In order for an entity to attain PCI compliance, it needs to meet 12 Requirements set out in the PCI DSS (Payment Card Industry Data Security Standard).
One of these - 11.2.2 - requires an entity to "perform quarterly external network vulnerability scans through the Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC)."
These external scans, performed by the ASV, cover such things as an entity's network, website, IP address/es and devices. The role of the ASV is to highlight vulnerabilities that are present. It is left up to another Requirement - 6.1 - to result in the patching of these vulnerabilities (more on 6.1 later).
(Internal vulnerability scans - Requirement 11.2.1 - don't need to be performed by an ASV and can be done by a company that specialises in vulnerability scanning or, should you have one or more of them, qualified and independent staff within your business.)
While a Qualified Security Assessor (QSA) oversees the whole operation of meeting the 12 Requirements, an ASV can either be part of a QSA's business or separate to the QSA.
Becoming an ASV isn't a simple case of filling out a few forms and sending in an application. There are only a handful scattered around the world and they all have to meet stringent guidelines set out by the PCI SSC to be deemed worthy.
Requirement 6.1 was mentioned earlier, as it also centres around vulnerabilities. Unlike external and internal scans that highlight vulnerabilities, 6.1 requires an entity to "establish a process to identify security vulnerabilities, using reputable outside sources, and assign a risk ranking (e.g. "high," "medium," or "low") to newly discovered security vulnerabilities."
An ASV isn't needed to perform this. It can be done by a service that sources patches - CVEs - for any vulnerability found during a scan and informs the entity of the risk - severity - level of each.
One such service is SecAlerts, which acts as the 'middle-man' between software vendors and their clients. It saves valuable time and effort by matching vulnerabilities - CVEs - and zero-days to a company's software. SecAlerts might not be an ASV but it is a necessary part of PCI compliance.
