Secure Payments, PCI DSS, Regulatory Compliance Blog

Technical and Operational Requirements for Approved Scanning Vendors

November 2nd, 2007 by chitchcock Posted in Approved Scanning Vendor, Database, PCI DSS, Web Applications

For some reason, I’ve run into an inordinate number of questions this week regarding vulnerabilities that weren’t addressed directly in the PCI-DSS — or at least only addressed in a cursory fashion. The document that contains many of these gems is one that most may gloss over; the Technical and Operational Requirements for Approved Scanning Vendors.

Some specific entries of note:

On IDS/IPSs:

Under no circumstance should an intrusion detection system/intrusion prevention system (IDS/IPS) be permitted to interfere with the results of a vulnerability assessment.

On unsupported software:

The ASV must report and determine as non-compliant any identified obsolete software (for example, application software or operating systems (OSs) no longer supported by the respective manufacturers).

On CVSS:

Generally, to be considered compliant, a component must not contain any vulnerability that has been assigned a CVSS base score equal to or higher than 4.0.

On web-application vulnerabilities:

The presence of application vulnerabilities on a component that may lead to SQL injection attacks and cross-site scripting flaws must result in a non-compliant status for that component.

On denial-of-service:

Vulnerabilities or mis-configurations that may lead to DoS should not be taken into consideration by the ASV when determining component compliance.

The quarterly perimeter scan is only a small part of PCI compliance, but it’s rife with idiosyncrasies and requirements for all parties involved.
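As an added illustration (not code from the original post), here is a small Python triage routine that applies the ASV pass/fail rules quoted above to a constructed list of scan findings: SQL injection, XSS and unsupported software fail regardless of score, DoS-only findings are excluded from the decision, and everything else fails at a CVSS base score of 4.0 or higher. The `Finding` fields and category labels are this example's own assumptions, not part of the ASV document.

```python
from dataclasses import dataclass, field

# CVSS base-score threshold quoted from the ASV requirements above.
CVSS_FAIL_THRESHOLD = 4.0


@dataclass
class Finding:
    """One scan result for a component; field names are this example's own."""
    host: str
    title: str
    cvss_base: float
    # Assumed category tags: "sqli", "xss", "dos", "obsolete".
    categories: frozenset = field(default_factory=frozenset)


def finding_fails(f: Finding) -> tuple[bool, str]:
    """Return (non_compliant, reason) for one finding under the ASV rules."""
    # Automatic failures regardless of score: injection/XSS and obsolete software.
    if f.categories & {"sqli", "xss"}:
        return True, "SQL injection / XSS is always non-compliant"
    if "obsolete" in f.categories:
        return True, "unsupported software is always non-compliant"
    # A finding whose only impact is DoS is not considered, whatever its score.
    if f.categories == {"dos"}:
        return False, "DoS-only finding not considered"
    if f.cvss_base >= CVSS_FAIL_THRESHOLD:
        return True, f"CVSS base {f.cvss_base} >= {CVSS_FAIL_THRESHOLD}"
    return False, "below threshold"


def component_status(findings):
    """Map each host to PASS/FAIL plus the reasons that drove a FAIL."""
    status = {}
    for f in findings:
        fails, reason = finding_fails(f)
        entry = status.setdefault(f.host, {"status": "PASS", "reasons": []})
        if fails:
            entry["status"] = "FAIL"
            entry["reasons"].append(f"{f.title}: {reason}")
    return status


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("web-01", "Reflected XSS in search form", 2.6, frozenset({"xss"})),
    Finding("web-02", "SYN flood resource exhaustion", 7.8, frozenset({"dos"})),
    Finding("web-03", "Server banner disclosure", 2.1),
    Finding("web-04", "Weak cipher suites enabled", 5.0),
]

if __name__ == "__main__":
    for host, entry in component_status(SAMPLE).items():
        print(host, entry["status"], "; ".join(entry["reasons"]))
```

Note that the web-01 XSS fails despite its low score while the web-02 DoS finding passes despite its high one, which is exactly the pair of exceptions the quoted rules carve out.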

3 Responses to “Technical and Operational Requirements for Approved Scanning Vendors”

By Maxim Emm on Jan 16, 2008

Hmm.
Does anyone know whether it is required to calculate the Environmental Score or Temporal Score to get the Overall CVSS Score (according to CVSS v2)?

A vulnerability's CVSS Base score could be >4, but the Overall Score could vary based on the Environmental Score or Temporal Score …

By Biju on Apr 8, 2008

There are a few exceptions to the CVSS 4 rule, like “Cross-site scripting, SSL vulnerabilities”, which are a fail.

1 Trackback(s)

Nov 19, 2007: ICMPECHO » Blog Archive » Follow-up: The PCI Data Security Standard
