In today’s digital age, accepting credit cards means taking responsibility for keeping cardholder data secure. One of the critical steps in doing that—and maintaining PCI DSS compliance—is performing regular ASV scans. But what exactly is an ASV scan, and why is your processor asking (or charging) you for it?
Let’s break it down.
🧠 What Is an ASV Scan?
ASV stands for Approved Scanning Vendor. An ASV scan is an external vulnerability scan of your internet-facing systems, run from the internet (without credentials, the way an outside attacker would see you) by a third-party security provider that has been certified by the PCI Security Standards Council (PCI SSC) and is repeated at least once every three months.
The goal? To identify weaknesses in your business's public-facing systems, such as your website, payment portal, or any server reachable from the internet, that an attacker could exploit to reach cardholder data.
🛡 Why Are ASV Scans Required?
The Payment Card Industry Data Security Standard (PCI DSS) mandates these scans under Requirement 11 (external vulnerability scans at least once every three months by an ASV: Requirement 11.3.2 in PCI DSS v4.x, 11.2.2 in v3.2.1). Your PCI merchant level does not change whether the scans are required; it changes how you validate compliance (self-assessment questionnaire versus an on-site assessment) and what your acquirer asks you to submit. Any business whose cardholder data environment includes internet-facing systems, whether it stores, processes, or transmits cardholder data, is in scope for ASV scanning.
They help:
- Identify vulnerabilities in your external systems
- Proactively address risks before they can be exploited
- Ensure compliance with PCI DSS
- Avoid non-compliance fees from your acquirer, and the far larger cost of a breach
📊 Who Needs an ASV Scan?
If you're not sure whether you're required to complete ASV scans, here's a general guideline based on PCI merchant levels (these are Visa's thresholds; other card brands define their levels slightly differently, and your acquirer assigns your level):
| Merchant Level | Annual Transactions | ASV Scan Required? |
|---|---|---|
| Level 1 | Over 6 million | ✅ Yes |
| Level 2 | 1–6 million | ✅ Yes |
| Level 3 | 20,000 – 1 million (e-commerce only) | ✅ Yes |
| Level 4 | Fewer than 20,000 e-commerce, or up to 1 million overall | ✅ Usually (what you must submit is set by your acquirer or processor) |
Note: Even as a Level 4 merchant, you need ASV scans whenever any system in your cardholder data environment is reachable from the internet, for example your own e-commerce site, a payment page you host, or a point-of-sale system with a public IP address. Merchants whose payment processing is fully outsourced to a validated third party may have no internet-facing systems in scope; your acquirer or processor confirms which self-assessment questionnaire (SAQ) applies to you and what it requires.
🧾 What’s Included in an ASV Scan?
An ASV scan covers every internet-facing IP address and domain name that is part of, or could affect the security of, your cardholder data environment. That includes:
- Public IP addresses (every address you own that is reachable from the internet, not just the web server)
- Web applications, including the payment page itself
- Remote access points (e.g., VPN gateways and exposed remote-desktop services)
- Network services and listening ports
You declare that scope to the ASV, so an inventory mistake (a hostname that now resolves to a new hosting provider, a forgotten IPv6 address, a test server with a public IP) means the missing system is simply not scanned and the report is incomplete. Two other points catch merchants out: your firewall, IPS, or WAF must not block or rate-limit the scanner (the ASV program requires an unimpeded scan, so you allowlist the vendor's scanner addresses), and the pass/fail rule is mechanical. Under the PCI SSC ASV Program Guide, any vulnerability with a CVSS base score of 4.0 or higher fails the component it was found on, and one failing component fails the whole scan. If the scan fails, the report lists each finding with its score and remediation guidance; you fix the issue (or dispute a false positive with evidence, which the ASV reviews) and rescan until you have a clean report.
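Two of the checks described above can be scripted before and after a scan: confirming that every public hostname in the cardholder data environment resolves into the IP ranges you declared to the ASV, and triaging the report so remediation starts with the findings that actually block a pass. The following is an added example written for this page; it is not code from any ASV or from the PCI SSC. The hostnames, addresses, CIDR ranges, findings and CVSS scores are constructed sample data, and the only rule taken from the ASV Program Guide is the CVSS 4.0 failure threshold.

```python
"""Pre-scan scope check and post-scan triage for an ASV scan (added example).

1. Before the scan: does every public hostname in the cardholder data
   environment resolve to an address inside the IP ranges declared to the ASV?
   A name that resolves outside the declared scope is simply not scanned.
2. After the scan: which findings block a pass? The one rule taken from the
   PCI SSC ASV Program Guide is that a CVSS base score of 4.0 or higher fails
   the component, and one failing component fails the whole scan.

All hostnames, addresses, CIDRs, findings and scores below are constructed
sample data, not output from a real ASV.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the IP ranges the merchant declared to the ASV (RFC 5737 TEST-NET).
DECLARED_SCOPE = ["203.0.113.0/28", "198.51.100.10/32"]

# Constructed: stand-in for DNS answers for the CDE's public hostnames.
# In a real run these come from a resolver (e.g. socket.getaddrinfo); the
# lookup is deliberately not performed so the example runs offline.
RESOLVED = {
    "shop.example.com": ["203.0.113.5"],
    "pay.example.com": ["203.0.113.6", "2001:db8::6"],   # AAAA record nobody declared
    "api.example.com": ["192.0.2.44"],                    # moved to another host
}


def out_of_scope_hosts(resolved, declared_cidrs):
    """Map hostname -> addresses that fall outside every declared CIDR."""
    nets = [ip_network(c) for c in declared_cidrs]
    gaps = {}
    for name, addrs in resolved.items():
        # An IPv6 address is never "in" an IPv4 network, so an undeclared
        # AAAA record shows up here as well as a plain wrong IPv4 address.
        missing = [a for a in addrs if not any(ip_address(a) in n for n in nets)]
        if missing:
            gaps[name] = missing
    return gaps


ASV_FAIL_THRESHOLD = 4.0  # CVSS base score at or above which an ASV scan fails


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float  # CVSS base score as reported by the scanner


# Constructed findings, roughly what a scanner reports for a small e-commerce perimeter.
SAMPLE_FINDINGS = [
    Finding("shop.example.com", 443, "TLS 1.0 enabled", 6.5),
    Finding("shop.example.com", 443, "Server banner discloses version", 2.6),
    Finding("pay.example.com", 443, "HTTP TRACE method enabled", 3.5),
    Finding("api.example.com", 3306, "Database service reachable from the internet", 7.5),
    Finding("api.example.com", 22, "Outdated SSH server version", 5.3),
]


def triage(findings, threshold=ASV_FAIL_THRESHOLD):
    """Split findings into those that block a pass and those that do not.

    Returns (overall_pass, failing, informational). Failing findings are
    ordered highest CVSS first so remediation starts with the worst item.
    """
    failing = sorted(
        (f for f in findings if f.cvss >= threshold),
        key=lambda f: (-f.cvss, f.host, f.port),
    )
    informational = [f for f in findings if f.cvss < threshold]
    return not failing, failing, informational


def per_host_status(findings, threshold=ASV_FAIL_THRESHOLD):
    """'FAIL' or 'PASS' per scanned host; a single FAIL fails the whole scan."""
    status = {}
    for f in findings:
        status.setdefault(f.host, "PASS")
        if f.cvss >= threshold:
            status[f.host] = "FAIL"
    return status


if __name__ == "__main__":
    for host, addrs in out_of_scope_hosts(RESOLVED, DECLARED_SCOPE).items():
        print(f"scope gap: {host} resolves to {', '.join(addrs)} outside declared ranges")
    ok, failing, _ = triage(SAMPLE_FINDINGS)
    print("overall:", "PASS" if ok else "FAIL")
    for f in failing:
        print(f"  fix first: {f.host}:{f.port} {f.title} (CVSS {f.cvss})")
    print(per_host_status(SAMPLE_FINDINGS))
```

Run the scope check before you submit your IP list to the ASV; on the sample data it flags api.example.com (resolves to an undeclared range) and the IPv6 address on pay.example.com. The triage on the sample report shows the scan failing on three findings across two hosts while the two low-scored items are informational and do not need to be fixed for the quarter, although they are still worth cleaning up.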
🔄 How Often Are ASV Scans Required?
Per PCI DSS:
- You must complete a passing scan at least once every three months (the requirement's "quarterly" cadence), and a full year of compliance means four consecutive passing quarterly scans
- You must submit the passing scan report (the ASV's attestation plus the executive summary) to your acquiring bank or payment processor when they ask for it
- The quarterly scans must be conducted by a PCI SSC-approved ASV
PCI DSS also requires an external vulnerability scan after any significant change to your environment (for example, a new hosting provider, a new internet-facing system, or firewall rule changes that expose a service). That change-driven rescan can be run by qualified internal staff rather than an ASV (Requirement 11.3.2.1 in v4.x), but it follows the same CVSS 4.0 pass threshold, and many merchants simply ask their ASV to run it.
💰 Why Are ASV Scans Sometimes Billed Separately?
Here's where confusion often arises. The PCI SSC does not charge merchants anything for compliance. But many payment processors bundle ASV scan services into a larger PCI Compliance Program and charge merchants a monthly or annual fee for:
- Access to a PCI portal and self-assessment tools (SAQs)
- Quarterly ASV scans
- Breach protection insurance
- Support and training resources
If you've been charged a PCI compliance fee, it usually covers ASV scans and the related tools. Check your agreement: in many cases you can opt out of the bundled program and use any ASV of your choosing, as long as you can still produce passing quarterly reports when your processor asks for them.
✅ How to Get Started with ASV Scans
- Check whether your processor provides ASV scans as part of its compliance program, and whether you are already paying for them.
- If not, engage a PCI SSC-approved vendor directly. The PCI SSC publishes the current list of Approved Scanning Vendors on its website; only vendors on that list can produce a valid ASV report.
- Build your scope list (every internet-facing IP address and domain in your cardholder data environment), allowlist the ASV's scanner addresses, run your first scan, fix anything scored CVSS 4.0 or higher, rescan, and submit the passing report.
- Schedule the scans every three months moving forward, and rescan after any significant change, to stay compliant.
🧩 Final Thoughts
An ASV scan may feel like just another compliance checkbox, but it's a useful security measure that helps protect your business and your customers. Think of it like a regular check-up for your network perimeter: it catches exposed services and unpatched software early and demonstrates your commitment to keeping cardholder data safe. Keep its limits in mind, too. It only sees what is reachable from the internet without credentials, so it does not replace the internal vulnerability scans and penetration testing that PCI DSS Requirement 11 also calls for.
Still have questions about your PCI compliance requirements or fees? Reach out to your processor or compliance support team—they should help you understand what you’re paying for and how to stay compliant efficiently.

