Your acquirer is asking for ASV scan results. Your QSA just flagged Requirement 11.3.2. Or you've been told you need a "PCI external scan" and nobody has explained what that actually means. This post covers exactly what PCI ASV scanning requires: who it applies to, what gets scanned, how often, and what passing actually looks like under PCI DSS 4.0.1.
Under PCI DSS 4.0.1, Requirement 11.3.2 mandates that any merchant or service provider in scope must conduct external vulnerability scans at least once every three months using a PCI SSC-listed Approved Scanning Vendor.
The scan must cover all Internet-facing components connected to the cardholder data environment (CDE). A passing certificate is only issued when all high and medium CVSS-scored vulnerabilities are remediated and a clean rescan confirms the result.
This is where a lot of businesses get caught out. The requirement isn’t universal; it depends on which Self-Assessment Questionnaire (SAQ) your acquirer or payment brand has assigned to you.
ASV scanning is required under the following SAQ types:
| SAQ Type | Who It Applies To | ASV Scan Required? |
|---|---|---|
| SAQ A | E-commerce merchants using redirects or iframes to a compliant TPSP | Yes (PCI DSS v4 addition) |
| SAQ A-EP | E-commerce merchants with partially outsourced payment pages | Yes |
| SAQ B-IP | Merchants using IP-connected POI devices | Yes |
| SAQ C | Merchants with payment application systems connected to the internet | Yes |
| SAQ D (Merchants) | All merchants not covered by A, B, B-IP, or C | Yes |
| SAQ D (Service Providers) | Service providers storing, processing, or transmitting cardholder data | Yes |
| SAQ B | Merchants using only imprint machines or standalone dial-out terminals | No |
Important nuance on SAQ A: PCI DSS 4.0.1 expanded ASV scan requirements to SAQ A merchants, specifically those whose webpage either redirects to a PCI DSS-compliant third-party service provider (TPSP) or embeds a compliant TPSP payment page via iframe.
This was a deliberate response to the volume of e-commerce breaches targeting these redirect and iframe integrations. If you run a Shopify, WooCommerce, or similar store using a hosted checkout, you likely fall here.
If you’re unsure which SAQ applies to you, your acquiring bank or payment brand defines that, not your ASV.
The scope of an ASV scan covers all Internet-facing components that are part of, or connect to, your cardholder data environment. This includes:
What’s often missed: basic functions like email servers and general internet access can technically create a route into your network. The PCI SSC ASV Program Guide is explicit that even seemingly low-risk paths need to be evaluated against your CDE boundary.
If you’re using network segmentation to reduce scope, your ASV will need confirmation of proper segmentation before excluding systems.
If you host part of your CDE with an ISP or multi-tenant provider, there are two ways this gets handled:
Either way, the compliance responsibility sits with you as the scan customer. Make sure you know which route your provider takes before your next scan cycle.
A passing scan under the ASV Program Guide isn’t just “no critical vulnerabilities found.” The full requirement includes:
One thing worth understanding: a passing ASV scan certificate only confirms compliance with Requirement 11.3.2. It does not certify compliance with the rest of PCI DSS.
Your scan report is one piece of evidence your acquirer or QSA reviews, not a full compliance endorsement.
Failing scans don’t end your compliance cycle; they start a remediation loop.
The process under the ASV Program Guide:
A point practitioners often overlook: Denial of Service (DoS) vulnerabilities, where CVSS Confidentiality Impact and Integrity Impact are both “None”, are explicitly excluded from failing a scan under ASV Program Guide rules. ASVs are required not to count DoS-only vulnerabilities as compliance failures. If an ASV is failing your scan for a pure DoS finding with no cardholder data exposure risk, that’s a dispute worth raising.
Similarly, the Triple DEA (3DES/TDES) cipher vulnerability is ranked as Medium by CVSS. Under Requirement 11.2.2, medium and high vulnerabilities must be corrected, but your ASV can re-rank a vulnerability’s severity if your specific environment justifies it, and you can dispute findings where compensating controls reduce the real-world risk.
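The pass/fail determination described above (anything scored Medium or higher fails, a DoS-only finding whose CVSS Confidentiality and Integrity impacts are both None is excluded, and scans must recur at least every three months), worked through as an added example. This is not code from the post or from any ASV's tooling. It assumes each finding carries a CVSS v3.x base score and vector string, uses 4.0 (the bottom of the Medium band) as the fail threshold, treats "every three months" as a 90-day gap, and the sample findings and scan dates are constructed:

```python
"""Triage ASV scan findings against the ASV Program Guide pass/fail rule.

Added example, not from the original post or any ASV's own tooling.
Assumptions: findings carry a CVSS v3.x base score and vector string; the
fail threshold of 4.0 (Medium and above) and the DoS-only exclusion
(Confidentiality and Integrity impact both None) follow the rule as the
post describes it; "every three months" is approximated as 90 days.
"""
from dataclasses import dataclass
from datetime import date

FAIL_THRESHOLD = 4.0   # CVSS base score of 4.0 (Medium) or higher fails the scan
MAX_GAP_DAYS = 90      # assumption: "at least every three months" as a 90-day gap


@dataclass
class Finding:
    host: str
    title: str
    cvss_score: float
    cvss_vector: str   # e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"


def parse_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector string into a metric map, e.g. {'AV': 'N', ...}."""
    metrics = {}
    for part in vector.split("/"):
        if ":" not in part:
            continue
        key, value = part.split(":", 1)
        if key == "CVSS":          # version prefix, not a metric
            continue
        metrics[key] = value
    return metrics


def is_dos_only(vector: str) -> bool:
    """True when Confidentiality and Integrity impacts are both None.

    A missing or malformed vector yields an empty map, so the finding is NOT
    treated as DoS-only; the conservative default is to keep it as a failure.
    """
    m = parse_vector(vector)
    return m.get("C") == "N" and m.get("I") == "N"


def classify(finding: Finding) -> str:
    """Return 'pass', 'dos-excluded', or 'fail' for a single finding."""
    if finding.cvss_score < FAIL_THRESHOLD:
        return "pass"
    if is_dos_only(finding.cvss_vector):
        return "dos-excluded"    # scored Medium+ but carries no C/I impact
    return "fail"


def blocking_findings(findings):
    """The findings that must be remediated before a clean rescan can pass."""
    return [f for f in findings if classify(f) == "fail"]


def scan_passes(findings) -> bool:
    return not blocking_findings(findings)


def first_cadence_gap(iso_dates, max_gap_days=MAX_GAP_DAYS):
    """Return the first pair of consecutive passing-scan dates (ISO strings)
    that are more than max_gap_days apart, or None if cadence is intact."""
    dates = sorted(date.fromisoformat(d) for d in iso_dates)
    for earlier, later in zip(dates, dates[1:]):
        if (later - earlier).days > max_gap_days:
            return earlier.isoformat(), later.isoformat()
    return None


# Constructed sample findings (hosts, titles, scores and vectors are made up).
SAMPLE_FINDINGS = [
    Finding("shop.example", "TLS server offers 3DES cipher suites", 5.9,
            "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    Finding("shop.example", "HTTP request flood exhausts worker pool", 7.5,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    Finding("mail.example", "Server banner discloses software version", 3.7,
            "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"),
]

# Constructed passing-scan dates: the second gap exceeds 90 days.
SAMPLE_SCAN_DATES = ["2025-01-10", "2025-04-05", "2025-08-01"]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{classify(f):13} {f.cvss_score:>4}  {f.host}: {f.title}")
    print("scan passes:", scan_passes(SAMPLE_FINDINGS))
    print("cadence gap:", first_cadence_gap(SAMPLE_SCAN_DATES))
```

The DoS-only check is what turns a 7.5 availability-only finding into a dispute point rather than a failure, while the 3DES finding stays blocking at 5.9 unless the ASV accepts a re-rank or compensating control; the cadence check flags the April-to-August gap so it can be caught before the next assessment rather than after.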
Most businesses that struggle to pass their first scan run into the same issues:
PCI ASV scanning under PCI DSS 4.0.1 Requirement 11.3.2 is a quarterly external vulnerability scan of all Internet-facing systems connected to your CDE, performed by a PCI SSC-listed vendor. A passing result requires remediation of all medium-severity and above findings, confirmed by a clean rescan.
The requirement applies to most e-commerce merchants, SaaS companies handling card payments, and service providers, including SAQ A merchants since PCI DSS v4. It does not confirm full PCI compliance, but it is a mandatory component of it.
For the full mechanics of the scanning process (what is in scope, what fails, and how to prepare), see our complete guide to PCI ASV scanning services.
Secusy ASV is PCI SSC-listed. From $80/year per IP, with unlimited rescans and analyst support, not a ticket queue. Book your PCI ASV scan and get your pass certificate within 24 hours.
External references: PCI SSC ASV Resource Guide | ASV Program Guide v4.0r2