ASV Role

Every day, experts discover new vulnerabilities which may be used by attackers for illegal operations. System components, processes and custom software need to be assessed frequently to ensure that security controls keep pace with these new developments.

Therefore, companies processing payment card data must assess their systems periodically according to the PCI DSS specifications, and the assessments must be conducted by specific Approved Scanning Vendors (ASVs), the only firms whose results are guaranteed, recognised and accepted by the PCI SSC. This is where eMaze comes into play, as one of the few Italian firms qualified as an ASV.

Periodic assessments consist of a vulnerability scan conducted on internal and external servers and network devices to detect unknown vulnerabilities that could be exploited by unauthorised users. The ASV performs the assessments according to the operational methods and procedures defined by the PCI DSS standard and periodically certifies that the Customer’s network is free from critical vulnerabilities.

The severity of each vulnerability is measured in detail according to the international CVSS standard. If a vulnerability’s CVSS score is greater than or equal to 4.0, the vulnerability is considered dangerous and the system cannot be certified. If a dangerous vulnerability is detected, the Customer, after remediating it, must ask the ASV for a new scan to verify that the problem has been solved. According to the ASV procedures, the Customer may dispute the findings of the ASV scans. The ASV issues the certification of compliance with the PCI DSS standard when the Internet-facing systems of the Company to be certified are free from critical vulnerabilities, except for potential false positives or other exceptions verified and validated by the ASV.