The PCI Security Standards Council's (PCI-SSC) recently published March Assessor Newsletter contains rather "interesting" language aimed at certain Approved Scanning Vendors (ASVs). It is unclear what the penalty will be for firms that continue their misleading practices. For those curious, WhiteHat Security was once an ASV, but has not been for over a year -- largely because we already understood the following requirements. We actually do focus on Requirement 6.6 in the spirit in which it's supposed to be applied, while the others pay lip service and take customers for a ride.
ASV: I'm a lawyer so let me be your heart surgeon
Several ASVs have received notices recently surrounding the marketing of services they sell related to being qualified by the Council. While the PCI SSC does qualify each and every ASV to conduct external vulnerability scans to meet the external scan validation requirement for PCI DSS 11.2, it does not give any ASV license to sell their services for other security practices as an agent of the PCI Council.
Here are two examples that are unacceptable and violate the ASV's contract:
1. "As an ASV, our company has been certified by the PCI Council for you to achieve both Requirement 11.2 for vulnerability scanning and Requirement 6.6 for application scanning."
There are two issues with the above statement. First, and this is a common mistake, ASVs do not help merchants fully achieve DSS Requirement 11.2. The requirement requires both internal vulnerability scanning and external vulnerability scanning. The Council only qualifies ASVs to perform the second half of that statement. Although an ASV can separately offer internal vulnerability scanning services, internal vulnerability scanning is a) not required to be done by an ASV and b) not part of the ASV qualification process by the Council. We clarified this with a note in the 1.2 release of the PCI DSS, and possibly further clarity is to come in October 2010. The second and more egregious issue is related to using a conjunction (YouTube "School House Rock" if you need a refresher on the function of a conjunction) to include another service completely unrelated to anything that has been validated by the PCI Council. In this case, there is no program to validate those who review adherence with Requirement 6.6, and the ASV lab testing is not an exhaustive process to endorse any solution as an exhaustive annual evaluation of web application security.