Who or what are ASVs?
ASV, or PCI ASV, is a short form we often hear in the Payment Card Industry arena. ASVs are Approved Scanning Vendors: organisations certified by the PCI Security Standards Council to perform the external vulnerability scans that PCI DSS requires against the Internet-facing domains of merchants and service providers who handle cardholder data.
Scanning helps in discovering vulnerabilities. A vulnerability can be defined as a flaw or weakness in system security procedures, design, implementation, or internal controls that, whether triggered accidentally or intentionally, results in a security breach or a violation of the system’s security policy. The other aspect where scanning helps is that it exposes misconfigurations of web sites, applications, and information technology (IT) infrastructures with Internet-facing internet protocol (IP) addresses. An ASV must not disturb the customer environment, either technically or operationally: all scans must be performed without penetrating or altering it.
What does an ASV do?
In order to appreciate how an ASV works we have to dig into computer networks. As we all know, a network is how resources and information are shared among a collection of computers or hardware components. To put it more simply, sending and receiving data is governed by communication standards, which include Ethernet, a hardware and link-layer standard that is omnipresent in local area networks (LANs), and TCP/IP, which defines a set of protocols for internetworking. For example, networks let us send emails and instant messages, chat, make video telephone calls and hold video conferences. That is the communication aspect; then there is the sharing of files and data, for example downloading music. To understand the whole setup of the Internet we must first understand the basic model of computer networking, the Open Systems Interconnection (OSI) model, and how an ASV scans every layer.
The OSI model has seven layers of computer networking. At the very onset it has the physical layer, where Ethernet plays a predominant role. This layer defines the electrical and physical specifications of devices; prime examples would be WiFi, cables or adapters. Because the use of WLANs introduces data security risks which need to be identified and mitigated, the ASV has to scan wireless access points in wireless LANs (WLANs). The second layer, the data link layer, is a procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the physical layer. Examples are a modem, hub, bridge or switch, or a piece of data terminal equipment (DTE) such as a digital telephone handset, a printer, a host computer, a router, a workstation or a server. These two layers are the land-based layers. Then there is the network layer, which is layer 3. The network layer uses specialised hosts, called gateways or routers, to forward packets between networks. In general terms this layer introduces the addresses known as Internet Protocol (IP) addresses. The fourth layer, the transport layer, ensures that messages are delivered error free, in sequence, with no loss or duplication, through ports; it provides, for instance, message segmentation, message acknowledgement and session multiplexing. Examples of common transport layer ports are those for HTTP, DNS and POP3. In between these layers of networking the ASVs scan all filtering devices, such as firewalls or external routers, which are used to filter traffic. The ASV must also scan Domain Name Servers (DNS servers). DNS servers resolve Internet addresses by translating domain names into IP addresses. Merchants or service providers may run their own DNS server or may use a DNS service provided by their Internet Service Provider (ISP). If DNS servers are vulnerable, hackers can spoof a merchant or service provider web page and collect credit card information.
Layer 5, the session layer, establishes, manages and terminates connections between applications at each end. It is particularly used for multimedia applications, for example video conferencing and streaming. The presentation layer, the sixth in the OSI model, transfers data between applications. The first five layers provide a communication service but do not address the meaning (semantics) or structure (syntax) of the communication; the presentation layer provides the syntax for information exchange. This is the layer where the encryption and decryption of data comes into play. A good example would be a bank account site: the presentation layer decrypts the data as it is received. The application layer, the seventh layer, is responsible for identifying that there is a web server answering on port 80 so that HTTP communication can happen. Basically the application layer identifies and determines the availability of communication partners for an application that has data to transmit. For example, when cardholders share account numbers with merchants or service providers, the application server provides the functionality to transport data in and out of the secured network. Hackers are then able to exploit vulnerabilities in these servers and their scripts to gain access to internal databases that possibly hold credit card data. Some web site configurations do not include separate application servers; the web server itself is configured to act as an application server.
If a firewall or router is used to establish a demilitarized zone (DMZ), it adds an additional layer of security to an organisation’s local area network (LAN): an external attacker only has access to equipment in the DMZ, rather than to any other part of the network. A DMZ configuration typically provides security from external attacks for systems such as web servers, mail servers, FTP servers and VoIP servers. The mail server inside the DMZ passes incoming mail to the secured internal mail servers and also handles outgoing mail. All these devices must be scanned for vulnerabilities. Web servers are another important aspect that an ASV needs to scan. A web server’s prime function is to allow Internet users to view web pages and connect with web merchants. These servers are fully accessible from the public Internet, hence it becomes pertinent to scan them for vulnerabilities. The ASV must also scan virtual hosts: in a shared hosting environment it is standard practice for a single server to host more than one web site. Here the merchant shares the server with the hosting company’s other customers, which could lead to the merchant’s web site being exploited through other web sites on the host’s server.
The above is just an outline of why quarterly scans are required under the PCI DSS requirements for merchants and service providers dealing in cardholder data.
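The DMZ paragraph above describes two ideas that are easy to check mechanically: the firewall policy decides which hosts the Internet can reach, and everything the Internet can reach is what an external scan has to cover. The following is an added example, not code from the original article or from any ASV or PCI SSC tool. It models a small constructed inventory (documentation-range addresses, made-up host names) and a constructed first-match, default-deny policy for the web, mail and FTP layout described in the text, then derives the Internet-facing scan scope from the policy and flags any rule that exposes an internal host directly to the Internet.

```python
"""Derive an Internet-facing scan scope from a DMZ firewall policy.

Everything here is constructed for illustration: host names, the
203.0.113.0/24 (documentation range) and 10.0.0.0/8 addresses, and the
rules themselves. Nothing refers to a real environment.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory: every host sits in exactly one zone.
HOSTS: Dict[str, Dict[str, str]] = {
    "web-01":   {"zone": "dmz",      "ip": "203.0.113.10"},
    "mail-gw":  {"zone": "dmz",      "ip": "203.0.113.25"},
    "ftp-01":   {"zone": "dmz",      "ip": "203.0.113.21"},
    "mail-int": {"zone": "internal", "ip": "10.0.0.25"},
    "db-01":    {"zone": "internal", "ip": "10.0.0.50"},
}


@dataclass(frozen=True)
class Rule:
    src: str    # source zone: "internet", "dmz" or "internal"
    dst: str    # destination: a zone name or a specific host name
    port: int   # destination TCP port
    allow: bool


# Constructed policy for the layout in the text: the Internet may reach the
# DMZ web ports, the mail gateway and the FTP server; only the gateway may
# relay mail inward. First matching rule wins; anything unmatched is denied.
RULES: List[Rule] = [
    Rule("internet", "dmz", 80, True),
    Rule("internet", "dmz", 443, True),
    Rule("internet", "mail-gw", 25, True),
    Rule("internet", "ftp-01", 21, True),
    Rule("dmz", "mail-int", 25, True),   # gateway relays inbound mail inward
]

# A copy of the policy with one bad rule added, to show what the check catches.
MISCONFIGURED: List[Rule] = RULES + [Rule("internet", "db-01", 3306, True)]

# Ports an external scan would probe in this illustration (constructed list).
CANDIDATE_PORTS = (21, 22, 25, 53, 80, 443, 3306, 5060)


def is_allowed(rules: List[Rule], src_zone: str, dst_host: str, port: int) -> bool:
    """Evaluate one flow against the policy; the first matching rule decides."""
    zone = HOSTS[dst_host]["zone"]
    for r in rules:
        if r.src == src_zone and r.dst in (dst_host, zone) and r.port == port:
            return r.allow
    return False  # default deny


def internet_facing_scope(rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """Every (host, ip, port) the Internet can reach through the policy.

    This is the set an external vulnerability scan must cover, whether or
    not a service actually listens there; a scan is what tells you which of
    these are really open.
    """
    scope = []
    for host in sorted(HOSTS):
        for port in CANDIDATE_PORTS:
            if is_allowed(rules, "internet", host, port):
                scope.append((host, HOSTS[host]["ip"], port))
    return scope


def internal_exposure(rules: List[Rule]) -> List[Tuple[str, int]]:
    """Internal hosts the Internet can reach directly; should always be empty
    in a DMZ design, so any entry is a policy error to fix before scanning."""
    exposed = []
    for host in sorted(HOSTS):
        if HOSTS[host]["zone"] != "internal":
            continue
        for port in CANDIDATE_PORTS:
            if is_allowed(rules, "internet", host, port):
                exposed.append((host, port))
    return exposed


if __name__ == "__main__":
    for entry in internet_facing_scope(RULES):
        print("scan:", entry)
    print("internal exposure (good policy):", internal_exposure(RULES))
    print("internal exposure (bad policy): ", internal_exposure(MISCONFIGURED))
```

Note that the zone-wide 80/443 rule puts those ports on the mail gateway and FTP server into scope as well, even though nothing may listen there; that is the point of scanning every Internet-reachable address rather than only the hosts you think serve web traffic. Matching a rule on either a host name or its zone keeps the mail relay rule narrow, so `is_allowed(RULES, "dmz", "db-01", 25)` is denied while the same port on `mail-int` is allowed.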