Select Page


What is PCI ASV?

The PCI Security Standards Council states within PCI DSS v3.2.1 that, when applicable, you must “Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). You must carry out rescans as needed, until passing scans are achieved.” (Requirement 11.2.2)

PCI ASV scans must be performed at least quarterly, and after any significant change, but not everybody needs them; see below.

Who needs a PCI ASV Scan?

Those entities who store, process or transmit cardholder data might need to undergo PCI ASV scanning. Whilst not every merchant and service provider needs ASV scans, it can also be affected by your payment channels. Additionally, your Acquirer may request these as you complete your journey to compliance.

The PCI SSC lists the following as requiring ASV scans:

Merchants reporting to their acquirer using:

  • SAQ B-IP – Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) terminals, No Electronic Cardholder Data Storage
  • SAQ C – Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage
  • SAQ A-EP – Partially Outsourced E-Commerce Merchants Using a Third-Party Website for Payment Processing
  • SAQ D – All Other SAQ-Eligible Merchants
  • A QSA to produce a Report on Compliance if requirement 11.2.2 is applicable.

Service Providers who report their compliance using:

  • SAQ D for Service Providers (D-SP) – SAQ-Eligible Service Providers
  • A QSA to produce a Report on Compliance

Benefits of ASV Scanning

The PCI ASV Program has been designed to scan for threats that can impact the security of payment system and ensures that all PCI ASV Providers are qualified. Nettitude undergoes an annual test of our solution by the PCI SSC to provide assurance that we are giving merchants and service providers the information they need to keep their payment systems secure. Each of the Nettitude PCI ASV Professionals completes training and an examination to ensure they are giving you what is needed.

By using PCI ASV scanning from Nettitude, you

  • Receive scans from the Internet for vulnerabilities within your internet facing Cardholder Data Environment
  • Maintain monitoring of the network for security and continue to remain compliant with the PCI DSS.
  • Receive information that can inform other areas of your compliance program such as change management and patch management.

How it works?

Nettitude are authorised by the PCI SSC as an ASV Provider. We offer ASV scanning services in two options:

  • Managed service – Nettitude professionals will scan the environment on an agreed schedule and provide you with the Attestations of Scan Compliance after the scan. If there are findings, they will provide information and guidance to remediate in order to rescan and achieve a passing scan.
  • Self-service portal – you initiate the scans through a portal as often as you wish, complete your remediation, and use the in-built workflow to send a scan to the Nettitude ASV Professionals for attestation. Once completed, you download the passing scan result.

Whichever option you choose, you benefit from years of practical experience in vulnerability scanning, vulnerability management and practical remediation advice.

Get a free quote

speak to our experts