
Our company is going for a SAQ, under PCI DSS 3.1.

Do we need to pay a vendor to come out and do an on site scan, or can we use something like Nessus to do the scan on our own?

Patrick S

3 Answers


Only the external scan requires an ASV:

PCI 3.1 states:

11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.

It is only for internal scans that you can run a tool such as Nessus (emphasis mine):

11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.

verify that the scan was performed by a qualified internal resource(s) or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV)

The external scan does not require anyone "coming out". You can simply use an automated service such as Hacker Guardian, which satisfies the requirement that the scan be performed by an ASV.

SilverlightFox

To quote PCI DSS 3.1 section 11.2:

There are three types of vulnerability scanning required for PCI DSS:

  • Internal quarterly vulnerability scanning by qualified personnel (use of a PCI SSC Approved Scanning Vendor (ASV) is not required)
  • External quarterly vulnerability scanning, which must be performed by an ASV
  • Internal and external scanning as needed after significant changes

So you need an ASV for your external scans, but you can do it yourself for internal scans. If you are audited by a QSA instead of filling out the SAQ yourself, expect that they will ask for evidence that the person performing the scans is qualified: you can't have Bob in Accounting do it unless he has something on his resume that indicates he knows something about security.

gowenfawr

It depends on what kind of scan you're looking at. Since you've mentioned that your company is doing an SAQ (https://www.hackerguardian.com/pci-saq.html), I'm guessing it's going to be an internal audit. As SilverlightFox and gowenfawr have suggested, doing it internally just requires an in-house expert to ensure things are PCI compliant.

A company I worked for a few years ago used HackerGuardian (https://www.hackerguardian.com/) to fill the external scanning requirement instead of hiring a third-party ASV.

Chris