Do You Need PCI ASV Scans, And What Is The Rationale Behind It?


Payment Card Industry Data Security Standards (PCI DSS) serve as a pivotal framework set forth by the PCI Security Standard Council (PCI SSC) for entities engaged in storing, processing, or transmitting cardholder data. Globally recognized, PCI DSS sees periodic updates, with the latest version, 3.2.1, unveiled in May 2018. Notably, the standard explicitly emphasizes vulnerability scanning (Requirement 11.2) and penetration testing (Requirement 11.3).

Understanding PCI DSS Vulnerability Scanning Requirements:

Requirement 11.2 mandates that a covered entity must conduct both internal and external scans on a quarterly basis and after any significant changes occur within the network. These changes include the installation of new system components, alterations to network topology, updates to firewall rules, and upgrades to products. The additional stipulations are as follows:

  1. Quarterly internal scans with subsequent rescan to confirm the resolution of all high-risk vulnerabilities (Requirement 11.2.1).
  2. Quarterly external scans and rescans conducted by an Approved Scanning Vendor (ASV) (Requirement 11.2.2).
  3. Internal and external scans and rescans are required following any significant changes in the network (Requirement 11.2.3).

For Requirements 11.2.1 and 11.2.3, qualified internal personnel or a third-party vendor can perform the necessary scans, and the vendor need not be an ASV. However, for Requirement 11.2.2, an ASV accredited by PCI SSC must conduct the required scans.

Approved Scanning Vendor (ASV) Defined:

An ASV, as defined by the ASV Program Guide (v3.0), is a company qualified by PCI SSC for external vulnerability scanning services in line with PCI DSS Requirement 11.2.2. The PCI SSC’s ASV Scan validation lab ensures a vendor’s scanning solution meets the necessary standards, and the guide outlines the responsibilities of ASVs.

How can ESOF PCI ASV by TAC Security help you?

ESOF PCI ASV serves as a comprehensive and efficient tool to support your PCI compliance efforts. As your trusted Approved Scanning Vendor partner, ESOF PCI ASV provides a seamlessly integrated platform that brings together all the necessary elements for PCI compliance within a unified, cloud-based system. This consolidation streamlines processes related to data collection, identification, and remediation, providing organizations with a current and transparent overview of their PCI status. Move away from fragmented solutions and adopt a cohesive approach to enhance the protection of your payment card data.

Navigating the complexities of PCI DSS security testing is simplified with TAC Security. With a comprehensive approach and a commitment to meeting compliance obligations, our platform and experts ensure a holistic and efficient security testing solution for your organization. Reach out to our experts today to enhance your PCI DSS compliance journey.
