What is Approved Scanning Vendor?
An Approved Scanning Vendor is a company the PCI Security Standards Council has certified to run external vulnerability scans against any internet-facing system in your cardholder data environment. PCI DSS Requirement 11.3.2 makes those scans mandatory every 90 days. The ASV produces a pass-or-fail report against criteria the Council defines, and a failed scan means you fix what's broken and rescan until you pass.
An Approved Scanning Vendor (ASV) is a company the PCI Security Standards Council has certified to perform external vulnerability scans on any internet-facing IP that's part of a merchant's cardholder data environment. PCI DSS Requirement 11.3.2 makes these scans mandatory at least once every 90 days. The scan hunts for known weaknesses — missing patches, weak TLS, exposed services, misconfigured firewalls — and produces a report with a pass or fail result against criteria the PCI SSC defines. If you fail, you fix what's broken and rescan. There are roughly 80 ASVs worldwide, including Qualys, Rapid7, Trustwave, NCC Group and Vista InfoSec.
An ASV isn't a generic security auditor. Its remit is narrow: external scanning only. A QSA handles the full PCI DSS assessment; internal scans under Requirement 11.3.1 you can run yourself; and the annual penetration test under Requirement 11.4 goes much deeper than anything an ASV does. Most managed-PCI providers fold ASV scans into their service so you don't have to pick a vendor or chase quarterly deadlines yourself. That's how we handle it for Paytia customers using DTMF masking, since reducing what's in scope also reduces what needs scanning.
What Is an Approved Scanning Vendor?
An ASV is a company the PCI Security Standards Council has certified to test the outside of your network — the IPs and domains anyone on the internet can reach. Think of it as a qualified inspector checking the locks on your digital doors and windows. If your business accepts card payments and has anything connected to the internet, you almost certainly need quarterly ASV scans to stay compliant.
How ASV Scanning Works
An ASV scan is an automated probe against your external-facing IPs, web servers, and domains. It looks for outdated software, misconfigured servers, ports that shouldn't be open, weak encryption, and known flaws in web applications. The process runs like this:
- You hand the ASV a list of your external IP addresses, web servers, and domains
- The ASV's scanning tools run against those targets
- Vulnerabilities get identified and rated by severity
- You get a report with the findings and a pass-or-fail result
- If you fail, you fix what's broken and rescan until you pass
Scans must happen at least once every 90 days. Plenty of organisations run them more often than that. Each scan is a snapshot — it tells you whether your systems were secure at that moment.
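The cadence and rescan loop described above, as an added example that is not code from the original page or from Paytia's platform: a small Python tracker over a constructed scan history that flags gaps longer than 90 days between passing scans, works out when the next scan is due, and lists failed scans not yet followed by a pass. The ScanReport structure, the dates and the host addresses are assumptions.

```python
# Added example, not code from the original page: a small tracker for a
# history of ASV scan reports that checks the 90-day cadence PCI DSS
# Requirement 11.3.2 requires and lists failed scans still awaiting a rescan.
from dataclasses import dataclass
from datetime import date, timedelta

SCAN_INTERVAL = timedelta(days=90)  # at least one passing scan every 90 days


@dataclass(frozen=True)
class ScanReport:
    scan_date: date
    passed: bool
    failed_hosts: tuple = ()  # hosts the ASV flagged as failing


def cadence_status(reports, today):
    """Summarise a scan history: gaps longer than 90 days between passing
    scans, whether the next scan is overdue, and when it is next due."""
    passes = sorted(r.scan_date for r in reports if r.passed)
    if not passes:
        return {"compliant": False, "gaps": [], "next_due": today, "overdue": True}
    gaps = [(a, b) for a, b in zip(passes, passes[1:]) if b - a > SCAN_INTERVAL]
    next_due = passes[-1] + SCAN_INTERVAL
    overdue = today > next_due
    return {"compliant": not gaps and not overdue, "gaps": gaps,
            "next_due": next_due, "overdue": overdue}


def awaiting_rescan(reports):
    """Failed reports with no later passing scan: these hosts still need
    fixing and rescanning before the quarter can be evidenced."""
    passes = [r.scan_date for r in reports if r.passed]
    latest_pass = max(passes) if passes else date.min
    return sorted((r for r in reports if not r.passed and r.scan_date > latest_pass),
                  key=lambda r: r.scan_date)


# Constructed sample history; 203.0.113.0/24 is a documentation-only range.
SAMPLE_REPORTS = [
    ScanReport(date(2024, 1, 10), True),
    ScanReport(date(2024, 4, 5), True),
    ScanReport(date(2024, 7, 20), False, ("203.0.113.10",)),
    ScanReport(date(2024, 7, 28), True),  # rescan after remediation
    ScanReport(date(2024, 9, 15), False, ("203.0.113.10", "203.0.113.11")),
]

if __name__ == "__main__":
    print(cadence_status(SAMPLE_REPORTS, today=date(2024, 10, 1)))
    print([r.scan_date for r in awaiting_rescan(SAMPLE_REPORTS)])
```

In the sample, the 114-day stretch between the April and late-July passes is what makes the history non-compliant even though the next scan is not yet overdue.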
What Makes an ASV Different from Any Scanner?
Anyone can download Nessus or OpenVAS and run it against a website. The thing that makes an ASV count is the certification process. The PCI SSC tests and validates each ASV's tooling against specific standards for accuracy, thoroughness, and reporting. Only companies on the Council's official list of approved vendors can produce a scan that satisfies PCI DSS.
This matters because your acquiring bank or payment processor will ask for proof of passing ASV scans. A scan from a non-approved tool won't satisfy the requirement, no matter how thorough it might be.
Why ASV Scans Matter for Businesses
External-facing systems are the most common target for attackers — by definition, they're reachable from anywhere on the planet. A single unpatched web server or a misconfigured firewall can be the way in. Regular ASV scans catch those issues before someone else does.
They also create a documented history of your security posture, which matters during a compliance audit and is invaluable if a breach actually happens. For smaller businesses, ASV scans are one of the cheapest ways to show that external systems are being actively monitored. They're affordable and they don't disrupt normal operations.
ASV Scanning and Telephone Payments
If you take payments over the phone, you might wonder whether ASV scans apply to your telephony kit. It depends on the setup. If your phone payment systems connect to the internet — a VoIP-based contact centre, a web-based virtual terminal — those systems are probably in scope for ASV scanning.
If you route the payment through a third-party service that handles the card data on your behalf, the scanning obligation often shifts to that provider. This is one of the underrated benefits of descoping your phone payments. By keeping card data out of your own systems, you cut the number of assets that need scanning and the overall PCI burden.
Practical Considerations
A few things worth knowing before your first ASV scan:
- Scans can occasionally trigger your own intrusion detection alerts or briefly affect system performance, so it's worth scheduling them during quiet periods
- False positives happen. The scan may flag something that isn't actually exploitable in your specific configuration. Every ASV has a dispute process for these — use it
- A failed scan isn't a disaster. It just means you've got work to do. Fix what's flagged, rescan, document the remediation
- Keep every report, pass or fail. Your QSA or acquiring bank may want to see the full history
ASV scanning isn't a silver bullet. It only looks at external systems, and it only catches known vulnerabilities. It doesn't test your internal network, and it won't spot every possible attack. But as one layer in a layered security approach, regular ASV scans are one of the most straightforward ways to reduce risk and prove due diligence.
Choosing an ASV
When picking an ASV, look for clear reporting, responsive support when you need to dispute false positives, and a straightforward rescanning process. Some ASVs bundle scanning with other compliance services, which can be useful if you also want help interpreting results or fixing what's flagged. Always check the provider is on the PCI SSC's official list — it's public, it's on the SSC website, and it's updated regularly.
Paytia's PCI DSS Level 1 certified platform incorporates Approved Scanning Vendor scans as part of its security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.
Frequently Asked Questions
What is an approved scanning vendor?
An ASV is a company certified by the PCI Security Standards Council to run external network vulnerability scans against your internet-facing IPs and domains. Those scans are required under PCI DSS Requirement 11.3.2 every 90 days — anyone with an internet-facing system in their cardholder data environment needs them.
Why is an approved scanning vendor important for PCI DSS?
Because PCI DSS Requirement 11.3.2 specifically demands quarterly external scans from an ASV — not from any scanner you happen to own. Your acquirer will ask for the reports, and a scan from a non-approved tool won't count. It's the only way to satisfy that part of the standard.
How does Paytia handle approved scanning vendor scans?
We're a PCI DSS Level 1 service provider, so we run ASV scans against our own infrastructure as part of our annual audit. The bigger win for our customers is what happens to their scope. When you route phone payments through Paytia, your contact centre and call recordings drop out of PCI scope, which means fewer of your own systems need ASV scanning in the first place.