Who establishes the scanning requirements?

The PCI Security Standards Council (PCI SSC) is an organization formed by American Express, Discover, JCB, MasterCard Worldwide and Visa, Inc. It manages the Approved Scanning Vendor (ASV) program and develops the scanning requirements.

 

What is an Approved Scanning Vendor (ASV)?

An Approved Scanning Vendor (ASV) is a company that has passed rigorous testing requirements set forth by the PCI Security Standards Council. Only Approved Scanning Vendors can fulfill requirement 11.2 (external vulnerability scanning on a quarterly basis) of the Payment Card Industry Data Security Standard (PCI DSS).

 

Where can I go to learn more about the PCI Approved Scanning Vendor (ASV) scanning requirements?

You can find more information on the PCI Security Standards Council's (PCI SSC) website http://www.pcisecuritystandardscouncil.org.

 

Why do I need a vulnerability scan?

Per PCI guidelines, if you have external-facing IP address(es) that are connected to your cardholder data environment, then you require a quarterly vulnerability scan by an Approved Scanning Vendor. Typically, these are merchants that complete Self Assessment Questionnaire (SAQ) C or D.

 

How does your scanning service help protect me?

Scanning is designed to find vulnerabilities and configurations that could leave your environment open to external attack. Any weakness the scan identifies could equally be found by someone with malicious intent, so the scan gives you as much information as possible to secure your environment against potential breaches or loss of data.

 

Should I whitelist your scanner IP addresses to ensure the scan will not get blocked?

You should whitelist the IP address range above, or add it to your allowed list, so that our scan is not interrupted or blocked. Per the ASV Program Guide, any scan that has been blocked or filtered must automatically fail as "inconclusive" and will not give you thorough and accurate results for your environment.

 

How does scanning relate to my Self Assessment Questionnaire (SAQ)?

Scanning is typically required for any merchant that has external-facing IP address(es) connected to their cardholder data environment. Typically, these are merchants that complete Self Assessment Questionnaire (SAQ) C or D.

 

Who is responsible for determining the scope of my quarterly scan?

It is ultimately up to you to confirm the scope of your cardholder data environment for PCI compliance. BASYS PCI Compliance Support can provide guidance, and an ASV is responsible for reporting any scoping discrepancies between the information you provide and the information found in your environment.

 

What do I scan?

You should scan any component that touches your cardholder data environment. Specifically, the ASV Program Guide states: In addition to providing all external-facing IP addresses, the scan customer must also supply all fully qualified domain names (FQDN) and other unique entryways into applications for the entire in-scope infrastructure. This includes, but is not limited to:

What does the scan do?

The scan first examines the targets you have specified for ports that are open to Internet traffic. It then looks within the open ports for evidence of vulnerable applications and configurations in your environment. Examples include outdated software versions, Web applications that are not securely coded, or misconfigured networks.

 

What is a threat (a.k.a. vulnerability)?

A threat, or vulnerability, is an identified security issue within your environment that is encountered during the scanning process. A threat can be "confirmed" (there is clear evidence that it exists) or "inferred" (patterns suggest that a problem may exist, but it cannot be determined with certainty).

 

What criteria are used to determine if my scan report is passing or failing?

Identified threats are scored using the Common Vulnerability Scoring System (CVSS), a global standard for rating vulnerability risk on a scale from 0 through 10. Any threat with a CVSS base score of 4.0 or higher is a failing threat. In the report these scores are translated into a "risk rating" from 0 to 5, such that failing threats have a risk rating of 3 or higher.

 

What is the difference between a "compliant" and "passing" scan status?

A passing scan status represents a completed scan without any failing vulnerabilities (those with a risk rating of 3 or higher). A compliant scan is a passing scan that has been attested to by both the merchant and the ASV. To remain in compliance with the PCI scanning requirement, a compliant scan must be achieved on a quarterly basis.

 

Does the scan report contain guidance on how to resolve vulnerability findings?

The scan report will provide suggested remediation guidance for vulnerabilities that are listed with a risk rating of 3 or higher.

 

Will BASYS help me fix the vulnerabilities?

No. BASYS Support will provide guidance to the best of its ability, but cannot perform the remediation tasks for you.

 

What is a false positive?

A false positive is a threat flagged during the scan as a potential security risk that you subsequently disprove. When you dispute such threats, they are marked as false positives in the scan results.

 

What do I do if there is information in the scan results that I want to dispute?

If you wish to dispute a finding that caused your scan to fail, you may make an "ignore threat" or "dispute" request. Disputes should be stated concisely, and supporting evidence must be provided.
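The pass/fail rules spread across the preceding answers (a blocked scan is "inconclusive", a finding with CVSS base score 4.0 or higher fails, a dispute backed by evidence becomes a false positive, and "compliant" means a passing scan attested by both merchant and ASV) can be put together as one small evaluator. The following is an added example, not code from BASYS or the scanning service; the CSV export format, the finding titles and the hosts are constructed for illustration.

```python
"""Evaluate a scan result against the ASV-style rules described in this FAQ.

Rules encoded (from the FAQ text):
  * A scan that was blocked or filtered is "inconclusive" whatever it found.
  * A finding with a CVSS base score >= 4.0 is a failing finding
    (the report's risk rating 3 or higher is the same thing).
  * A disputed finding that is backed by evidence and approved is a false
    positive and no longer counts against the scan.
  * "passing"   = completed scan with no failing findings.
  * "compliant" = passing scan attested by both the merchant and the ASV.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import List

FAIL_THRESHOLD = 4.0  # CVSS base score at or above this fails (FAQ rule)


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    false_positive: bool = False  # set only through an approved dispute

    @property
    def failing(self) -> bool:
        return self.cvss >= FAIL_THRESHOLD and not self.false_positive


@dataclass
class ScanResult:
    findings: List[Finding] = field(default_factory=list)
    blocked: bool = False           # scanner traffic was filtered by a firewall
    merchant_attested: bool = False
    asv_attested: bool = False


def parse_findings(csv_text: str) -> List[Finding]:
    """Parse a constructed 'host,title,cvss' export (hypothetical format)."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    return [Finding(r["host"], r["title"], float(r["cvss"])) for r in reader]


def approve_dispute(result: ScanResult, title: str, evidence: str) -> bool:
    """Mark a finding as a false positive; the FAQ requires supporting evidence."""
    if not evidence.strip():
        return False
    matched = False
    for f in result.findings:
        if f.title == title:
            f.false_positive = True
            matched = True
    return matched


def remediation_targets(result: ScanResult) -> List[Finding]:
    """Findings the merchant must fix or dispute before the scan can pass."""
    return [f for f in result.findings if f.failing]


def scan_status(result: ScanResult) -> str:
    if result.blocked:
        return "inconclusive"
    if remediation_targets(result):
        return "failing"
    if result.merchant_attested and result.asv_attested:
        return "compliant"
    return "passing"


# Constructed sample export; hosts use the documentation range 203.0.113.0/24.
SAMPLE_EXPORT = """host,title,cvss
203.0.113.10,Outdated TLS library version,7.5
203.0.113.10,HTTP TRACE method enabled,3.9
www.example.com,Server banner discloses version,5.0
"""

if __name__ == "__main__":
    result = ScanResult(findings=parse_findings(SAMPLE_EXPORT))
    print("status:", scan_status(result))
    for f in remediation_targets(result):
        print(f"  fix or dispute: {f.host} - {f.title} (CVSS {f.cvss})")
```

Note that the 3.9 finding is reported but does not fail the scan, while the 5.0 finding fails until either the configuration is fixed or a dispute with evidence is approved; only after every failing finding is cleared and both attestations are recorded does the status reach "compliant".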

 

Will the scan affect my Website or POS system?

The scan is designed to be non-intrusive and should not disrupt a Website or POS system. Please contact BASYS Support if you believe the scan is impacting your site or systems.

 

What is an IP?

An Internet Protocol (IP) address is a numerical label assigned to each device on a network (such as the Internet) so that the device can be identified and communicated with.

 

What is a domain?

A domain is a collection of related Web pages, images, videos or other digital content that can be addressed using a URL. An example is www.basyspro.com.

 

How does an IP address relate to a domain?

The domain name (or "www" URL) corresponds to a specific IP address. The advantage of a domain name is that it is always the same - even if the IP address it points to is dynamic and keeps changing.

 

What is the difference between a static and dynamic IP address?

A static IP address stays permanently assigned to the same computer or device, while a dynamic IP address changes periodically. The type of IP address you have depends on the type of service you have with your Internet Service Provider (ISP). Most IP addresses are dynamic - the number of addresses available is limited and ISPs charge more for a static IP address.

 

How do I find out if my IP address is static or dynamic?

If unsure about whether your IP address is static or dynamic, it is best to contact your Internet Service Provider, and they can inform you of the nature of the connection.

 

What do I do after I achieve a compliant quarterly scan? 

Once you achieve a compliant scan, verify that there is a compliant SAQ on file for your account so that you can achieve full PCI Compliance for the quarter. You will also need to attest to your scan results following each passing scan.

 

Why do I need to attest to passing scan results?

The Payment Card Industry has mandated that each merchant must confirm and validate the scan was run on their network. The whole attestation process can be as simple as signing your name.

 

Why is there a Special Note in my attestation?

A special note is included in your attestation when the scan encountered a condition that could represent a security risk. It is not serious enough to prevent compliance, but it warrants your attention.

 

How long does a scan take?

The length of your scan depends on a number of factors, including the number of probes that are concurrently assessing your target, the number of ports open to Internet traffic, and the breadth and depth of your site. An average scan takes approximately 1-6 hours.

 

What does Load Balancer mean?

A load balancer is used in environments where two or more servers perform the same function (e.g. serving pages for a Website). The load balancer distributes incoming traffic across those servers so that each one carries a similar share of the work.

 

What are hidden directories?

Hidden directories are directories on a Website that are not linked from any page; they can only be reached by typing their address directly into the browser address bar and cannot be reached by clicking a link on the Website.

 

How do I add additional domains/IP addresses to my scan scope?

If additional domains/IP addresses need to be scanned, contact BASYS support so they can add those addresses to your account.

 

Can I modify the scan settings?

The only setting that can be modified is the scan speed.

 

What are the steps needed to achieve a compliant quarterly scan?

To achieve a compliant quarterly scan, a passing scan must first be achieved (i.e., a scan with no failing threats of risk rating 3, 4, or 5). Next, you must attest to the scan, and then the ASV must attest to the scan.

 

What happens once my scan is complete?

Once your scan is complete, an email will be sent to the address you provided during the scan set up process.

 

Can I change the frequency of my scans?

If you have specified a domain/Website and/or static IP address as a target, your scan will be set up with the frequency originally specified by you or your ISO/Acquiring Bank. If you wish to change the frequency with which scans are run, please contact BASYS Support. If you have a dynamic IP address, scans must be set up with a frequency of "run once," as the address must be updated each time a scan is run to ensure that it is accurate and current.

 

What do I do if my scan results contain failing vulnerabilities?

If your scan results contain failing vulnerabilities, you will need to either remediate (fix) them, or dispute them as false positives.

 

How do I dispute a vulnerability?

To dispute a vulnerability as a false positive, click on the vulnerability page icon within the "Scan Details" area. Please be prepared to provide supporting evidence (e.g. screenshot, log file, etc.) that substantiates your request.

 

If a dispute (false positive) request is approved, will the finding show up on my next scan?

If you have a compliant scan before a rescan occurs, approved disputes will not display for 90 days. However, if you rescan before you have a compliant scan, and your evidence is still valid, you will need to reapply prior evidence.

 

Who can I contact to help answer scanning questions?

You can contact a BASYS Compliance Specialist with any questions you may have regarding scanning. They can be reached at 800-386-0711.