Approved Scanning Vendor (ASV)™ Qualification
The Approved Scanning Vendor (ASV)™ training program, for staff and security personnel of Approved Scanning Vendor companies, is comprised of an in-depth eight-hour online course and exam covering the Payment Card Industry, Payment Card Industry Data Security Standards requirements and scan testing procedures. With the knowledge gained in this training, staff will be better equipped to serve their customers in ensuring the quality of scan outputs and providing reports that are complete and accurate.
Upon completing this course, you’ll be able to perform external vulnerability scans, submit the appropriate scan report, and maintain internal quality assurance for scanning efforts.
Right for you if…
You are employed by an Approved Scanning Vendor company, and assess and validate scanning requirements for PCI DSS compliance. Typical applicants include Information Security Analysts, Specialists, Consultants, Advisors, or Engineers.
“The ASV training course was very useful, especially the study of SCORE CVSS vectors and their direct involvement with PCI DSS.”
“Information related to the approach and scope was most useful – plus the case studies were very good and helped develop practical insight.”
This eight-hour online eLearning training program offers:
- PCI DSS Program Overview
Outlines the PCI DSS lifecycle and the 12 requirements of PCI DSS.
- Payment Industry Terminology and Relationships
Provides an overview of the payment industry terminology, key service provider relationships and the transaction flows associated with various payment industry processes.
- Compliance Validation, Requirements and Process
Outlines merchant and service provider levels, and validation and reporting requirements for merchant levels and service providers by payment brands.
- Roles and Responsibilities, ASV Overview and Quality Assurance
Discusses roles and responsibilities, and covers aspects of external vulnerability scanning, such as overview of the scan process, scoping an ASV scan, the ASV scan solution, scan reporting, and quality assurance.
- General Requirements for Scanning
Reviews contracting, scope for ASV scans, procedures for scan customers and ASVs, and the characteristics of scan solutions.
- Scan Reporting
Examines scan report contents, reading and interpreting reports, vulnerability reporting, and the Common Vulnerability Scoring System or CVSS.
- Scanning Vendor Testing and Approval Process
Details the testing and approval process for ASV companies.
Prior to the training class, you should familiarize yourself with these publications on the PCI website:
- Glosario de PCI
- PCI DSS
- PCI DSS Validation Requirements for Approved Scanning Vendors
- PCI Approved Scanning Vendors Program Guide
Training and Exam
The online course is a self-paced five (5) hour course. Following the completion of the course, trainees will take a 60 question multiple choice exam.
If a passing score is achieved a certificate will be provided which is valid for 12 months from the exam date. If a passing score is not achieved, an additional attempt is available following payment of a re-take fee. The primary contact at the ASV company is notified of the exam results.
Five (5) Continuing Professional Education (CPE) hours are granted for completion of the course.
Course: New ASV Professional
Price: $1095 USD
Please note: Unless otherwise specified, all fees are in US Dollars. All course fees are NON-TRANSFERABLE and NON-REFUNDABLE. An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer.
Payment is required prior to beginning the course. Course conducted in English. Examination delivered in English.
PCI SSC currently qualifies only individuals who work for qualified ASV Companies. Candidates must be a full-time employee of an ASV Company in order to register for ASV Training and qualify as an ASV Employee. All training inquiries and assignments must be submitted through the ASV Company’s primary contact.
Please see the Qualification Requirements for Approved Scanning Vendors v2.1, December 2013 for more details.
Applicants supply a resume reflecting these minimum requirements:
- Possess a minimum of three (3) years of information security experience as follows:
- A minimum of one (1) year in vulnerability scanning and/or penetration testing;
- At least two (2) years in any two of the following areas of expertise, with a minimum of one year in each discipline: Network security, Application security, System security, IT security auditing, IT security risk assessment
- Possess ONE of the following:
- A current industry-recognized security certification: CISA, CISM, CISSP
- An additional two (2) years experience in at least two of the following areas of expertise, with a minimum of one year in each discipline: Network security,Application security, System security, IT security auditing, IT security risk assessment
Requalification is required annually via eLearning training and examination.
- All training inquiries and assignments must be submitted through the ASV company's primary contact.
- PCI SSC requires all training attendees to be full time employees of a Validated ASV company.
- Proof of information systems assessment training within the last 12 months to support professional certifications (even if the employee does not have professional certifications), of a minimum 20 Continuing Professional Education (CPE) hours per year and 120 Continuing Professional Education (CPE) hours over the rolling three year period.
- Training provided by PCI SSC will count towards the annual CPE hours.
- Click here for information on activities that qualify for CPE Hours.
- Registration must be completed by your expiration date. Any professional who is not registered in the requalification course prior to their expiry date, or who does not achieve a passing score on the exam by the end of the two week grace period, will be required to re-enroll as a new candidate.
Request More Information