Compliance

ASV Scans

Approved Scanning Vendor (ASV) scans identify security weaknesses and other flaws in your public-facing systems. The PCI Data Security Standard (PCI DSS) requires you to submit a passing ASV scan at least once every three months (quarterly). Evervault recommends completing your scan well ahead of the deadline, since a failed scan must be remediated and rescanned before it can be submitted. Many customers scan monthly to identify and resolve issues early. You can run scans from the Evervault Dashboard, browse previous scans, and download scan results to share with external auditors.

Getting started

Open the ASV Scans tab in the Dashboard, and then:

  1. Click Get started.
  2. Fill out your company name, estimated IP count, and other details.
  3. Submit and wait for Evervault to contact you.

Add a target

Targets contain the IPv4 addresses (or address ranges) and DNS names to scan. You can include multiple IP addresses and DNS names in a single target. To create a target:

  1. Click + New target on the ASV Scans page.
  2. Name the target.
  3. Add the IP addresses and DNS names to scan.
  4. Click Create target.

You can create as many targets as you need, and you can edit target names, descriptions, and hosts. Generally, any system that stores, processes, or transmits cardholder data (CHD), or that could impact the security of CHD, needs to be scanned. When using Evervault, that means scanning the hosts that serve the pages embedding the iframe that collects card information.

Run a scan

You can run scans by clicking + New scan. Scans can take two hours or more, depending on the number of targets and hosts and on the responsiveness of the external systems being scanned. You can rerun scans after they finish, and you can skip queued and in-progress scans.

Evaluating and using results

Scan results are displayed in the Evervault Dashboard. Vulnerabilities are highlighted, and you can click any issue to view more information, fix recommendations, and request an exception (for example, for a finding you consider a false positive or have mitigated through compensating controls). Exceptions can take a few days to be approved and are carried over to future scans. When working through remediations, you can rerun scans as needed at no extra cost.

You can download scan results as a PDF or JSON. You can also download Attestation and Executive Summary reports. If you're working with a Qualified Security Assessor (QSA), these reports should include the information required for compliance with PCI DSS 4.0 requirement 11.3.2.1.

ASV scan webhooks

As with other Evervault events, you can configure webhooks for ASV scans. Because scan times vary, you may want to set up Slack notifications or a webhook to notify your team when a scan finishes. You can also listen for events that fire when reports are created.