July 18, 2025

What is an Approved Scanning Vendor (ASV)?

Ivan Tsarynny

Summary

  • An Approved Scanning Vendor (ASV) is a company authorized by the PCI Security Standards Council to perform external vulnerability scans.
  • PCI DSS requires quarterly Approved Scanning Vendor (ASV) scans for all merchants and service providers with internet-facing systems in scope.
  • ASVs test for known vulnerabilities that could expose cardholder data.
  • Only PCI-certified ASVs can submit official scan reports to acquiring banks or processors.
  • Choosing the right Approved Scanning Vendor (ASV) can help you reduce false positives and avoid failed scans.

What Is an Approved Scanning Vendor?

An Approved Scanning Vendor (ASV) is a third-party security organization that has been certified by the PCI Security Standards Council (PCI SSC) to conduct external vulnerability scans on behalf of organizations that process, store, or transmit cardholder data.

ASVs perform automated scans of internet-facing systems to identify:

  • Known security vulnerabilities
  • Outdated software
  • Misconfigured services
  • Weak TLS/SSL configurations
  • Open ports or insecure protocols

Approved Scanning Vendor (ASV) scans are a required component of PCI DSS compliance for many merchants and service providers—especially those completing SAQ A-EP, SAQ D, or undergoing a full Report on Compliance (ROC).

What Is the Purpose of an Approved Scanning Vendor (ASV) Scan?

The goal of an ASV scan is to identify and document external threats to systems that are publicly accessible—such as:

  • eCommerce websites
  • Firewalls and routers
  • Remote access points
  • Web applications and APIs
  • Payment processors and checkout pages

Because these systems are exposed to the internet, they are frequent targets for attackers. The ASV scan ensures that organizations are not vulnerable to common exploits, such as:

  • Cross-site scripting (XSS)
  • SQL injection
  • Insecure services (e.g., Telnet, FTP)
  • Unpatched CVEs

PCI DSS Requirement 11.3.2 mandates quarterly ASV scans for all in-scope, internet-facing assets.

What Makes an ASV “Approved”?

To become an ASV, a company must:

  • Pass a rigorous testing and certification process by the PCI SSC
  • Demonstrate secure, accurate scanning tools and methodologies
  • Submit scan reports in the standardized PCI format
  • Undergo annual recertification to maintain listing

ASVs are not allowed to modify or “tune” results just to help a client pass. They must operate independently and adhere to the ASV Program Guide.

You can find the official list of ASVs on the PCI SSC website.

What Happens If an ASV Scan Fails?

If your ASV scan identifies one or more “Failing” vulnerabilities, you must:

  • Remediate the issue(s)—e.g., patch a vulnerability, reconfigure a service
  • Request a rescan of the affected assets
  • Receive a “Passing” scan that you can submit to your acquirer or QSA

Most ASVs provide detailed remediation instructions along with their findings. However, they cannot alter pass/fail results without evidence of actual fixes.

FAQ

Can I run my own scans instead of using an ASV?

No. Only a PCI-certified ASV can conduct and validate scans required under PCI DSS Requirement 11.3.2. Internal scans are useful but not sufficient.

Do I need an ASV if I use a hosted checkout solution?

Maybe not. If your site qualifies for SAQ A and cardholder data never touches your infrastructure, an ASV scan may not be required. But for SAQ A-EP or SAQ D, it is mandatory.

Conclusion

Approved Scanning Vendors (ASVs) play a critical role in helping organizations meet their PCI DSS external vulnerability scanning requirements. If your systems are exposed to the internet and part of your cardholder data environment, regular ASV scans aren’t optional—they’re mandatory.

ASVs help ensure:

  • Your internet-facing systems are not vulnerable to known exploits
  • You have formal, PCI-validated scan results to submit to banks or auditors
  • Issues are identified and remediated before they lead to a breach or compliance failure

While passing an ASV scan is a requirement, it’s also an opportunity: it helps reduce your external attack surface, validate patching and configurations, and strengthen your PCI DSS compliance posture.
