Why ASV Whitelisting is Both Normal and Essential for a Successful PCI Vulnerability Scan

October 30, 2017 • Category: PCI 101

“Why am I being asked to whitelist ControlScan’s IP address as part of your ASV service? Doesn’t bypassing my IPS defeat the purpose of a PCI vulnerability scan?”

ASV whitelisting is the subject of one of the most common questions our Vulnerability Management team receives, so let’s dive into the answer!

How does a PCI external vulnerability scan work?

It’s important to begin by understanding the purpose and mechanics of the PCI external vulnerability scan. External vulnerability scans involve an automated probe of your IT infrastructure through its connection to the Internet. The scan’s results provide an overview of your current environment (network or website) and any security gaps that may be present.

Is ASV whitelisting “cheating”?

Quarterly PCI external vulnerability scans are prescribed by the Payment Card Industry Security Standards Council (PCI SSC). As a PCI-Approved Scanning Vendor, ControlScan follows the guidelines set forth in the ASV Program Guide, which is also supplied by the PCI SSC.

The ultimate goal is to gather a comprehensive assessment of your IT environment’s vulnerabilities through its exposure to the Internet. In order to get this full picture, nothing can interfere with the scan’s ability to access the target systems within your IT environment.

Section 5.6 of the Program Guide addresses “ASV Scan Interference”:

  • “Such systems may react differently to an automated scanning solution than they would react to a targeted hacker attack, which could cause inaccuracies in the scan report.”
  • “If the ASV scan cannot detect vulnerabilities on Internet-facing systems because the ASV scan is blocked by an active protection system, those vulnerabilities will remain uncorrected and may be exploited by an attacker whose attack patterns don’t trigger the active protection mechanism.”

Essentially, we do not want you to turn off your active security measures. Keep them in place, but whitelist (allow) ControlScan, as the ASV, so that our external vulnerability scan traffic in particular is not blocked by those active measures.

We want your security infrastructure to do its job, while we perform ours in partnership with you.
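One way to check that point on your own side, as an added example (not ControlScan's code or tooling): the Python below audits a list of IPS/WAF exceptions and flags any entry whose source is wider than the ASV's scanner ranges or that switches active protection off instead of exempting only the scanner. The rule fields, the sample entries and the 192.0.2.0/28 range are assumptions; substitute the ranges your ASV actually publishes.

```python
import ipaddress

# Assumption: the scanner ranges your ASV publishes. These are RFC 5737
# documentation addresses used as placeholders, not ControlScan's real IPs.
ASV_RANGES = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample of exceptions exported from an IPS or WAF.
# Field names are hypothetical, not any product's export format.
SAMPLE_EXCEPTIONS = [
    {"name": "asv-scan", "source": "192.0.2.0/28", "ips_state": "enabled"},
    {"name": "scan-temp", "source": "0.0.0.0/0", "ips_state": "enabled"},
    {"name": "asv-wide", "source": "192.0.2.0/24", "ips_state": "enabled"},
    {"name": "asv-off", "source": "192.0.2.4/32", "ips_state": "disabled"},
]

def audit_exceptions(exceptions, asv_ranges=ASV_RANGES):
    """Return {rule name: [findings]} for entries that exceed a scoped ASV allowlist."""
    findings = {}
    for rule in exceptions:
        problems = []
        try:
            src = ipaddress.ip_network(rule["source"], strict=False)
        except ValueError:
            findings[rule["name"]] = ["source is not a valid address or CIDR"]
            continue
        # The exempted source must sit entirely inside one published ASV range.
        if not any(src.version == r.version and src.subnet_of(r) for r in asv_ranges):
            problems.append(f"source {src} extends beyond the ASV ranges")
        # Active protection must stay on for all other traffic.
        if rule.get("ips_state") != "enabled":
            problems.append("active protection is turned off instead of exempting only the ASV")
        if problems:
            findings[rule["name"]] = problems
    return findings

if __name__ == "__main__":
    for name, problems in audit_exceptions(SAMPLE_EXCEPTIONS).items():
        print(name, "->", "; ".join(problems))
```
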

Here are some great links for further reading on this topic:

Also see my post on the ControlScan blog, sharing the exciting news that ControlScan has successfully passed its ASV revalidation for five years running!