What is an Approved Scanning Vendor (ASV)?

Giulio Saggin
Giulio Saggin
Tuesday 28 November 2023
What is an Approved Scanning Vendor (ASV)?
Revolut Credit Card (Unsplash)

In order for an entity to attain PCI compliance, it needs to meet 12 Requirements set out in the PCI DSS (Payment Card Industry Data Security Standard).

One of these - 11.2.2 - requires an entity to "perform quarterly external network vulnerability scans through the Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC)."

These external scans, performed by the ASV, cover such things as an entity's network, website, IP address/es and devices. The role of the ASV is to highlight vulnerabilities that are present. It is left up to another Requirement - 6.1 - to result in the patching of these vulnerabilities (more on 6.1 later).

(Internal vulnerability scans - Requirement 11.2.1 - don't need to be performed by an ASV and can be done by a company that specialises in vulnerability scanning or, should you have one or more of them, qualified and independent staff within your business.)

While a Qualified Security Assessor (QSA) oversees the whole operation of meeting the 12 Requirements, an ASV can either be part of a QSA's business or separate to the QSA.

Becoming an ASV isn't a simple case of filling out a few forms and sending in an application. There are only a handful scattered around the world and they all have to meet stringent guidelines set out by the PCI SSC to be deemed worthy.

Requirement 6.1 was mentioned earlier, as it also centres around vulnerabilities. Unlike external and internal scans that highlight vulnerabilities, 6.1 requires an entity to "establish a process to identify security vulnerabilities, using reputable outside sources, and assign a risk ranking (e.g. "high," "medium," or "low") to newly discovered security vulnerabilities."

An ASV isn't needed to perform this. It can be done by a service that sources patches - CVEs - for any vulnerability found during a scan and informs the entity of the risk - severity - level of each.

One such service is SecAlerts, which acts as the 'middle-man' between software vendors and their clients. It saves valuable time and effort by matching vulnerabilities - CVEs - and zero-days to a company's software. SecAlerts might not be an ASV but it is a necessary part of PCI compliance.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.


SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203