usd AG Again Accredited as Worldwide Approved Scanning Vendor (ASV)

9 June 2021

"A few days ago we again received the worldwide accreditation as Approved Scanning Vendor (ASV) with our usd PCI DSS Platform and our ASV Scanning Services," Andreas Duchmann, Managing Director of usd AG, is pleased to announce. "This means that we have consistently passed the international ASV qualification for 16 years. This is an important proof of our competence and quality in performing automated, technical vulnerability scans."

As part of their PCI DSS certification, companies that process, store or forward credit card data must check their affected IT systems for vulnerabilities with an external scan on a quarterly basis. These scans may only be performed by an ASV that is audited, accredited, and included on the PCI Security Standards Council (PCI SSC) official list of approved scanning vendors; results from non-accredited suppliers are effectively revoked by the PCI SSC.

Annual Accreditation

All ASV organizations must undergo annual re-accreditation with the PCI SSC. In doing so, relevant suppliers must meet or exceed the requirements from the Qualification Requirements for Approved Scanning Vendors. The review is based on a structured, transparent process and requires, among other things, participation in required training sessions, an audit of the ASV staff and, most importantly, a successful test result in the PCI SSC's ASV Lab Scan Test.

Scanning Solution Is Tested in Depth

Stephan Neumann, Head of usd HeroLab, who accompanied the accreditation of the scanning solution, reports, "The review of the scanning solution does not only look at processes and organizations. Our usd PCI DSS Platform was tested in the ASV validation lab of the PCI SSC as part of a vulnerability analysis that mimics reality. These are simulated network environments with vulnerable hosts and network devices in which the scanning solution has to detect, identify and report all technical vulnerabilities within one day. In some cases, these are complex vulnerabilities that can only be found with the best tools based on years of experience."

This ASV Lab Scan Test verifies that the submitted scan solution meets the current technical requirements: all vulnerabilities must be identified, correctly assessed and adequately documented in the scan test report. This is the only way to ensure that actual threats to clients will be correctly identified later.

ASV - More Than Just a Scan

The service provided by an Approved Scanning Vendor goes beyond a purely technical scanning solution. At least two ASV staff members are also responsible for performing and managing the PCI scanning services. The use of these experts, trained and accredited by the PCI SSC, ensures that scan results are separately reviewed and evaluated. In dialog with the client, ASV staff also answer open questions about findings and recommend sensible remediation measures.

The Importance of Quality

Another important requirement as part of the accreditation process is the review of the quality assurance process. This process ensures that the following steps are adhered to before a scan report is submitted to the client: ASV scan results are analyzed for inconsistencies, false positives are verified, report confirmations are recorded, and the final report is reviewed.

"We set high quality standards for our PCI DSS Platform and are constantly developing it. When selecting our colleagues responsible for the ASV scans, we also emphasize experience in manual security analyses. This enables them to qualitatively evaluate the scan results and provide our clients with the best possible advice," says Andreas Duchmann.

