How to address the differing usage of the term “quarterly” by their ASV vendor and PCI DSS QSA.
Quarterly ASV Scans and Timing
In the compliance realm, the term “quarterly” seems to be a sound and straightforward term used to provide guidance and to aid entities in adhering to requirements. However, its meaning can vary based on its context in relation to dealing with various compliance requirements from your ASV and QSA. Here are some guidelines around what you can do to prevent getting snagged in the potential mire of abiding by quarterly scanning requirements.
Quarterly, according to ASV program guidelines, is defined as achieving a passing scan at least once within a 90-day period. From all outward appearances this seems to be an up-front, understandable task that can be easily achieved. This is especially so if an entity is following industry best practice by performing monthly ASV scans. The definition of quarterly begins to become problematic when an entity attempts to adhere strictly to ASV guidelines without also considering the PCI SSC’s intent of the term quarterly. Per [PCI SSC FAQ #1087](https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/For-ASV-scans-what-is-meant-by-quarterly), the term “quarterly” is intended to mean “conducted as close to three months or 90 days apart as possible.”
Here is an example scenario:
An entity performs monthly ASV scans, conducts appropriate remediation, and files disputes against applicable findings as defined by their vulnerability management program. The entity achieves a passing ASV scan on January 20. The entity continues scanning monthly in accordance with their vulnerability management program regardless of having achieved a passing quarterly scan on January 20. But, because the entity had easily and early-on achieved a passing scan for Q1, they head into Q2 only loosely following their established vulnerability management program. They do not perform timely remediation and do not file disputes against applicable findings until eventually achieving a second passing ASV scan on June 20.
In this scenario, the entity has by definition achieved ASV compliance by producing two passing scans for two consecutive quarters, even though the two scans were more than 90 days apart (reference: ASV Guide 2.0). However, based upon the guidance presented in PCI SSC FAQ #1087, the entity may be non-compliant during their PCI DSS assessment due to the 5-month gap between passing ASV scans. The entity will be responsible for explaining and justifying the 5-month gap, providing documentation for potential failures in the entity’s vulnerability management program, and any potential failures in the entity’s security policies and procedures.
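As an added illustration (not part of the original article), the following Python check applies both readings of “quarterly” to a list of passing ASV scan dates: the ASV Guide reading (a passing scan in each calendar quarter) and the FAQ #1087 reading (consecutive passing scans no more than 90 days apart, which is what a QSA will look for). The year 2023 and the function names are assumptions.

```python
from datetime import date, timedelta
from typing import Dict, List, Tuple

MAX_GAP_DAYS = 90  # FAQ #1087 intent: passing scans as close to 90 days apart as possible


def calendar_quarter(d: date) -> str:
    """Label a date with its calendar quarter, e.g. 2023-06-20 -> '2023-Q2'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def next_pass_due(last_passing_scan: date) -> date:
    """Latest date by which the next passing scan keeps the 90-day gap intact."""
    return last_passing_scan + timedelta(days=MAX_GAP_DAYS)


def assess_passing_scans(passing_scans: List[date], required_quarters: List[str]) -> Dict:
    """Evaluate passing scan dates against both readings of 'quarterly'.

    Returns:
      quarters_without_pass: required quarters with no passing scan (ASV Guide reading)
      gaps_over_max: (earlier, later, days) for consecutive passing scans more than
                     MAX_GAP_DAYS apart (the FAQ #1087 reading applied at assessment)
    """
    scans = sorted(passing_scans)
    covered = {calendar_quarter(d) for d in scans}
    missing = [q for q in required_quarters if q not in covered]
    gaps: List[Tuple[date, date, int]] = []
    for earlier, later in zip(scans, scans[1:]):
        days = (later - earlier).days
        if days > MAX_GAP_DAYS:
            gaps.append((earlier, later, days))
    return {"quarters_without_pass": missing, "gaps_over_max": gaps}


# Constructed sample reproducing the article's scenario: passing scans on
# January 20 and June 20 (year 2023 assumed; the article gives no year).
SCENARIO = [date(2023, 1, 20), date(2023, 6, 20)]

if __name__ == "__main__":
    result = assess_passing_scans(SCENARIO, ["2023-Q1", "2023-Q2"])
    print("Quarters without a passing scan:", result["quarters_without_pass"])
    for earlier, later, days in result["gaps_over_max"]:
        print(f"Gap of {days} days between {earlier} and {later} exceeds {MAX_GAP_DAYS}")
    print("Next passing scan was due by:", next_pass_due(SCENARIO[0]))
```

For the scenario, both quarters show a passing scan, yet the 151-day gap is flagged, which is exactly the discrepancy the QSA will raise.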
To steer clear of any potential snags along the road to PCI and ASV compliance, an entity should:
- maintain a monthly scanning schedule (for example, pick a set recurring date like the 2nd Friday of every month);
- adhere to documented vulnerability management processes and procedures, and review and analyze all scan results;
- perform vulnerability remediation as outlined in accordance with the PCI DSS; and
- file monthly disputes against any applicable findings.
ASV scans should be conducted not only with PCI DSS compliance in mind, but also with a focus on overall security and industry best practice.
To optimize the return on your scanning investments, as well as to better align your compliance program with corporate security goals, you should maintain scanning best practices that meet compliance requirements. This reduces the burden of needing special exceptions and explanations during assessment, and it upholds a better security posture for the systems and endpoints that require protection. If you’d like to understand more about our ASV or PCI compliance programs, or are concerned about your already existing compliance program, or have further inquiries as they relate to the term “quarterly”, please contact Coalfire for more information.