
What Is a PCI Approved Scanning Vendor?


If you want to be compliant with Payment Card Industry Data Security Standards (PCI DSS), then you’re required to perform quarterly scans of your internal and external networks using an approved scanning vendor, or ASV.

Sure, you could skip that and run afoul of PCI DSS and get fined by your acquiring bank… and lose the right to accept payment cards… and get dropped by the aforementioned bank… and then have to lay off all of your employees and liquidate your inventory… and sell your home to cover the debt — all the while lamenting that you should’ve just done the scans…

You do you, man.

However, in the event you’d like to avoid a calamitous downfall, let’s talk about PCI approved scanning vendors, or ASVs, and what’s required of you.

Who Has to Perform PCI Scans?

Everyone has to do PCI Scans — period. Requirement 11 specifies that and lays it all out in black and white. This means that you’ll need to perform quarterly scans of your environment and submit reports to your acquiring bank.

There are two kinds of scans EVERYONE has to run, and a third type that applies more narrowly. Let’s start with what everyone has to do:

  • External Scans. All of the IP addresses/ranges that are public facing on your network need to be scanned quarterly. You can do this fairly easily, especially if you use Comodo’s HackerGuardian PCI scanner, which takes just minutes to set up and start your first scan.
  • Internal Scans. You’ll need to run internal scans to ensure that the safeguards you have in place are working and ready. Again, Comodo HackerGuardian can take care of this in just a few simple steps.
  • Application Scans. If you’re deploying web applications that are public facing, especially if you’re developing those applications, you need to scan those quarterly as well. Comodo HackerGuardian can do this alongside your external scans.

To perform these scans, you need to go through a PCI approved scanning vendor such as Comodo CA.

So, What Is an Approved PCI Scanning Vendor?

A PCI DSS approved scanning vendor is not unlike a certificate authority (CA). In fact, a lot of approved scanning vendors ARE certificate authorities. That’s because CAs are required to operate openly and with complete transparency. They undergo regular audits and reviews to maintain their trusted status. In other words, they’re highly reputable and want to stay that way. So, when they say you ran a scan, the PCI SSC can trust and believe it.

But not all approved scanning vendors are equal. Some operate with a malware library that’s nowhere near as extensive as others. Other scanners don’t offer remediation advice, which forces organizations to seek out their own solutions and oftentimes requires paying an outside firm to assist.

Speaking from experience, we recommend using Comodo HackerGuardian for your scanning needs. Not only does it produce ready-to-submit reports, but it’s also the cheapest scanner on the market. Comodo CA has built its scanner on top of its antivirus’s malware definitions. Normally, this solution retails for about $250 when you buy it from Comodo CA directly. At, we sell it for as little as $72.42 per year.

You have to scan if you want to be compliant, avoid non-compliance penalties, and just do right by your customers. But why pay more than you have to? Get the right solution for your business at the best price.

Comodo HackerGuardian

Save Up to 71% on PCI Scanning

Get Comodo HackerGuardian to stay compliant with Payment Card Industry standards starting for as little as $72.42 per year!