ASV Scans

Approved Scanning Vendor (ASV) scans identify security weaknesses and other flaws in public-facing systems. You need to submit a passing ASV scan every three months or 90 days depending on your compliance obligations under the PCI Data Security Standard (PCI DSS). Evervault recommends completing your scan well ahead of the deadline. Many customers submit monthly to enhance security and allow for early identification and resolution of any issues. You can run scans from the Evervault Dashboard, browse previous scans, and download scan results to share with external auditors.

Getting started


Open the ASV Scans tab in the Dashboard, and then:

  1. Click Get started.
  2. Fill out your company name, estimated IP count, and other details.
  3. Submit and wait for Evervault to contact you.

Add a target


Targets contain the IPv4 addresses (or range of addresses) and DNS names to scan. You can include multiple IP addresses and DNS names in a single target. To create a target:

  1. Click + New target on the ASV Scans page.
  2. Name the target.
  3. Add the IP addresses and DNS names to scan.
  4. Click Create target.

You can create as many targets as you need, and you can edit target names, descriptions, and hosts.

Which hosts should be scanned?


Generally, any systems (such as firewalls, routers, and servers) that store, process, or transmit cardholder data (CHD), or that could impact the security of CHD, need to be scanned. When using Evervault, that means scanning hosts that call the iframe that collects card information.

Run a scan


You can run scans by clicking + New scan. Scans can take up to 2+ hours depending on the number of targets, hosts, and the external systems themselves. You can rerun scans after they finish, as well as skip queued and in-progress scans.

How often should scans be run?


While a passing ASV scan is only required every 90 days, Evervault recommends running scans monthly to enhance security and allow for early identification and resolution of any issues.

Evaluating and using results


Scan results are displayed in the Evervault Dashboard. Vulnerabilities are highlighted, and you can click any issue to view more information, fix recommendations, and request exceptions. Exceptions can take a few days to be approved and are carried over to future scans. When working through remediations, you can rerun scans as needed at no extra cost.

You can download scan results as a PDF or JSON. You can also download Attestation and Executive Summary reports. If you're working with a Qualified Security Assessor (QSA), these reports should include the information required for compliance with PCI DSS 4.0 requirement 11.3.2.1.

What happens if a scan fails?


If your scan fails, you need to remediate the high and medium severity issues that were identified. You can rerun scans as needed at no extra cost.

ASV scan webhooks


Similar to other Evervault events, you can configure webhooks for ASV scans. Scan times vary, so you might want to set up Slack notifications or a webhook to notify your team when scans finish. You can also listen for when reports are created.