What is an Approved Scanning Vendor (ASV)?

An Approved Scanning Vendor (ASV) is a company certified by the PCI Security Standards Council to perform external vulnerability scans of internet-facing systems that are part of the cardholder data environment. ASV scans are a specific PCI DSS requirement (Requirement 11.3.2) and must be conducted quarterly by a PCI SSC-approved vendor.

Purpose of ASV scans

ASV scans serve as an independent check on the security of externally facing systems that could be used to access cardholder data. The scans identify:

  • Known vulnerabilities in operating systems, applications, and network devices
  • Misconfigurations that could expose systems to attack
  • Weak or default credentials on internet-facing services
  • Missing security patches
  • Other security weaknesses visible from the external network

ASV scan requirements

PCI DSS requires:

  • Quarterly scans — external vulnerability scans must be performed at least once every 90 days
  • Passing results — scans must achieve a passing status, meaning no vulnerabilities with a CVSS score of 4.0 or higher remain unresolved
  • Scan coverage — all externally facing IP addresses and domains in scope must be included
  • Rescans after remediation — if a scan fails, vulnerabilities must be remediated and a rescan performed to confirm resolution
  • Scan after significant changes — additional scans may be required after significant infrastructure changes

How ASV scans work

The ASV scan process typically follows these steps:

  1. Scope definition — the organization identifies all external IP addresses and domains in the cardholder data environment
  2. Scan execution — the ASV performs automated vulnerability scanning against the defined scope
  3. Results review — the ASV provides a report detailing identified vulnerabilities, their severity, and remediation guidance
  4. Dispute resolution — if the organization believes a finding is a false positive, it can submit a dispute to the ASV with supporting evidence
  5. Remediation — the organization addresses identified vulnerabilities
  6. Rescan — if needed, the ASV performs additional scans to confirm remediation
  7. Attestation — the ASV provides a scan attestation confirming the results

Passing vs failing scans

A scan is considered passing when:

  • No vulnerabilities with a CVSS base score of 4.0 or higher are present
  • No automatic failure conditions exist (such as DNS zone transfers, unrestricted SQL access, or use of SSL/early TLS)
  • All components in scope have been successfully scanned

Failing scans must be addressed before the organization can demonstrate compliance for that quarter.
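The requirements and pass criteria above amount to a small decision procedure: fail on any finding at CVSS 4.0 or above, fail on any automatic-failure condition, fail if an in-scope component was not scanned, and flag the next quarterly scan as overdue once 90 days have passed. The following is an added example written for this page, not episki's code and not a real ASV report format; the report structure, the condition tags, the hosts and the findings are all constructed sample data, and ASVs' actual reports differ.

```python
"""Evaluate a constructed ASV scan report against the PCI DSS pass criteria
described in the glossary: no CVSS >= 4.0 finding, no automatic-failure
condition, every in-scope component scanned, and a scan at least every 90 days.
Assumed, illustrative data model; not episki's code or any ASV's report schema."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

CVSS_FAIL_THRESHOLD = 4.0    # findings at or above this score fail the scan
SCAN_INTERVAL_DAYS = 90      # "quarterly" means at least once every 90 days

# Condition tags (constructed names) for the automatic-failure conditions the text lists
AUTOMATIC_FAILURES = {"dns_zone_transfer", "unrestricted_sql_access", "ssl_early_tls"}


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    condition: str | None = None          # automatic-failure tag, if any
    accepted_false_positive: bool = False  # ASV accepted the dispute; excluded from result


@dataclass
class ScanReport:
    scan_date: str                         # ISO date of the scan
    in_scope: set[str]                     # external IPs/domains the organization declared
    scanned: set[str]                      # components the ASV actually scanned
    findings: list[Finding] = field(default_factory=list)


def evaluate(report: ScanReport) -> dict:
    """Return pass/fail, the reasons for failure, and the findings that need remediation."""
    reasons: list[str] = []
    remediation: list[Finding] = []
    for f in report.findings:
        if f.accepted_false_positive:
            continue                        # resolved through the dispute process
        if f.condition in AUTOMATIC_FAILURES:
            reasons.append(f"automatic failure on {f.host}: {f.condition}")
            remediation.append(f)
        elif f.cvss >= CVSS_FAIL_THRESHOLD:
            reasons.append(f"{f.host}: {f.title} (CVSS {f.cvss})")
            remediation.append(f)
    unscanned = report.in_scope - report.scanned
    if unscanned:
        reasons.append("in-scope components not scanned: " + ", ".join(sorted(unscanned)))
    return {"passing": not reasons, "reasons": reasons, "remediation": remediation}


def next_scan_due(last_scan: str, today: str) -> tuple[str, bool]:
    """Return (due date, overdue?) for the next quarterly scan, using ISO date strings."""
    due = date.fromisoformat(last_scan) + timedelta(days=SCAN_INTERVAL_DAYS)
    return due.isoformat(), date.fromisoformat(today) > due


# Constructed sample: one high finding, one automatic failure, one low finding,
# one accepted false positive, and one in-scope domain the ASV never reached.
FAILING_REPORT = ScanReport(
    scan_date="2024-01-15",
    in_scope={"203.0.113.10", "203.0.113.11", "shop.example.com"},
    scanned={"203.0.113.10", "203.0.113.11"},
    findings=[
        Finding("203.0.113.10", "Outdated web server version", 7.5),
        Finding("203.0.113.10", "TLS 1.0 enabled", 5.3, condition="ssl_early_tls"),
        Finding("203.0.113.11", "Server banner disclosure", 2.6),
        Finding("203.0.113.11", "Missing HSTS header", 4.3, accepted_false_positive=True),
    ],
)

# Constructed rescan after remediation: only the low finding remains and all components were scanned.
PASSING_REPORT = ScanReport(
    scan_date="2024-02-02",
    in_scope={"203.0.113.10", "203.0.113.11", "shop.example.com"},
    scanned={"203.0.113.10", "203.0.113.11", "shop.example.com"},
    findings=[Finding("203.0.113.11", "Server banner disclosure", 2.6)],
)

if __name__ == "__main__":
    for label, report in (("initial scan", FAILING_REPORT), ("rescan", PASSING_REPORT)):
        result = evaluate(report)
        print(f"{label}: {'PASS' if result['passing'] else 'FAIL'}")
        for reason in result["reasons"]:
            print("  -", reason)
        due, overdue = next_scan_due(report.scan_date, "2024-04-20")
        print(f"  next scan due {due}{' (OVERDUE)' if overdue else ''}")
```

The accepted-false-positive flag models step 4 of the process (dispute resolution): a finding only drops out of the result once the ASV has accepted the dispute, never because the organization alone disagrees with it. Note that the unscanned in-scope domain fails the report even though no finding is attached to it, matching the "all components in scope have been successfully scanned" condition.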

ASV vs penetration testing

ASV scans and penetration testing serve different purposes:

  • ASV scans are automated external vulnerability scans required quarterly, focused on identifying known vulnerabilities
  • Penetration testing involves manual testing by skilled testers who attempt to exploit vulnerabilities and chain findings together

Both are required by PCI DSS, but they serve complementary functions. ASV scans provide broad, frequent coverage while penetration tests provide deeper, more targeted analysis.

Choosing an ASV

The PCI SSC maintains a list of approved scanning vendors on its website. When selecting an ASV, consider:

  • Quality and usability of scan reports
  • False positive rates and dispute resolution processes
  • Customer support responsiveness
  • Integration capabilities with your security tools
  • Pricing structure

How episki helps

episki tracks your ASV scan schedule, stores scan results, and monitors remediation of identified vulnerabilities. The platform alerts you when quarterly scans are due and flags overdue remediation items. Learn more on our PCI DSS compliance page.
