PCI Scanning and Scan Attestations: Guidance for Merchant Representatives

Summary

PCI scan ASV attestations explained

Body

Guidance for Merchant Representatives

The “Attestation of Scan Compliance” is a one-page document from an approved scanning vendor (ASV) that ‘certifies’ that the PCI External Scan was properly scoped to include the merchant’s ecommerce host(s)/site(s), that all the necessary tests were performed, and that the host(s)/site(s) passed the PCI External Scan. The scan and attestation need to be completed every 3 months (quarterly) for SAQ-A ecommerce sites to be compliant with PCI and Elavon’s requirements. The document will be a one-page document clearly titled “Attestation of Scan Compliance” and will probably be a PDF. The attestation must/will include the following sections or elements:

  • Scan Customer Information (3rd party ecommerce package provider)
  • Approved Scanning Vendor Information (e.g., Tenable or Qualys)
  • Scan Status (Pass and scan expiration date is 90 days from date scan completed)
  • Scan Customer Attestation
  • ASV Attestation

The “Attestation of Scan Compliance” will look similar to the example below. 

[Image: example “Attestation of Scan Compliance”]

Acquiring and uploading the “Attestation of Scan Compliance” is the responsibility of the merchant representative, the individual who has a login and can manage the MID in https://pcicompliancemanager.com/. Each merchant representative is responsible for tasks like completing the business profile, affirming compliance, and/or uploading the scan attestation if needed.

For internal (university-hosted) sites, the merchant representative will follow the internal process to request the required scan and attestation from ITS. The forms to initiate a request are located in the PCI Service Offerings in the TeamDynamix (TDX) ticketing system: https://nusupport.nebraska.edu/TDClient/33/Portal/Requests/ServiceDet?ID=157. Once the request is received, ITS will perform the scanning and provide the merchant representative with the “Attestation of Scan Compliance.” Any questions about this process can be directed to the ITS Security Program Management team.

For outsourced ecommerce sites, the merchant representative is responsible for acquiring the “Attestation of Scan Compliance” from their ecommerce provider. Possible language to use as a starting point when requesting the “Attestation of Scan Compliance” from an external ecommerce service provider is below:

Subject: Request for ASV Attestation of Scan Compliance

Dear [Service Provider Name],

PCI DSS compliance requirements under SAQ-A section 11.3.2 require that external vulnerability scans be performed at least quarterly by a PCI SSC Approved Scanning Vendor (ASV).

As you host our eCommerce site at [eCommerce_URL], we kindly request evidence that these required scans are being conducted. Please provide an ASV “Attestation of Scan Compliance” that covers our hosted environment and any related services.

You may respond to this message with the attestation attached, or alternatively provide a secure URL from which we can download the document.

Thank you for your prompt attention to this matter.

Best regards,

[Your Name]

Once the merchant representative has the “Attestation of Scan Compliance” in hand, provided by either ITS or their ecommerce provider, they can then upload the attestation to Elavon. The scan, attestation, and upload need to be completed every 3 months (quarterly) for SAQ-A ecommerce sites to be compliant with PCI and Elavon’s requirements. Additional instructions on how to upload the attestation to Elavon are included below:

 

PCI ASV Attestation upload in https://pcicompliancemanager.com/

If you have multiple MIDs, you will have to repeat this process for each MID needing a scan.

For the MID that needs a scan, log in to https://pcicompliancemanager.com/ to manage the MID. Find the “Be scan compliant” box and select Manage.

Select Upload results

Select file and upload the current ASV scan attestation file.

Enter the document date and scan date. They are the same date, so find the “Date scan completed:” on the attestation and use that date for both. Also select ‘Tenable Inc.’ for the ASV*. Leave everything else as default or blank.

When finished, select upload and you should be done.

Details

Article ID: 543
Created: Fri 4/25/25 3:21 PM
Modified: Tue 4/29/25 9:10 AM