Skip to main content

Do I Need Quarterly ASV Scans?

What an ASV scan is, whether your business needs one, and what to expect from the quarterly process.

Depending on how you take payments, PCI DSS may require you to get a quarterly external vulnerability scan from a certified Approved Scanning Vendor, or ASV. Here's what that means and whether it applies to you.

What an ASV scan actually is

It's an external scan of your internet-facing systems — your website, your payment page, anything with a public IP — run by a company PCI has specifically certified to do this. It's how you demonstrate compliance with PCI DSS Requirement 11.3.2, which calls for this kind of scan at least once a quarter, and again after any significant change to your setup.

Do you need one?

It depends on which SAQ applies to your business. If you're on SAQ A, A-EP, B-IP, C, or D, yes — you need quarterly ASV scans, since these all involve some kind of internet-facing footprint (even something as small as a redirect or iframe checkout page counts). If you're on SAQ B, C-VT, P2PE, or SPoC, you're off the hook here — those setups don't have a persistent, externally-scannable footprint of your own.

What to expect

  • You can't run this scan yourself — it has to be done by a PCI-certified ASV. You'll work with them to schedule it and define what's in scope, but they control the scan itself and the report it produces.

  • Getting your scope right matters — make sure you're accounting for everything that's actually internet-facing, since that's ultimately your responsibility to define.

  • If your network is properly segmented (your payment systems isolated from everything else), the scan's scope — and the cost and hassle that comes with it — shrinks considerably.

  • A failing scan isn't a crisis. Rescans are a normal part of the process, and you can combine multiple scan reports across the quarter to show everything eventually came back clean.

  • Hold on to your scan reports for a few years — acquirers and payment brands sometimes ask for them as proof down the line.

A quick word on internal scans

Separately from ASV scans, PCI also recommends internal vulnerability scanning of your own network. That one doesn't have to be done by an ASV — you or a qualified vendor can handle it — so don't mix the two up if someone mentions "internal scanning" to you.

Not sure if this applies to you, or need help finding a scanning vendor? Reach out to our support team and we'll point you in the right direction.

Did this answer your question?