Resource Guide: Vulnerability Scans and Approved Scanning Vendors
The PCI Data Security Standard (PCI DSS) has long included requirements for external vulnerability scans conducted by PCI Approved Scanning Vendors (ASVs), and these requirements have also been included in prior versions of some Self-Assessment Questionnaires (SAQs). For PCI DSS v4.x, requirements for external vulnerability scans performed by an ASV were added to SAQ A to help address common breaches that are targeting SAQ A merchant environments at alarming rates.
This new resource guide is intended for anyone with questions about ASV scans, with a focus on SAQ A merchants since they are completing PCI DSS Requirement 11.3.2 for the first time.
ASV scan requirements in SAQ A apply only to the e-commerce merchant system(s) hosting the webpage that either 1) redirects payment transactions to a PCI DSS compliant third-party service provider (TPSP) or 2) includes an embedded payment page/form from a PCI DSS compliant TPSP. The intent is for merchants to minimize the risk of compromise by scanning for and resolving identified vulnerabilities that could potentially expose their link to the TPSP’s payment page.
In this resource guide, the PCI Security Standards Council shares key considerations, educational resources, and frequently asked questions to help better understand PCI DSS Requirement 11.3.2, which requires evidence of passing external scans, performed by an ASV, at least once every three months.