If you handle credit card data, you’ve likely been told you need a “PCI scan.” But for many IT managers, the confusion lies in whether a standard internal vulnerability scan is enough, or if you specifically require an Approved Scanning Vendor (ASV) to sign off on your reports.
Missing this requirement doesn’t just mean a failed audit; it means your merchant bank could revoke your ability to process payments entirely.
You need PCI ASV scanning if your organization processes, stores, or transmits credit card data through any external-facing IP address or web application, and you are required to validate via SAQ A-EP, SAQ B-IP, SAQ C, or SAQ D. Under PCI DSS 4.0.1, these scans must be performed quarterly by a PCI SSC-approved vendor to secure your Cardholder Data Environment (CDE).
When is an ASV Scan Legally Required?
Not every business needs an ASV. The requirement is dictated by your Self-Assessment Questionnaire (SAQ) type, which is determined by how you handle transactions.
If your systems touch the internet and transmit card data, the PCI Security Standards Council (SSC) mandates an external look from a validated third party.
ASV Requirement by SAQ Type
| SAQ Type | Merchant Profile | ASV Scan Required? |
|---|---|---|
| SAQ A | E-commerce/Mail-order outsourced to 3rd party (e.g., Stripe Checkout) | No |
| SAQ A-EP | E-commerce using a direct post or JavaScript integration | Yes |
| SAQ B-IP | Standalone IP-connected POI terminals | Yes |
| SAQ C | Merchants with payment systems connected to the Internet | Yes |
| SAQ D | All other merchants and all Service Providers | Yes |
| SAQ P2PE | Hardware payment terminals via a validated P2PE solution | No |
The "External" Rule: What Assets Must Be Scanned?
If you fall into a “Yes” category above, you must scan every public-facing IP address that provides a path into your Cardholder Data Environment (CDE). This includes:
- Web Servers: Even if they only host the payment form that redirects elsewhere.
- Firewalls & Routers: Any gateway that protects the network handling card data.
- Remote Access Points: VPN endpoints used by admins to manage payment systems.
- Load Balancers: Any infrastructure that sits in front of the CDE.
Common "Hidden" Scan Failures
At Secusy, we frequently see businesses fail their first scan not because of a massive breach, but due to technical hygiene issues that PCI DSS 4.0.1 strictly forbids:
- Deprecated TLS: Still using TLS 1.0 or 1.1.
- Information Leakage: Detailed server headers (e.g., `Server: Apache/2.4.41`) that give attackers a roadmap.
- Unnecessary Services: Open ports for telnet or old versions of SSH that serve no business purpose.
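The three hygiene failures above are easy to check before the ASV scan runs. The script below is an added example, not Secusy's code or part of any ASV tool: it evaluates a constructed host inventory (the kind of data you would gather from your own port scanner and TLS probe) against the three rules, and includes a live TLS probe so you can confirm whether a host still completes a handshake pinned to TLS 1.0 or 1.1. The hostname, port set, and "allowed ports" list are assumptions for illustration.

```python
import re
import socket
import ssl

# Protocol versions an ASV scan flags as failing under PCI DSS 4.0.1.
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Services that rarely have a business purpose on a CDE-facing host
# (assumption for the example; adjust to your environment).
UNNEEDED_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}

VERSION_RE = re.compile(r"\d+\.\d+")


def deprecated_tls_versions(supported):
    """Return the enabled protocol versions that fail an ASV scan."""
    return sorted(DEPRECATED_TLS.intersection(supported))


def server_header_leaks_version(header_value):
    """True when a Server banner exposes a product version (e.g. 'Apache/2.4.41')."""
    if header_value is None:
        return False
    return VERSION_RE.search(header_value) is not None


def unnecessary_services(open_ports, allowed_ports):
    """Open ports that are not on the approved list for a CDE-facing host."""
    return {p: UNNEEDED_PORTS.get(p, "unexpected")
            for p in sorted(open_ports) if p not in allowed_ports}


def evaluate_host(host):
    """Apply all three checks to one inventory record and list failing findings."""
    findings = []
    for v in deprecated_tls_versions(host["tls_versions"]):
        findings.append(f"{host['name']}: deprecated protocol {v} enabled")
    if server_header_leaks_version(host.get("server_header")):
        findings.append(f"{host['name']}: Server header leaks version: {host['server_header']}")
    for port, svc in unnecessary_services(host["open_ports"], host["allowed_ports"]).items():
        findings.append(f"{host['name']}: unnecessary service {svc} on port {port}")
    return findings


def probe_tls_version(hostname, port, version, timeout=5.0):
    """Live check: does the server complete a handshake pinned to one TLS version?

    Returns True if the handshake succeeds. False can also mean the local OpenSSL
    refused the version, so confirm a negative result against the ASV report itself.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not certificate trust
        ctx.minimum_version = ctx.maximum_version = version
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


# Constructed inventory: the same payment-page host before and after remediation.
SAMPLE_INVENTORY = [
    {
        "name": "pay.example.com",
        "tls_versions": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
        "server_header": "Apache/2.4.41 (Ubuntu)",
        "open_ports": {22, 23, 443},
        "allowed_ports": {22, 443},
    },
    {
        "name": "pay.example.com (remediated)",
        "tls_versions": {"TLSv1.2", "TLSv1.3"},
        "server_header": "Apache",
        "open_ports": {22, 443},
        "allowed_ports": {22, 443},
    },
]

if __name__ == "__main__":
    for host in SAMPLE_INVENTORY:
        for finding in evaluate_host(host) or [f"{host['name']}: no findings"]:
            print(finding)
    # Live probe against your own host, e.g.:
    # print(probe_tls_version("pay.example.com", 443, ssl.TLSVersion.TLSv1_1))
```

Run the inventory checks before every quarterly scan; the first record produces four findings (two deprecated protocols, the version banner, and telnet), the remediated record produces none. The live probe is the one to run against your real public-facing IPs, one TLS version at a time.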
The Quarterly Compliance Checklist
- Quarterly Schedule: Complete one successful scan every 90 days.
- Remediation Window: Leave 2–3 weeks between the initial scan and the deadline to fix "Failing" vulnerabilities (CVSS scores 4.0 or higher).
- Attestation: Review and "attest" to the final report in the Secusy dashboard to generate your official compliance PDF.
- Significant Change: Perform an ad-hoc ASV scan whenever you change your network topology or upgrade your web server software.
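The checklist reduces to two numbers: a finding with CVSS 4.0 or higher fails the scan, and a passing scan is due every 90 days with a few weeks of remediation time in front of it. The helper below is an added example, not Secusy's code or part of its dashboard; it applies those rules to a constructed set of findings and scan dates so you can see when the next scan must start and where a cadence gap would have occurred. The CVSS scores are made-up sample values, not real vulnerability ratings.

```python
from datetime import date, timedelta

FAIL_THRESHOLD = 4.0                      # CVSS 4.0 or higher fails an ASV scan
QUARTER_DAYS = 90                         # one successful scan every 90 days
REMEDIATION_BUFFER = timedelta(weeks=3)   # upper end of the 2-3 week window above


def failing_findings(findings):
    """Findings that by themselves cause the scan report to read 'Fail'."""
    return [f for f in findings if f["cvss"] >= FAIL_THRESHOLD]


def scan_passes(findings):
    """A scan passes only when nothing scores at or above the threshold."""
    return not failing_findings(findings)


def next_scan_deadline(last_pass):
    """Date by which the next passing scan must be on file."""
    return last_pass + timedelta(days=QUARTER_DAYS)


def start_scanning_by(last_pass):
    """Kick off the next scan this early so failures can be fixed before the deadline."""
    return next_scan_deadline(last_pass) - REMEDIATION_BUFFER


def cadence_gaps(passing_scan_dates):
    """Consecutive passing scans more than 90 days apart, as (earlier, later, days)."""
    dates = sorted(passing_scan_dates)
    gaps = []
    for earlier, later in zip(dates, dates[1:]):
        gap = (later - earlier).days
        if gap > QUARTER_DAYS:
            gaps.append((earlier, later, gap))
    return gaps


# Constructed sample report: only the first and third findings are at or above 4.0.
SAMPLE_FINDINGS = [
    {"title": "finding A", "cvss": 7.5},
    {"title": "finding B", "cvss": 3.1},
    {"title": "finding C", "cvss": 4.0},
]

# Constructed history: the third scan was late, so a quarter was missed.
SAMPLE_PASS_DATES = [date(2026, 1, 15), date(2026, 4, 15), date(2026, 7, 20)]

if __name__ == "__main__":
    print("passes:", scan_passes(SAMPLE_FINDINGS))
    for f in failing_findings(SAMPLE_FINDINGS):
        print("must fix:", f["title"], f["cvss"])
    last = max(SAMPLE_PASS_DATES)
    print("start next scan by:", start_scanning_by(last))
    print("next scan deadline:", next_scan_deadline(last))
    for earlier, later, days in cadence_gaps(SAMPLE_PASS_DATES):
        print(f"cadence gap: {earlier} -> {later} ({days} days)")
```

Feed `cadence_gaps` the attestation dates from your own report archive; any tuple it returns is a quarter your bank could question, and the "significant change" rule means an extra ad-hoc scan never hurts the cadence.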
The Secusy Advantage: PCI Compliance for SMBs
Most enterprise ASV tools are built for Fortune 500 companies, with pricing and complexity to match.
Secusy ASV was designed to solve the “compliance headache” for smaller IT teams and businesses.
- No Technical Bloat: We focus on the PCI DSS 4.0.1 requirements you actually need to pass.
- Fast Support: If you get a "Fail" on a specific port, our experts help you understand the remediation steps immediately, not via a ticket that takes a week.
- Transparent Pricing: No “enterprise” quotes. Just affordable, audit-ready scanning.