The Cunning Art of ASV Manipulation!
Well, maybe manipulation is a bit of a strong word, but the reason for this title is the increasing number of requests we get as QSAs to help out smaller, level 4 merchants, who have been instructed by the likes of Worldpay, RBS Worldpay (aka Streamline), Barclaycard Business, HSBC or PayPal to go off and get an ASV scan before access is granted to use their payment APIs.
More often than not, the payment provider directs the merchant to a QSA for further assistance, should they have any queries. As 2-sec is the top of the QSA list (by alphabetical order, not saying we’re best or anything), then guess what?
The advice we give:
1) A merchant will most likely need an ASV, not a QSA, to issue the scan certificate that can be presented to the payment provider to get set up on their API.
2) ASV companies vary in quality. For most intents and purposes, merchants can get a free trial scan from most vendors.
3) After the free scans have expired, merchants can sign up for a subscription. You get what you pay for.
4) Merchants may or may not need to present any further ASV scans to the provider; after all, when using a hosted payment page, merchants would most likely be completing SAQ-A, which doesn’t require any ongoing ASV scans.
What we find odd is that a passing ASV certificate alone seems to be enough to get merchants boarded, whether or not the merchant knows what a hosted payment page actually is. We find a few variants. Some merchants have their own web form that takes card details and transmits them to the payment provider’s web form (via HTTP POST). Some merchants accept card numbers by email and submit them via HTTP POST. Some take them by telephone, mail order and so forth. The only validation that seems to be required is an ASV scan.
All ASV companies are supposed to be the same, offering consistent advice and a consistent approach. The PCI SSC does set an assault course to ensure an ASV can pick up a number of common vulnerabilities on one of its test systems, but the subsequent reporting and handling of false positives can vary immensely. To pass the ASV assault course, guess what? The ASV enables every known vulnerability check under the sun, to ensure they pass first time (otherwise, I think it’s $10,000 for a re-test).
So anyone who runs an ASV scan will probably pick up something that requires patching or reconfiguration, and away they go. Not a bad thing, but much of this patching doesn’t actually improve things, and a great deal of patching of false positives is going on.
So a quick look round to see who is doing what:
SecurityMetrics – well, I get a 404 Not Found from the Enroll link on their home page, but this was quite a popular option for merchants, as they had been advised to use it by some of the larger banks. Cost I think was around $95 per year, but if you can’t even buy it (sort your web page out, guys), then next. The Burger King of the PCI World (but closed on Saturdays, it seems).
Comodo HackerGuardian – 30-day trial option, and from £165 per year, keenly priced. The interface is a bit clunky. A big worry is that it has been known to miss things. The Kentucky Fried Chicken of the PCI World (chicken heads and fried mice are known to appear in their buckets).
Trustwave – well, apparently they are an ASV, but there is no clear indication on their website as to how to buy their service online. In this day and age, small businesses don’t really want to “explore how Trustwave can help them”. For something that’s probably less than £200, they just want to buy it and move on. The McDonald’s of the PCI World (mass produced, but very consistent quality, if you want extra ketchup with your Big Mac, they’ll knock down a rainforest and build a brand new store for you (and bill you for it)).
QualysGuard PCI Compliance – 14-day free trial. Simple sign-up. Works. From $395 per year, which includes PCI questionnaires and self-assessment options. If you want something that you don’t have to worry about and know works properly, then highly recommended. Qualys only provide vulnerability and compliance management solutions – they don’t digress into other fields, and they offer a high quality, reliable and accurate service. I was about to coin the name of a fast food chain, but this is more the Hilton Club Sandwich. Not cheap, but consistent, always performs and tastes OK too.