flashback to a client I had dealt with a couple of months earlier who had 12 monthly external scanning reports from an ASV but, because an information security employee had left, only two “ASV Certified Scans”: they forgot to click the option on the scanning portal site that would have made the other two quarterly scans “ASV Certified”. So much for those other questions on my list.

Before discussing my question and the rationale behind it, a quick bit of history as to how we got the ASV program in the first place.

Back before we had the PCI SSC, we had the various Card Brand compliance programs. Mastercard had their Site Data Protection (SDP) program that focused on eCommerce site security. [That program still exists by the way, but now it supplements the PCI DSS.] Part of that program was that Mastercard operated a security lab in the EU that prospective ASV organizations were required to scan and produce a report of all of the vulnerabilities they found. Representatives of Mastercard would review those scanning results and would certify the organization as an ASV if it passed the test.

Back then, consulting firms that were Qualified Security Assessor Companies (QSAC) were typically an ASV as well [You do NOT want a client going elsewhere for services you can also provide.] and were using tools like Internet Security Scanner and Nessus to conduct scans. Getting vulnerability scans run was a very manual and, at times, time-consuming process. It was an art form to properly configure these tools to get accurate results. This is why Mastercard set up a testing lab to ensure that ASVs were providing accurate results. ASVs were required to test against the lab and recertify annually to ensure that their scans remained accurate. [Today, that still occurs, but the scanner vendor instructs all ASVs how to properly configure their specific scanner to pass the PCI SSC scanning test.]

With that background, here is my question.

“What is the point of the ASV program today?”, I asked the round table participants.

Fast forward to today, and most ASVs are simply rebranding and reselling ASV portals from Qualys, Tenable and Rapid7. That is what led to my question, and here is the rationale behind it.

  • The ASV of today is nothing like the ASV of yesteryear from when things started with Mastercard’s SDP program. The process is no longer manual; it is totally automated.
  • A person no longer manually configures, initiates or monitors the scanning process. In 99% of cases, the only time an ASV is involved is if the merchant or service provider needs to discuss false positive results and to have them removed from the report.
  • ASV scanning today uses the same scanner and settings. The only thing that makes an ASV scan an “ASV Certified Scan” is that the end user typically clicks on a button or check box to make it such.
  • The assessed entity is the one that initiates the scans, not the ASV. Which really makes you wonder about the requirement for ensuring that the person running the scan is qualified. What qualifications does anyone need to click a button to start a preset, preconfigured scan?
  • Nowadays, vulnerability scans are scheduled, so no human being initiates a scan. Which makes you wonder why someone has to check a box or click a button to initiate an ASV Certified Scan. Why is that not also automated?
  • 99% of ASVs use a portal operated by one of the known vulnerability scanner vendors, unlike the good old days when each ASV configured and operated one of many vulnerability scanners. This can lead to some frustration for the ASVs that are not also the vendor of the scanner. I have been personally involved in situations where the vendor makes a change to their scanner and, while they pass their ASV test, my organization did not. That forced me to work with the vendor (also an ASV competitor) to tweak the configuration of their scanner so that my organization could also pass.

The bottom line is that the current ASV scanning process is nothing like the processes that began the ASV certification process almost 20 years ago.

The Council has agreed that further discussion on the subject is needed to understand today’s external vulnerability scanning processes and has promised to initiate those discussions. So stay tuned as change may be coming.


The Final Draft Of PCI DSS v4 Is Available

The wait is over for participating organizations, QSACs and ASVs. The PCI SSC announced this morning that the final draft of PCI DSS v4 is available to the primary contacts of those organizations via the PCI Portal. The Council reiterated that the public release of PCI DSS v4 will be by the end of March 2022.

I guess I know where my weekend will be spent provided my primary contact downloads it today for me.

UPDATE: We really need to see the Report On Compliance (ROC) Reporting Template. There is some interesting stuff in the draft, but without the Reporting Template it is very hard to judge the impact the new version will have on assessments.


PCI Dream Team LIVE! Is Coming In October

The PCI Dream Team will be appearing LIVE at the (ISC)2 Security Congress in Orlando this Fall, Monday, October 18 through Wednesday, October 20, 2021. Our session is scheduled for Tuesday, October 19, at 11:45 AM ET / 1545 UTC.

While we will be live at the conference, you can also attend the conference and our session virtually. So other than training budget limitations, there is no good reason you cannot join us.

As usual, we will be taking questions live and via email at pcidreamteam AT gmail DOT com.  We also monitor Twitter if you use #pcidreamteam.

We are expecting our usual lively discussion of all topics PCI and other security standards if time allows.

We really are looking forward to physically seeing people at the conference.


ASV Program Modernization Effort

Here is a good one and not the first time this has happened.

According to the PCI SSC’s news release, one or possibly more Approved Scanning Vendors (ASV) have apparently been actively promoting an ‘ASV Program Modernization Effort’. I have no idea what they would be “modernizing”, but apparently some ASVs think there needs to be modernization of the ASV program.

The bottom line from the Council is that this discussion of a modernization effort is not endorsed by the Council nor is the Council involved in these discussions.  As they stated in bold in the release:

“However, PCI SSC is not a participant in, and in no way endorses, is affiliated with, sponsors, or has contributed to the above-noted ‘ASV Program Modernization Effort.’”

I am betting the ASVs involved in this effort are wishing they were not involved. The various Codes of Conduct and contracts clearly state that such efforts are not allowed and can result in remediation and even termination of an ASV from the PCI program.

The lesson to be learned here is that if you are an ASV, QSAC, PA-QSAC or in any way affiliated with the PCI Council through one of their programs, and you are approached about the ‘ASV Program Modernization Effort’, be polite but ignore it.
