What is a PCI ASV scan?
An ASV (approved scanning vendor) is an organisation that is approved by the PCI SSC (Payment Card Industry Security Standards Council) to carry out vulnerability scanning.
Vulnerability scans are automated tests that check target networks and systems for cyber security vulnerabilities.
By identifying areas of weakness, external vulnerability scans allow organisations to address security issues that might affect the security of the cardholder data they process.
Why run a PCI ASV scan?
Requirement 11.3 of the PCI DSS (Payment Card Industry Data Security Standard) requires organisations to perform internal and external network vulnerability scans at least quarterly and after any significant change in the network.
External scans must be performed quarterly by a PCI ASV.
Who must undergo PCI ASV scans?
All acquiring banks require proof that merchants and service providers are PCI compliant before processing credit card payments.
Failure to provide proof of being PCI compliant (called an Attestation of Compliance) will result in a fine per payment card transaction from your bank.
PCI ASV Scanning Service
This easy-to-use, self-managed, web-based scanning portal will check for vulnerabilities so you can ensure continued compliance with the PCI DSS. Unlimited scans, remediation guidance and downloadable compliance reports make this scanning service an ideal solution for e-commerce merchants.
Benefits of PCI ASV scanning
Conducting vulnerability scans provides valuable information that supports efficient patch management and other security measures that improve the security of the CDE (cardholder data environment).
Firewalls are designed to keep malicious actors out of your networks, but they can't protect you from all types of attacks. The ports opened to allow web, email, FTP and other Internet-based services to function leave you vulnerable to exploitation.
Vulnerability scans can help identify these weaknesses, informing your security practices.
How do PCI ASV scans work?
Scanning tools essentially run a series of if-then scenarios designed to detect system settings and the tell-tale signs of vulnerabilities. A completed scan will provide a logged summary of alerts for you to act on.
To pass an ASV scan, you must remediate all identified critical, high-risk or medium-risk vulnerabilities (those with a CVSS score of 4.0 or higher), as well as certain specific findings that result in an automatic fail.