Overview of Nettitude's ASV scanning for PCI DSS

1. Excellence as Standard
How Nettitude can help with your PCI DSS ASV Vulnerability Scanning:
Vulnerability scanning is a key component within the PCI Data Security Standard. A malicious attack will very
often begin with a gentle and often remote probe of the security posture of an organisation. The publically
available perimeter of an organisation is by its nature potentially open to all kinds of sources of attacks. This
can then be the entry point for a full blown assault upon your network and/or data.
A strong security posture may change at any time as new vulnerabilities in operating systems are uncovered,
or when unchecked changes are implemented or even when a combination of a number of factors reveal an
unknown weakness that has existed all along.
The purpose of a Vulnerability Assessment is to be confidant on a regular basis that your systems and
infrastructure is well configured, well patched and well designed to prevent malicious attackers from having
an opportunity.
Nettitude is qualified as an Approved Scanning Vendor (ASV) to perform these Vulnerability Assessments.
WHAT DO THE PCI SECURITY STANDARDS COUNCIL SAY?
PCI DSS requires that if you transmit, process or store Card Holder Data then some form of Vulnerability Scan
will most probably need to be completed. Your Acquiring Bank/Payment Brands will advise you accordingly.
The requirement is found is Section 11 of the PCI DSS and consists of the following statement:
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant
change in the network (such as new system component installations, changes in network topology,
firewall rule modifications, product upgrades).
HOW DO I PERFORM EXTERNAL SCANNING?
The external scanning must be performed by an Approved Scanning Vendor (ASV) who has been authorised
and approved by the Security Standards Council (SSC). This accreditation is renewed each year and a list of
ASV’s published on the Councils website at: https://www.pcisecuritystandards.org/pdfs/asv_report.html
This scanning must be done every quarter and the reports will need to be submitted to your Acquiring
Bank/Card Brand along with your relevant Self Assessment Questionnaires (SAQ) or QSA Reports on
Compliance (ROC).
The report that you submit must come back with a clean passing result. It is essential that any vulnerabilities
that result in a failure are dealt with and rectified immediately so that a set of clean reports can be
maintained. Submitting less than 4 passing quarterly reports may lead to a non-compliance.

2. WHAT INFORMATION DO I NEED TO GATHER?
• Obtain a list of all Internet-facing Internet Protocol (IP) addresses and/or ranges. This must
include all network components and devices that are involved in e-commerce transactions or retail
transactions that use IP to transmit data over the Internet. This typically includes any routers,
firewalls, load balancers, etc.
• If domain-based virtual hosting is employed, obtain a list of all domains to be scanned (For
example if you have a number of hosted websites)
• If you have an IPS /IDS deployed then this must be set to allow testing traffic from the ASV to pass
unrestricted.
The responsibility is on the merchant to provide this info to the ASV. If a breach takes place through neglect of
providing the correct or full range of required addresses/hosts then this liability will be down to the Merchant.
HOW CAN NETTITUDE HELP?
• Timely Service - Nettitude works closely with its customers to provide a helpful and timely service for
ASV scanning. Work can be scheduled quickly and remediation assistance and re-scans provided where
needed.
• Personal Service - Nettitude not only offers the required scanning services but also provides a hands
on, personal approach to the testing.
• Professional Service - Very often first scans will result in a wide range of issues that need to be
addressed. Remediation advice is contained in all Nettitude’s reports but you will also have direct
access to the security consultant who oversaw your scan and produced your report.
• Thorough Service - During scanning if Nettitude comes across active IP addresses that were not
originally provided by the customer, we will consult with the customer to determine if these IP
addresses should be included.
• Qualified Service - Nettitude will then scan the provided list of active IP addresses and/or domains for
known vulnerabilities and configuration issues and produce a report detailing the finding, PCI results
and remediation advice.
• Complete Service - ASV scanning is only one small part of the whole PCI process to which Nettitude is
very committed. You will be assured of qualified, professional, timely assistance with a personal
approach to your needs.
INTERNAL SCANNING
Nettitude is also well placed to assist with internal scanning. This can be achieved though on site audits if
required or can be completed by internal staff if appropriately qualified. Nettitude can assist with advice,
installation of technologies and support of PCI approved scanning tools to assist with this task.
For further information please speak to your Account Manager, or contact Nettitude direct using the details
below:
Nettitude Ltd, 1 Athena Court, Athena Drive, Tachbrook Park, Leamington Spa, CV34 6RT
: +44 (0) 870 3500075 : solutions@nettitude.com : www.nettitude.com