Specifications include, but are not limited to: Vendor shall provide Approved Scanning Vendor (ASV) services available to all State Agencies to conduct external vulnerability scanning in compliance with the current version of the PCI DSS Requirement 11.2.2.
The ASV Vendor must be identified on the Payment Card Industry (PCI) Data Security Standards (DSS) ASV List and be in good standing. If the Vendor is ever removed from the list or put on remediation status, it must inform the State.
The Vendor must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI scanning services.
The ASV Company must possess information security/vulnerability scanning assessment experience similar to the PCI scanning services and have a dedicated security practice that includes staff with specific job functions that support the information security/vulnerability scanning practice.
The Vendor at all times must have at least two (2) ASV employees performing or managing PCI scanning services, and these employees must be qualified by the PCI Security Standards Council (SSC).
The Vendor must maintain the privacy and confidentiality of the information it obtains in the course of performing its duties and obligations as an ASV Company.
The Vendor cannot be the State’s current Qualified Security Assessor (QSA).
The Vendor shall perform monthly external scanning as follows:
• Automatically scan the list of external IP addresses and/or domains for known vulnerabilities and
• Provide an executive and technical compliance report;
• Provide a detailed findings report that shall include compliance status, prioritized vulnerabilities, policy weaknesses, and remediation recommendations;
• Provide a secure web portal that allows each agency to review its findings and reports and that consolidates all agency scans at a State level;
• Provide the ability for the State to download all detailed findings in a CSV or Excel spreadsheet format for use in internal remediation efforts. Each individual finding shall be listed in its own row; and
• Provide DAS, and all staff designated by DAS, the ability to set up and modify scan schedules and to set up, modify, and disable users.