Specifications include, but are not limited to: Vendor shall provide Approved Scanning Vendor (ASV) services available to all State Agencies to conduct external vulnerability scanning in compliance with the current version of the PCI DSS Requirement 11.2.2. The ASV Vendor must be identified on the Payment Card Industry (PCI) Data Security Standards (DSS) ASV List and in good standing. If the Vendor is ever removed from the list or put on remediation status, it must inform the State immediately. The Vendor must adhere to professional and business ethics, perform its duties with objectivity, and limit sources of influence that might compromise its independent judgment in performing PCI scanning services. The ASV Company must possess information security/vulnerability scanning assessment experience similar to the PCI scanning services and have a dedicated security practice that includes staff with specific job functions that support the information security/vulnerability scanning practice. The Vendor at all times must have at least two (2) ASV employees performing or managing PCI scanning services and these employees must be qualified by the PCI Security Standards Council (SSC). The Vendor must maintain the privacy and confidentiality of the information it obtains while performing its duties and obligations as an ASV Company. The Vendor cannot be the State’s current Qualified Security Assessor (QSA). 
The Vendor shall perform monthly external scanning as follows:
• Automatically scan the list of external domains for known vulnerabilities and configuration issues;
• Provide an executive and technical compliance report;
• Provide a detailed findings report that shall include compliance status, prioritized vulnerabilities, policy weaknesses, and remediation recommendations;
• Provide a secure web portal that allows the State to review its findings and obtain reports;
  o Ability for the State to download all detailed findings in a CSV or Excel spreadsheet format to use for internal remediation efforts. Each individual finding shall be listed in its own row; and
  o Preferably, the ability for all DAS and staff designated by DAS to set up and modify scan schedules and to set up, modify, and disable users.