What are Approved Scanning Vendor (ASV) scans?


An Approved Scanning Vendor (ASV) check is a quarterly security scan of your payment systems to ensure they meet PCI DSS compliance standards. It identifies vulnerabilities in your network that could compromise cardholder data. These scans must be performed by a vendor who is certified by the PCI Security Standards Council.

Your business will need to undergo ASV scans if it processes card payments through e-commerce websites, payment applications accessible via the internet, or any system where cardholder data could potentially be accessed from outside your network.


Supporting evidence

PCI DSS v4.0, March 2022 – Requirement 11.3.2.1
(Mandatory for all entities with Internet-facing systems)
"External vulnerability scans must be performed quarterly by an Approved Scanning Vendor (ASV), and after any significant change, for all system components that are public-facing or that could provide access to the cardholder data environment."
    — PCI Security Standards Council (PCI SSC)

Approved Scanning Vendor Program Guide, v4.0
(Explicitly clarifies that the ASV requirement extends beyond e-commerce merchants)
"All Internet-facing IP addresses must be scanned, regardless of whether the system handles ecommerce or card-present transactions, if they are part of or provide a path to the cardholder data environment."
    — PCI Security Standards Council (PCI SSC)

PCI SSC Knowledge Base – FAQ #1233
(Reinforces that non-e-commerce merchants are subject to the same scanning requirement)
"External vulnerability scans are required for any internet-facing system that could impact cardholder data security. This applies whether you conduct transactions online or in person."
    — PCI Security Standards Council (PCI SSC)

Visa PCI DSS Compliance Program Guide
(Reinforces network brand enforcement of PCI DSS ASV scanning)
"Quarterly ASV scanning is required for all merchants and service providers with Internet-facing IP addresses, regardless of business channel."
    — Visa

  If you only use alternative payment methods (APMs) such as PayPal, Apple Pay or Google Pay where cardholder data never touches your systems, you may not require ASV scans. However, if you process any card payments directly — even alongside APMs — you'll still need to complete the scans. If you are unsure, we recommend contacting us for assistance at pcisupport@trustpayments.com.

How do ASV scans work?

ASV scans examine your external-facing systems to identify security vulnerabilities, such as weak encryption, open ports, misconfigured security settings and outdated software.


You must complete ASV scans quarterly or after any significant changes to your solution (e.g. major updates to your network, website or payment systems).

To achieve compliance, your scan must return a "passing" result with no vulnerabilities rated 4.0 or higher on the Common Vulnerability Scoring System (CVSS) scale.

Vulnerabilities are scored from 0 to 10:

  • 0.0 - 3.9: Low severity
  • 4.0 - 6.9: Medium severity
  • 7.0 - 8.9: High severity
  • 9.0 - 10.0: Critical severity

  If your scan identifies vulnerabilities scoring 4.0 or above, you'll need to work with your IT team or web developer to remediate these issues before requesting a rescan.
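
The pass rule and severity bands above, applied to a scan export to produce a per-host result and a remediation queue. This is an added example, not part of the original article or any ASV's tooling; the CSV column names and the sample findings are constructed assumptions, and it implements only the 4.0 threshold stated here.

```python
import csv
import io
from collections import defaultdict

PASS_THRESHOLD = 4.0  # per the article: any finding at or above this fails the scan
BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]

# Constructed sample export; column names are assumptions, not a real ASV report format.
SAMPLE_CSV = """host,port,finding,cvss
203.0.113.10,443,Outdated TLS configuration,5.3
203.0.113.10,22,SSH banner discloses version,2.6
203.0.113.20,8080,Unsupported web server release,9.8
203.0.113.30,443,Missing security header,3.9
203.0.113.40,25,Constructed boundary case,4.0
"""

def severity(score):
    """Map a CVSS score to the severity band listed in the article."""
    if not 0.0 <= score <= 10.0:  # also rejects NaN
        raise ValueError(f"CVSS score out of range: {score}")
    return next(label for floor, label in BANDS if score >= floor)

def triage(csv_text):
    """Return overall pass/fail, per-host status and findings to fix before a rescan."""
    per_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = float(row["cvss"])
        per_host[row["host"]].append({
            "port": int(row["port"]), "finding": row["finding"],
            "cvss": score, "severity": severity(score),
        })
    # Everything at or above the threshold must be remediated; worst first.
    failing = [
        dict(f, host=host) for host, found in per_host.items()
        for f in found if f["cvss"] >= PASS_THRESHOLD
    ]
    failing.sort(key=lambda f: -f["cvss"])
    hosts = {
        host: "FAIL" if any(f["cvss"] >= PASS_THRESHOLD for f in found) else "PASS"
        for host, found in per_host.items()
    }
    return {"passing": not failing, "hosts": hosts, "remediate": failing}

if __name__ == "__main__":
    report = triage(SAMPLE_CSV)
    print("Scan result:", "PASS" if report["passing"] else "FAIL")
    for f in report["remediate"]:
        print(f'{f["host"]}:{f["port"]} {f["severity"]} {f["cvss"]} {f["finding"]}')
```

A finding scored exactly 4.0 fails and one scored 3.9 passes, so compare scores as reported rather than rounded values.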

PCI Portal

Our PCI Portal simplifies the process of performing and actioning the results of ASV scans, making it easier to ensure PCI DSS compliance is maintained.
