An approved scanning vendor (ASV) is a company authorized to perform external vulnerability scanning of internet-facing systems in scope for PCI DSS compliance. All ASVs must be qualified and approved by the PCI Security Standards Council (PCI SSC) to conduct this scanning role.

Companies in scope for PCI DSS compliance must have scans performed by approved ASVs. Non-approved scanning vendors do not satisfy compliance requirements and cannot be used to verify the security of a company’s internet-facing systems. Businesses can only meet PCI compliance standards by working with a qualified ASV.

PCI Security Standards Council and PCI Approved Scanning Vendor List

The PCI SSC owns and manages the ASV program. The SSC is responsible for designing the qualification framework, setting the technical and operational standards for ASVs, testing and approving candidates, and maintaining oversight of approved ASVs.

The PCI SSC defines the rules for the ASV program in a formal document titled the ASV Program Guide. The guide specifies the following requirements for acceptance into the ASV program:

  • What an ASV must be able to scan and the vulnerabilities it must detect;
  • The technical capabilities that are necessary for the ASV’s scanning solution;
  • The way ASVs must conduct vulnerability scans and interact with merchants;
  • How to handle disputes between ASVs and customers;
  • The business and ethical standards ASVs must meet;
  • The content and format requirements of scan reports and attestations.

Businesses can find an ASV on the PCI SSC’s ASV list. The list includes the ASV’s company name, place of business, the regions it serves, and email contact information.

ASV approval does not grant permanent status to the vendor. ASV status is a credential that must be earned and renewed each year. The annual requalification serves the following purposes.

  • The process ensures that the ASV’s scanning solution is adequate for handling the evolving threat landscape.
  • Requalification ensures that ASVs are tested against SSC’s current security testing procedures.
  • The SSC reassesses the ASV organization as a whole, not just its testing procedures.
  • Annual renewal maintains the integrity of the ASV program.

How ASV Scans Support PCI DSS Compliance

PCI DSS Requirement 11.3.2 states that organizations must perform external vulnerability scans at least every three months and after any change to internet-facing systems. A PCI SSC-approved scanning vendor must perform the scans to ensure the systems are hardened to withstand public attacks. The PCI Security Standards Council requires that scans be conducted by a certified ASV at least once every three months.

In addition to the scheduled quarterly scans, companies must scan all affected components when changes are made to internet-facing systems. These changes may include adding servers, upgrading network components, and modifying firewall rules.

ASV scans play a role in PCI compliance for smaller companies that perform a Self-Assessment Questionnaire (SAQ), as well as larger organizations, whose merchant level requires a full Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA). The data contained in the scan are essential elements of SAQs and ROCs.

Approved Scanning Vendor ASV Qualifications and ASV Company Requirements

Prospective ASVs must first be a recognized legal entity and be authorized to conduct business, then complete the registration process with the PCI Security Standards Council qualifications by having to register, submit an attestation of compliance, and provide the following documentation across multiple categories:

  • Corporate and business documentation, including incorporation and insurance certificates, as well as administrative information and technical details submitted during registration;
  • Documentation that demonstrates the veracity of their technical scanning solution;
  • Operational policies related to scanning procedures, report templates, and dispute resolution;
  • Data security and privacy policies regarding access control, encryption, and incident response;
  • Legal and contractual documents, such as customer agreement templates and signed PCI SSC compliance attestations;
  • Personnel qualifications, including staff credentials, training procedures, background checks, and at least two full-time employees validated to perform scanning services with relevant industry experience;
  • Updated policies and solutions to support ongoing requalification.

Prospective and requalifying ASV candidates can submit scanning solutions for evaluation through remote testing against the PCI SSC’s test environment. The test infrastructure is designed to provide a controlled and repeatable method of evaluating ASV scanning solutions. The testing environment is constructed to meet the following requirements.

  • Simulate a company’s vulnerable systems.
  • Provide a consistent evaluation baseline.
  • Evaluate the accuracy of detection and classification procedures.
  • Validate that the report output meets PCI SSC format requirements.

ASV Scan Process and ASV Scans

The ASV scanning process comprises several steps designed to identify and remediate vulnerabilities that affect the security of in-scope PCI DSS environments. Customers should expect a verified ASV to perform the following activities when conducting external vulnerability scans.

Identify all in-scope external assets.

The initial step is to identify the internet-facing assets that must be scanned. Scan customers need to determine the scan scope across the organization’s network and internet-facing assets to avoid security and compliance gaps. Potential in-scope assets, including systems that are part of the cardholder data environment, include:

  • Customer-facing websites;
  • Public IP addresses;
  • Payment portals;
  • Cloud resources;
  • Remotely accessible servers and infrastructure.

Disputes about scope, inclusion, or failed scan results must be handled directly between the scan customer and the ASV, not by the PCI SSC.

Configure and schedule scans

The client works with their ASV to configure and schedule the scan. Internal teams must be aware of the scan timing, including after infrastructure or data security changes, to avoid mistaking it for real malicious activity. Specific aspects of the scan preparation include:

  • Defining scan targets;
  • Validating IP ownership;
  • Configuring the scanning parameters;
  • Scheduling the recurring quarterly scans to help meet PCI DSS external scanning requirements.

Conduct external vulnerability scans.

The next step is to perform the scheduled automated external vulnerability scans that ASVs perform. The objective is to simulate what an unauthorized external attacker can discover about the protected infrastructure, helping with determining what someone outside the environment can see. AN ASV will perform specific checks for items affecting security, such as:

  • Missing security patches that address known vulnerabilities;
  • Weak TLS encryption configuration;
  • Utilizing vendor default credentials;
  • Open ports and services;
  • Misconfigured web servers.

Review scan findings

The merchant and the ASV then review the scan findings to assess their impact on PCI compliance, which helps determine whether the findings affect compliance and what remediation is needed. Security teams must then address the findings by developing remediation strategies. Common findings include:

  • Software vulnerabilities, such as an unpatched web server;
  • Weak encryption that affects data security;
  • Unnecessarily open ports;
  • Expired certificates;
  • Configuration errors, including enabled default settings.

Remediate the identified vulnerabilities.

Organizations then remediate any identified vulnerabilities to reduce non-compliance risk and reduce the infrastructure’s attack surface. A failed scan may result from vulnerabilities, scan interference, or an unresolved dispute, and each outcome requires different remediation before rescan. Common examples of remediation activities include:

  • Applying necessary security and software patches;
  • Replacing expired certificates;
  • Disabling vulnerable and unnecessary services;
  • Hardening server access settings;
  • Strengthening encryption configuration.

Rescan the in-scope environment.

The ASV rescans the environment after the vulnerabilities are remediated. Most ASVs include rescans as part of their standard service offering. It may take multiple iterations of scanning and remediation to achieve compliance and a passing score.

Reporting, Disputes, and ASV Scanning Quality

ASV reports are highly structured and standardized to provide merchants with an auditor-verifiable compliance artifact that demonstrates external attack-surface security meeting PCI DSS requirements. The ASV report contains the following sections:

  • The executive summary indicates whether the merchant passed or failed a scan.
  • The scope definition identifies all assets included in the scan.
  • Scan configuration details demonstrate how the scanning was performed.
  • The vulnerability findings are listed in the core technical section of the report. It includes vulnerability severity, affected asset, evidence, and remediation guidance.
  • The PCI DSS compliance mapping determines whether the findings cause a failure and references the applicable PCI DSS requirements. This section forms the basis for the ASV pass/fail status.
  • The final attestation is the ASV’s official statement of compliance.

ASVs must have a structured dispute workflow in place to address disagreements between the merchant and scanning vendor. Merchants can challenge findings they believe are incorrect, not applicable, or have already been remediated. Common reasons for disputes include:

  • Detecting False Positives;
  • Identifying assets that are not externally exposed;
  • Scanning assets that are not in scope for PCI compliance;
  • Flagging remediated vulnerabilities in a scan.

Companies typically submit disputes through the ASV’s reporting system. The ASV will review the dispute and validate the issue. These disputes must be handled directly between the scan customer and the ASV and cannot be escalated to the PCI SSC. After review, the ASV will either accept the dispute and remove the vulnerability from the report or reject it as a valid finding. In some cases, the ASV may request further information to resolve the dispute.

Merchants should request a sample scan report from prospective vendors to verify that it contains the necessary information and is formatted for clear understanding by management and technical teams.

Choosing Approved Scanning Vendors and ASV Company Evaluation

Companies should always select an ASV that is on the PCI SSC’s list of approved vendors, including service providers that help businesses maintain compliance. Decision-makers should evaluate ASV companies to gauge the quality of their remediation guidance and whether the vendor also offers related security services. Merchants should expect a clear remediation process to address identified vulnerabilities.

The search for the right ASV should also include verifying that its processes integrate with a merchant’s existing security tools. Teams should try to streamline scanning without modifying their security solutions.

It is important to assess the dispute turnaround time for potential ASVs. The turnaround time can be instrumental in meeting the compliance deadlines and avoiding penalties that may affect merchant status.

Integrations, Continuous Monitoring, and PCI Compliance Maintenance

Customers should investigate the potential to integrate ASV scanning activities with existing ticketing systems. This can streamline remediation efforts and a company’s compliance posture.

Some ASVs offer continuous external monitoring solutions designed to identify vulnerabilities as soon as they appear.

Companies should work with their ASV to schedule scans after network or infrastructure changes. These ad-hoc scans protect a business from vulnerabilities that the changes may have unintentionally introduced.

Costs, Contracts, and Service Models for PCI Approved Scanning

Many ASVs offer per-scan pricing and a subscription model. Merchants should consider the following factors when signing a contract with an ASV.

  • Per-scan pricing is best for small in-scope environments. It is difficult to budget efficiently with this model because it is usage-based, and rescans may incur additional costs.
  • The subscription model offers companies with larger PCI DSS environments predictable costs, making budgeting easier. This model often includes rescans in the service’s price.

In either case, customers should clarify SLA support in the contract so they are not surprised when addressing disputes or remediation activities.

ASV Training, Certification, and Internal Quality Assurance

The ASV vendor should be willing to demonstrate that their staff is trained to perform scanning processes effectively. An ASV’s personnel should be up to date on scanning methodology, PCI requirements, and vulnerability assessment standards. Individuals and organizations that want to operate as an ASV must meet standards that include:

  • Passing the PCI SSC ASV program qualification requirements;
  • Demonstrating scanning capabilities in test scenarios;
  • Validating correct reporting methods;
  • Maintaining procedural consistency and independence.

Merchants should verify the vendor’s staff certifications to ensure they comply with PCI regulations. The ASV must demonstrate annual requalification to align with new PCI DSS requirements, updated vulnerability scoring standards, changes in scan validation rules, and evolving, sophisticated attack techniques.

Frequently Asked Questions About Approved Scanning Vendor and PCI Compliance

Q: Do internal scans replace ASV scans?

A: No, internal scans do not replace ASV scans. ASV scans are required to maintain PCI DSS compliance. Companies may perform internal scans to supplement ASV scans and identify vulnerabilities, enhancing their security posture.

Q: When are ASV scans necessary for hosted checkouts or redirect setups?

A: An ASV scan solution may be necessary for hosted checkout or redirect setups under certain conditions. Scans are required when the merchant has internet-facing systems in scope for PCI DSS. They may not be required when a merchant has no in-scope internet-facing systems or website, and a third-party provider handles the entire payment process.

Q: What is the relationship between penetration testing and ASV scans?

A: Penetration testing and ASV scans are processes that are often both required to meet PCI DSS requirements. ASV scans are automated and focus on addressing known vulnerabilities in externally accessible systems. Penetration tests go further and attempt to exploit vulnerabilities, escalate privileges, and access sensitive data. Used together, ASV scans and penetration tests provide insight into issues that may affect the security of a PCI-compliant infrastructure.

Conclusion: Selecting the Right PCI Approved Scanning Vendor

Companies subject to PCI DSS compliance must exercise care when selecting an approved scanning vendor. Ideally, the ASV should be seen as a partner to ensure the data security of the in-scope infrastructure. A reliable ASV is instrumental in maintaining the security level required for PCI compliance.

Organizations should consider these factors when choosing an ASV:

  • Inclusion on the SSC’s approved ASV list;
  • Scan accuracy and reliability;
  • The quality of remediation support;
  • Automation and reporting capabilities;
  • Responsive customer support;
  • Cost.

Merchants leveraging a reputable cloud service provider (CSP) such as Atlantic.net for their PCI DSS infrastructure can focus on running their business while the provider handles maintaining a secure computing environment. Learn how Atlantic.net supports your PCI DSS compliance with a variety of PCI-compliant hosting solutions that stand up to stringent ASV scans.