Depending on how you take payments, PCI DSS may require you to get a quarterly external vulnerability scan from a certified Approved Scanning Vendor, or ASV. Here's what that means and whether it applies to you.
What an ASV scan actually is
It's an external scan of your internet-facing systems — your website, your payment page, anything with a public IP — run by a company PCI has specifically certified to do this. It's how you demonstrate compliance with PCI DSS Requirement 11.3.2, which calls for this kind of scan at least once a quarter, and again after any significant change to your setup.
Do you need one?
It depends on which SAQ applies to your business. If you're on SAQ A, A-EP, B-IP, C, or D, yes — you need quarterly ASV scans, since these all involve some kind of internet-facing footprint (even something as small as a redirect or iframe checkout page counts). If you're on SAQ B, C-VT, P2PE, or SPoC, you're off the hook here — those setups don't have a persistent, externally-scannable footprint of your own.
What to expect
You can't run this scan yourself — it has to be done by a PCI-certified ASV. You'll work with them to schedule it and define what's in scope, but they control the scan itself and the report it produces.
Getting your scope right matters — make sure you're accounting for everything that's actually internet-facing, since that's ultimately your responsibility to define.
If your network is properly segmented (your payment systems isolated from everything else), the scan's scope — and the cost and hassle that comes with it — shrinks considerably.
A failing scan isn't a crisis. Rescans are a normal part of the process, and you can combine multiple scan reports across the quarter to show everything eventually came back clean.
Hold on to your scan reports for a few years — acquirers and payment brands sometimes ask for them as proof down the line.
A quick word on internal scans
Separately from ASV scans, PCI also recommends internal vulnerability scanning of your own network. That one doesn't have to be done by an ASV — you or a qualified vendor can handle it — so don't mix the two up if someone mentions "internal scanning" to you.
Not sure if this applies to you, or need help finding a scanning vendor? Reach out to our support team and we'll point you in the right direction.
