PCI DSS v2 11.2.2 asks for a quarterly scan of external systems by an Approved Scanning Vendor (ASV). Is the Rapid7 / Nexpose product considered under the umbrella of an ASV?
Rapid7 *IS* an ASV and has been for a number of years. So you could contract us to provide your ASV service to cover 11.2.2
Nexpose is not an ASV, as software cannot be certified as an ASV on its own. (It's the company running the software that is certified.)
Yes, Rapid7 is a PCI-certified ASV. Refer to our website (PCI Security For Retailers, Achieve PCI Compliance | Rapid7) for more information on how you can leverage our services for quarterly PCI scanning and associated reports.
More to the point, can I use Nexpose, a product sold by an ASV, and thus be covered under 11.2.2?
Rapid7 the company is certified by the PCI SSC as an ASV because we meet/exceed two sets of guidelines:
As you can see it would be impossible for any piece of software to meet all these requirements on its own without human intervention and oversight.
Since 11.2.2.c states "Review the scan reports to verify that the scans were completed by an Approved Scanning Vendor (ASV), approved by the PCI SSC." it means that (unless you have been officially approved by the PCI SSC as an ASV and have been issued an ASV Certificate Number) you cannot conduct your own scanning, regardless of who provides the software. And even if you were an ASV, I would be really interested to see whether the Standards Council would consider scanning yourself for 11.2.2 a conflict of interest.
This means in order to fulfill 11.2.2 you would have to contract an ASV to do your scanning and quarterly certification for you. (Regardless of whether that is Rapid7, one of our ASV partners, or one of our ASV competitors.)
Hello everyone. I understand that this is an old thread. However, I am eager to know if the latest updates to NeXpose Enterprise are currently in accordance with PCI ASV Program Guide v3.0, which was released early this year in February 2017. I do understand that NeXpose complies with PCI DSS v3.2; however, being in line with the PCI ASV Program Guide v3.0 is important to ensure that all test cases are covered by NeXpose's PCI ASV External/Internal Audit.
I would appreciate it greatly if someone could shed some light on my question of whether or not NeXpose is currently in accordance with PCI ASV Program Guide v3.0 requirements.
Thank you very much.
In a word, yes. (Naturally an ASV company would have to run the scan)