If you are working for a security consulting company, having your company certified as an Approved Scanning Vendor (ASV) for the Payment Card Industry Data Security Standard (PCI DSS) can add a lucrative new area to your business.
PCI is a worldwide standard that requires companies who accept or process credit cards to comply with certain security standards. One of these requirements is an annual, external vulnerability scan from an authorized scanning vendor, a so-called ASV.
In this blog post, I'd like to walk you through the three steps of becoming an ASV.
Step 1 - Paperwork
To be recognized as an ASV by PCI SSC, the ASV's scanning solution must meet or exceed the requirements described in the Validation Requirements. The candidate ASV must execute the PCI ASV Compliance Test Agreement, attached as Appendix A, with PCI SSC.
The Council reviews each application for completeness and appropriateness, and then, if the vendor and solution are determined eligible for testing, notifies the vendor that the application is accepted, and sends an invoice for applicable fees. You can send this application to firstname.lastname@example.org.
Step 2 - Certify Your Employees
Once the ASV candidate company is administratively validated, the second step of the certification process could begin. PCIco requires that at least two of the ASV employees get qualified as Qualified ASV Employee (QAE - note: not an official acronym).
This qualification consists in an online training of 7 modules (237 slides) about everything one could ever know about PCI. Candidates have 14 days to take the course and associated test (60 questions).
- PCI DSS Program Overview
- Payment Industry Terminology and Relationships
- Compliance Validation, Requirements and Process
- Roles and Responsibilities, ASV Overview and Quality Assurance
- General Requirements for Scanning
- Scan Reporting
- Scanning Vendor Testing and Approval Process
Candidates must be full-time employees and own an industry-recognized security certification(s) (CISSP, CISA or CISM) 1 year of information security experience OR a minimum of five (5) years of relevant information security equivalent work experience. Payment is required prior to the course. The fee is $995 USD per candidate. You can find more info on the PCI ASV training page.
QAE candidatures are submitted to PCIco validation through the ASV portal. A resume is requested for each candidate as well as the selection of a two-week training block. This operation is performed by the primary contact. Once validated candidates receive access to the content of the CBT platform for the two-week block they are registered to. The exam must be completed before the two weeks expiration.
Successful employees are qualified for one year. Employees who fail may retake the training and exam, upon payment of a re-test fee
Step 3 - Certifying Your Solution
This last step requires your company to conduct a scan against a specific testing infrastructure (lab) controlled by an independent laboratory on behalf of PCIco.
I was intimately involved in the ASV program and personally led the certification process until 2008. My last contribution to the ASV certification program was to hand it over to two organizations (labs) selected for their expertise and independency with the council, namely Infogard (US) and EWA (Canada). (If you're interested in the full story, read it here.)http://tiny.cc/z37zu
The laboratory is assigned to the candidate ASV at the time of registration.
The testing infrastructure is actually an unsecured heterogeneous network of about 16 targets, consisting of firewalls, routers, DNS, mail, application and database servers comprised of a diversity of services and applications. Generally speaking both labs are identical. They were originally both based on the same set of images. However, it is very possible that the labs have diverged over time. In principle ASV could expect these infrastructures to be modified (remove or add targets, patch targets) on a yearly basis.
You must certify the same scanning solution that you will use to serve your customers on the field. It could consist of one unique tool or a combination of tools. Be ready to describe your solution at the time of registration.
ASVs must perform external scans in line with the requirements set forth in the ASV operational guide. These requirements consist of procedures (scoping, exclusion handling), scanning configurations and reporting instructions. This certification test isn't about the procedure. It consists of making sure your solution is capable to identify vulnerabilities and report them in accordance with the instructions.
Your input consists of a list of targets. Your output consists of your list of IP sources from where the scan will take place (to be poked in at registration time) and your scan reports (ASV attestation of compliance, Executive summary and detailed report). For this test you are assigned with a scan window of 18 hours. The test infrastructure won't be accessible outside this window.
The primary contact receives an invitation for payment of the testing fee ($10k). Upon reception of payment PCIco invites the primary contact to register the scanning solution in the ASV portal.
After registration the primary contact receives a notification from the lab with a scan window and pre-test conf call with the Lab representative. This conf call is the opportunity for you to ask questions. We do recommend asking if you should treat them as a customer and if you need to follow the full scanning process as per the ASV operational guide. If a scan window doesn't suit you, please ask to change it before the call.
Some advice for the lab test:
- Be prepared - this test is not peanuts.
- Before the test, ensure that you have a clean channel through your ISP. Some of them prevent scanning of some ports or could automatically detect that you are scanning and block you in the middle of your scans.
- Make sure you have enough bandwidth.
- Don't scan too fast. Some solutions can scan the entire test infrastructure in about an hour or two, but I'd advise against it. Configure your scan engine to scan smoothly - one target after the other.
- Be present. Don't just launch the tool(s), monitor them.
- Don't limit yourself to one scan. If the time permits run several scans.
- Compare the results of your scans (in case of multiple scans).
- Check your logs.
- Generate or write your reports and perform a quality checks.
- Make sure to include the potential vulnerabilities.
- Don't forget to fill the special notes section.
- Don't forget to complete the attestation of compliance.
- Encrypt the reports before you send them to the Lab for validation.
How Can Rapid7 Help You?
- Rapid7 fully supports ASVs and ASVs candidates before, during and after their scan test to ensure that you pass the process.
- Before the test date, our support team is happy to walk you through configuration and use of the solution.
- The support team stays at your disposal for any technical questions during the test window, and can review the log files with you to identify any network glitch that could have interfered with your scans.
- Rapid7 will soon provide its partners with access to a test lab to do a test run before the official test date, and to ensure that their ISP is not interfering with the scans.
If you are interested to find out more about becoming an ASV, please send an email to email@example.com. We're more than happy to help you through the process!