What is an Approved Scanning Vendor?

An Approved Scanning Vendor (ASV) is an organisation certified by the PCI SSC to perform external network vulnerability scans as required by PCI DSS Requirement 11.2.

What Is an Approved Scanning Vendor?

An Approved Scanning Vendor, or ASV, is a company that has been certified by the Payment Card Industry Security Standards Council (PCI SSC) to perform external vulnerability scans on internet-facing systems. Think of an ASV as a qualified inspector who checks the locks on your digital doors and windows -- making sure there are no obvious ways for attackers to break in from the outside.

These scans are a core requirement of PCI DSS. If your business accepts card payments and has any systems connected to the internet, you almost certainly need quarterly ASV scans to stay compliant.

How ASV Scanning Works

An ASV scan is an automated process that probes your external-facing IP addresses and domains for known vulnerabilities. The scan looks for things like outdated software, misconfigured servers, open ports that should be closed, weak encryption, and known security flaws in web applications.

The process typically works like this:

  • You provide the ASV with a list of your external IP addresses, web servers, and domains
  • The ASV runs automated scanning tools against those targets
  • The scan identifies vulnerabilities and rates their severity
  • You receive a report detailing what was found, along with a pass or fail result
  • If you fail, you fix the issues and rescan until you pass

Scans must be completed at least once every 90 days, though many organisations run them more frequently. Each scan is a snapshot -- it tells you whether your systems were secure at that point in time.

What Makes an ASV Different from Any Scanner?

Anyone can download a vulnerability scanner and run it against a website. What sets an ASV apart is the certification process. The PCI SSC tests and validates ASV companies to ensure their scanning tools meet specific standards for accuracy, thoroughness, and reporting. Only companies on the PCI SSC's official list of approved vendors can provide scans that count towards PCI DSS compliance.

This matters because your acquiring bank or payment processor will ask for proof of passing ASV scans. A scan from a non-approved tool will not satisfy the requirement, no matter how thorough it might be.

Why ASV Scans Matter for Businesses

Vulnerability scanning is one of the most practical security measures a business can take. External-facing systems are the most common target for attackers because they are, by definition, accessible from anywhere in the world. A single unpatched web server or a misconfigured firewall can give criminals a way in.

Regular ASV scans catch these issues before attackers do. They also create a documented history of your security posture, which is valuable during compliance audits and in the event of a security incident.

For smaller businesses, ASV scans are often the most cost-effective way to demonstrate that external systems are being actively monitored and maintained. The scans are relatively inexpensive and can be completed without disrupting normal operations.

ASV Scanning and Telephone Payments

If your business takes payments over the phone, you might wonder whether ASV scans apply to your telephony systems. The answer depends on your setup. If your phone payment systems connect to the internet -- for example, a VoIP-based contact centre or a web-based virtual terminal -- those systems are likely in scope for ASV scanning.

However, if you use a third-party service that handles the payment data on your behalf, the scanning obligation may shift to that provider. This is one of the key benefits of using a descoping solution for phone payments: by keeping card data out of your own systems, you reduce the number of assets that need to be scanned and the overall burden of PCI compliance.

Practical Considerations

There are a few things worth knowing before your first ASV scan:

  • Scans can occasionally trigger intrusion detection alerts or temporarily affect system performance, so it is worth scheduling them during quieter periods
  • False positives are common -- the scan may flag something as a vulnerability that is actually a non-issue in your specific configuration. Most ASVs have a dispute process for these cases
  • Failing a scan is not a disaster. It simply means you have work to do. Fix the identified issues, rescan, and document the remediation
  • Keep records of all scan reports, whether pass or fail. Your QSA or acquiring bank may ask to see the full history
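The pass/fail and quarterly-cadence rules from the scan process described earlier, together with the false-positive dispute handling from the list above, can be applied to a scan history programmatically. The script below is an added example, not Paytia's code or any ASV's tooling: it treats a finding as blocking when its CVSS base score is 4.0 or higher (the threshold the PCI ASV Program Guide uses) and not accepted as a false positive, and it flags any two consecutive passing scans more than 90 days apart. The report structure, the `disputed` flag and the sample history are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# PCI ASV Program Guide rule: a finding with CVSS base score >= 4.0 makes the
# scan non-compliant unless the ASV accepts it as a false positive on dispute.
FAIL_CVSS = 4.0
MAX_GAP_DAYS = 90  # PCI DSS cadence: a passing scan at least once every 90 days

@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    disputed: bool = False  # assumed field: ASV accepted this as a false positive

@dataclass
class ScanReport:
    scanned_on: date
    findings: list[Finding] = field(default_factory=list)

def blocking_findings(report: ScanReport) -> list[Finding]:
    """Findings that fail the scan: CVSS >= 4.0 and not resolved through dispute."""
    return [f for f in report.findings if f.cvss >= FAIL_CVSS and not f.disputed]

def scan_passes(report: ScanReport) -> bool:
    return not blocking_findings(report)

def cadence_gaps(reports: list[ScanReport]) -> list[tuple[date, date]]:
    """Consecutive passing scans more than MAX_GAP_DAYS apart. Failed scans do
    not satisfy the quarterly requirement, so only passing dates are compared."""
    passing = sorted(r.scanned_on for r in reports if scan_passes(r))
    return [(a, b) for a, b in zip(passing, passing[1:]) if (b - a).days > MAX_GAP_DAYS]

# Constructed sample history (not real scan data); hosts are documentation addresses.
HISTORY = [
    ScanReport(date(2024, 1, 10), [Finding("203.0.113.10", "TLS 1.0 enabled", 6.5)]),
    ScanReport(date(2024, 1, 24), [  # rescan after remediation; banner-based false positive disputed
        Finding("203.0.113.10", "Outdated web server version (banner)", 7.5, disputed=True)]),
    ScanReport(date(2024, 4, 20)),  # 87 days after the previous pass: within the window
    ScanReport(date(2024, 8, 1), [Finding("203.0.113.12", "ICMP timestamp disclosure", 2.1)]),
]

if __name__ == "__main__":
    for r in HISTORY:
        print(r.scanned_on, "PASS" if scan_passes(r) else "FAIL", [f.title for f in blocking_findings(r)])
    print("cadence gaps (>90 days between passes):", cadence_gaps(HISTORY))
```

Run against your own report history, the gap check is what an acquirer or QSA would notice: the August scan passes on its own, but the 103-day gap since the previous pass still breaks the quarterly requirement.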

ASV scanning is not a silver bullet. It only checks external-facing systems and only looks for known vulnerabilities. It does not test internal networks, and it cannot catch every possible attack. But as part of a layered security approach, regular ASV scans are one of the most straightforward ways to reduce risk and demonstrate due diligence.

Choosing an ASV

When selecting an ASV, look for a provider that offers clear reporting, responsive support for resolving false positives, and a straightforward rescanning process. Some ASVs bundle scanning with other compliance services, which can be convenient if you need help interpreting results or remediating issues. Always verify that the provider appears on the PCI SSC's official list of approved vendors before engaging their services -- this list is publicly available on the PCI SSC website and is updated regularly.

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform incorporates Approved Scanning Vendor (ASV) scanning as part of its comprehensive security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.

Frequently Asked Questions

What is an Approved Scanning Vendor?

An Approved Scanning Vendor (ASV) is an organisation certified by the PCI SSC to perform external network vulnerability scans as required by PCI DSS Requirement 11.2.

Why is Approved Scanning Vendor scanning important for PCI DSS?

PCI DSS requires organisations to have external vulnerability scans performed by an Approved Scanning Vendor as part of their security controls for protecting cardholder data.

How does Paytia handle Approved Scanning Vendor scanning?

Paytia includes Approved Scanning Vendor scanning as part of its PCI DSS Level 1 certified infrastructure, ensuring all phone payments are processed securely.

See how Paytia handles Approved Scanning Vendor (ASV) scanning

Book a personalised demo and we'll show you how our platform works with your setup.
